In my opinion, the Passwordless (new universal) login experience could be greatly improved if the user could input a password as well.
Current problem:
- Database connection creates the user automatically, BEFORE verifying their email. This is awful UX because you leave it up to the developer to handle the verification in their application code.
What should be the flow:
- User signs up with Email, enters OTP delivered to Email inbox
- User successfully verifies email, Auth0 asks for a password
- User signs into the application with email_verified=true
- User relogs back into the application with email address
- Verifies OTP
- Verifies Password
- DONE
This is how almost all other login systems behave? Why is this? Because MFA on passwordless is a nightmare.
Email OTP + Password is technically MFA (2FA). Email OTP + SMS is not a secure way to do 2FA, and authenticator apps are a struggle for the user as well.