We are an enterprise customer of Auth0 and want to use embedded passwordless (phone-number-based) login, with SMS, for use in our native mobile apps.
As part of our current mobile application flow, the user receives an SMS message outside of Auth0, with a deep link that navigates them into the native app. The deep link contains metadata, including their phone number. This would make it easy for us to invoke /passwordless/start, to initiate the passwordless flow with the phone number, without the user having to do anything.
We understand the 2nd step in the passwordless flow is to prompt the user for a one-time-use code, and call the /oauth/token endpoint using that generated code to get auth tokens.
Ideally, we would like to avoid sending the user a 2nd SMS message, and not require the user to enter the one-time-use code to obtain a JWT.
Is it possible to customize the passwordless flow, so the user (as described in the scenario above) isn’t required to enter the one-time-use code to authenticate? Again, in this scenario, the user already arrived at the app having followed a deep link provided by us, so we know concretely that they have control of the device with the phone number associated with their Auth0 account.