Prevent creation of user from `/u/login` flow

Hi @eric.haynes

Thank you for reaching out to Auth0 Community regarding the issue that you are facing!
I am sorry for the late reply to your inquiry.

Unfortunately, the feature that you are looking for during a Passwordless authentication is not available within Auth0. By not disabling the user sign-up, you would expose your application to the following vulnerabilities:

  • Account Enumeration Concern: Attackers could try to discover valid accounts. (As you have stated yourself in the post.)
  • Automated Account Creation Concern: Bots could create many accounts automatically.

For your approach, I would recommend implementing an invite-only flow where users are sent an invitation email on sign-up.

There are ways to mitigate these vulnerabilities within your implementation; you can review this community post on possible solutions or advice.

If you have any extra questions regarding the issue or if you have come up with a solution yourself, feel free to leave a reply on the post.

Kind Regards,
Nik