@sgo Thank you for your response. We are currently using password-less connections, and we noticed a few things.
- The accounts are not stored in the Auth0 database.
  - What is the difference between using the database and creating users via password-less?
  - Are there any fallbacks or issues that we may encounter later on?
- What would be the best way to identify if a user already exists by checking email & phone numbers?
  Here is the list of APIs that we are using currently:
  - For login with password-less:
    - https://auth0.github.io/node-auth0/module-auth.PasswordlessAuthenticator.html#sendEmail
    - https://auth0.github.io/node-auth0/module-auth.PasswordlessAuthenticator.html#sendSMS
    - https://auth0.github.io/node-auth0/module-auth.PasswordlessAuthenticator.html#signIn
  - For registration/create user:
    - https://auth0.github.io/node-auth0/module-management.ManagementClient.html#createUser
  - To get users, to check whether a user exists, filtered by email and phone:
    - https://auth0.github.io/node-auth0/module-management.ManagementClient.html#getUsers
- We noticed that once an OTP is sent to a user, the account gets created regardless of whether the user was verified. This causes conflicts because we think we may get stale accounts from users not completing the verification. Are there policies that we can run to remove these accounts, or are we missing something?
- We are also considering creating users in the database with a randomized password that will never be shared, but we enable password-less connections. Do you think this would be a better approach?

Our goal is to:
- Verify a user via SMS/Email OTP without creating a password.
- Use that same email/phone to log in to their account.
- Not have non-verified users created.
- Only send one registration verification code per user.

Thank you!