Questions about passwordless connections

I am looking into passwordless connections and have a few questions:

  1. Auth0 allows you to sign in with a new email address/phone number and effectively sign up. We don’t want people to sign up with another email address/phone number if they just wanted to sign in, but forgot what email address/phone number they used initially. How can we figure out if we can distinguish between sign-ins with known emails address/phone numbers and sign-ups with unknown ones without becoming vulnerable to user enumeration attacks.
  2. What are the limitations of the users created out of the passwordless connection?
    • can a passwordless entity hold metadata, role, etc?
    • What MFA options can such a user use?
  3. Can the limitations be overcome by creating a regular user account in Auth0 and linking a passwordless one with it as a secondary?
  4. What are the limitations of the Passwordless with Magic links?
    • Magic Links are not supported in New Universal Login. Is there still a way to use them for us?
    • What metadata can be specified in the magic link?
    • What are the refresh token usage limitations with the magic link and how it can affect us