A number of questions around this but none that address this specifically.
Some of the users will not have email addresses.
When they register, they have to enter at least one of the two. This is then validated. If email is entered that is validated. If not then phone number is validated.
The login screen should ask for (email address or mobile phone number) and password.
Some users will require MFA.
Passwordless authentication is not what they are looking for.
For database connections (non-passwordless), the email address is always required as a minimum.
With the default Universal Login Page (ULP), the scenario is not supported, because the email field would always be required.
However, you could create a custom login UI (so, not the ULP), enable the username field for the database connection, and trigger the user registration via API call to the Auth0 Authentication API.
When the user signs up with a proper email address, you would use this value to populate the user’s email address field. If the user enters a mobile number, you would instead populate the user’s email address with a dummy email address in the background (dummy@mycompany.com) instead, which is then actually never used. And the mobile number is stored in the user’s username (and optionally additionally in the phone) field.
Of course, this then requires some more additional work: the mobile number validation requires some custom implementation, because Auth0 does not provide a default validation process for the mobile number in this kind of flow. You could use the Passwordless flow (via API) once in combination with Rules for this verification part.