I have a list of verified email addresses and phone numbers. I have an SPA. I’d like to do this:
- Create users from that list as passwordless users. I am currently doing this, and it’s working fine.
- Send emails to those users from our email service provider that include a link with an identifier. It could be an invitation, but it doesn’t have to be.
- That link takes them directly to a landing page, not a login completion page with a redirection.
- When a button on the landing page is clicked, the identifier is used to look up the email address and phone number. A challenge is started against that phone number.
- The user is asked to provide the code sent via SMS.
- On completion, the email and SMS factors are satisfied.

I want this to be two-factor (email, SMS) from that point on. Any factor can be changed as normal, but in the beginning, they have to use the email and phone number in our list.

- How would you approach this?
- If I need to use the MFA API, how do I use ROPG without a password?