Pre-determined emails, SMS and an MFA passwordless flow

I have a list of verified email addresses and phone numbers. I have an SPA. I’d like to do this:

  1. Create users from that list as passwordless users. I am currently doing this, and it’s working fine.
  2. Send emails to those users from our email service provider that include a link with an identifier. It could be an invitation, but it doesn’t have to be.
  3. That link takes them directly to a landing page, not a login completion page with a redirection.
  4. When a button on the landing page is clicked, the identifier is used to look up the email address and phone number. A challenge is started against that phone number.
  5. The user is asked to provide the code sent via SMS.
  6. On completion, the email and SMS factors are satisfied.

I want this to be two-factor (email, SMS) from that point on. Any factor can be changed as normal, but in the beginning, they have to use the email and phone number in our list.

Questions!

  1. How would you approach this?
  2. If I need to use the MFA API, how do I use ROPG without a password?
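
A provider-agnostic sketch of steps 2 to 6 of the flow described above, added here as an example; it is not from the post and calls no identity provider's API. `InviteFlow`, the `send_sms` callback, the lifetimes and the attempt cap are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

INVITE_TTL = 7 * 24 * 3600  # assumed lifetime of the emailed link, seconds
OTP_TTL = 300               # assumed lifetime of one SMS code, seconds
MAX_ATTEMPTS = 5            # assumed cap on guesses per SMS code

class InviteFlow:
    """Server side only: the SPA sees the identifier, never the phone number."""
    def __init__(self, send_sms, now=time.time):
        self._send_sms, self._now = send_sms, now
        self._invites = {}  # sha256(identifier) -> record, so a store leak exposes no links

    @staticmethod
    def _key(identifier):
        return hashlib.sha256(identifier.encode()).hexdigest()

    def create_invite(self, email, phone):
        identifier = secrets.token_urlsafe(32)  # unguessable value placed in the emailed link
        self._invites[self._key(identifier)] = {
            "email": email, "phone": phone, "done": False, "otp": None,
            "expires": self._now() + INVITE_TTL}
        return identifier

    def start_challenge(self, identifier):
        rec = self._invites.get(self._key(identifier))
        if rec is None or rec["done"] or self._now() > rec["expires"]:
            return False  # unknown, already used or expired link
        code = f"{secrets.randbelow(10**6):06d}"
        rec["otp"] = {"code": code, "expires": self._now() + OTP_TTL, "attempts": 0}
        self._send_sms(rec["phone"], code)  # phone comes from the list, not from the client
        return True

    def verify(self, identifier, code):
        rec = self._invites.get(self._key(identifier))
        otp = rec and rec["otp"]
        if not otp or rec["done"] or self._now() > otp["expires"]:
            return None
        otp["attempts"] += 1
        if otp["attempts"] > MAX_ATTEMPTS:
            rec["otp"] = None  # force a fresh challenge after too many guesses
            return None
        if not hmac.compare_digest(code.encode(), otp["code"].encode()):
            return None
        rec["done"], rec["otp"] = True, None  # link and code are single use
        return {"email": rec["email"], "phone": rec["phone"], "factors": ["email", "sms"]}
```
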