I am looking into passwordless connections and have a few questions:
- Auth0 allows you to sign in with a new email address/phone number and effectively sign up. We don’t want people to sign up with another email address/phone number if they just wanted to sign in, but forgot what email address/phone number they used initially. How can we figure out if we can distinguish between sign-ins with known email addresses/phone numbers and sign-ups with unknown ones without becoming vulnerable to user enumeration attacks?
- What are the limitations of the users created out of the passwordless connection?
- Can a passwordless entity hold metadata, roles, etc.?
- What MFA options can such a user use?
- Can the limitations be overcome by creating a regular user account in Auth0 and linking a passwordless one with it as a secondary?
- What are the limitations of the Passwordless with Magic links?
- Magic Links are not supported in New Universal Login. Is there still a way to use them for us?
- What metadata can be specified in the magic link?
- What are the refresh token usage limitations with the magic link, and how can they affect us?