Hello there,
I have been reading the documentation regarding the passwordless authentication using SMS or Email, and I would be interested in using it to protect some endpoints of my backend API.
My users will use a mobile native application, and they will log in and sign up using their credentials. For example, I will have two endpoints like:
/onboarding (sign up)
/reboarding (login)
Since these endpoints will receive the password of the user, I would like to protect them better having authorised the user through email or SMS in advance. This way, my idea of how the flow should work is like:
Signup flow:
- User types their email in the app.
- An email is sent to the user with a code.
- The user types the received code in the app.
- The user receives an auth token that allows them to only use the /onboarding endpoint.
- The user can sign up using the auth token and their credentials.
- The server will implement: Avoid Common Issues with Resource Owner Password Flow and Attack Protection for further providing authorization to other endpoints/resources.
For the sms or email code I looked at: https://auth0.com/docs/connections/passwordless/ios-email-swift
but it looks like it is deprecated. Is there still any way of using this flow natively (with custom UI), from a mobile application (REST interface)?
Thank you.
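
The signup flow listed in the post, as an added server-side sketch that is not part of the original post and does not use Auth0's API: an emailed one-time code is exchanged for a short-lived token that the backend accepts only on `/onboarding`. The function names, the HMAC token format, the lifetimes and the attempt limit are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)   # server-side signing key (constructed for the demo)
OTP_TTL, TOKEN_TTL, MAX_TRIES = 300, 600, 5   # assumed lifetimes and attempt limit
_pending = {}                      # email -> [sha256(code), expires_at, tries_left]

def start(email, now=None):
    """Steps 1-2: create a 6-digit code; the caller e-mails it to the user."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    _pending[email] = [hashlib.sha256(code.encode()).digest(), now + OTP_TTL, MAX_TRIES]
    return code

def _sign(body):
    return base64.urlsafe_b64encode(hmac.new(SECRET, body, hashlib.sha256).digest())

def verify_code(email, code, now=None):
    """Steps 3-4: check the code and mint a token valid only for /onboarding."""
    now = time.time() if now is None else now
    entry = _pending.get(email)
    if entry is None or now > entry[1]:
        _pending.pop(email, None)  # unknown or expired code
        return None
    entry[2] -= 1
    ok = hmac.compare_digest(entry[0], hashlib.sha256(code.encode()).digest())
    if ok or entry[2] <= 0:
        del _pending[email]        # single use, and burn after too many bad guesses
    if not ok:
        return None
    claims = {"sub": email, "scope": "/onboarding", "exp": now + TOKEN_TTL}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return (body + b"." + _sign(body)).decode()

def authorize(token, endpoint, now=None):
    """Step 5: the API accepts the token only on the endpoint it was scoped to."""
    now = time.time() if now is None else now
    try:
        body, sig = token.encode().split(b".")
        if not hmac.compare_digest(sig, _sign(body)):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, AttributeError):
        return None                # malformed or non-string token
    if claims["exp"] < now or claims["scope"] != endpoint:
        return None
    return claims["sub"]
```

`authorize` returns the verified email on success, so the `/onboarding` handler can bind the new account to that address instead of trusting an email field in the request body.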