In my opinion, the Passwordless (new universal) login experience could be greatly improved if the user could input a password as well.
- Database connection creates the user automatically, BEFORE verifying their email. This is awful UX because you leave it up to the developer to handle the verification in their application code.
What the flow should be:
- User signs up with email and enters the OTP delivered to their email inbox
- User successfully verifies their email, then Auth0 asks for a password
- User signs into the application with email_verified=true
- User logs back into the application with their email address
This is how almost all other login systems behave. Why is this? Because MFA on passwordless is a nightmare.
Email OTP + password is technically MFA (2FA). Email OTP + SMS is not a secure way to do 2FA, and authenticator apps are a struggle for the user as well.