Is there any way of implementing a sign-up flow where a user only has to enter one OTP sent to their phone? We have used Twilio and implemented the OTP to be sent to the phone, but it seems like you have to use MFA, meaning another text has to be sent (or use an authenticator app, but we don’t want this).
I don’t understand how it’s any more secure entering two codes than just one. We only want a user to verify that it is their phone, and then later on we use our own authentication flow where we verify their actual identity (using ID and a photo of their face).
I understand that you would like guidance on setting up Passwordless SMS.
Firstly, I would like to clarify that Passwordless SMS will only send an OTP to a user’s valid phone number. The user should not be receiving two codes, as you observed. From what I can tell, it seems like you have this configured correctly with Twilio.
However, given that MFA is triggered afterward, could you please check in your Auth0 Dashboard > Security > Multi-Factor Auth to see if you have MFA set to Always? See below for clarity:
I suspect this setting may be causing the secondary OTP sent to the user. If so, could you please set it to Never and see if the secondary code with MFA stops?
Thanks so much for your answer. Now we only need to enter one code.
When authenticating an SMS user using the code from here (Embedded Passwordless Login in Native Applications), we are given an access token and an ID token. How do we use these to implement embedded login and check that a user is authenticated?