Currently, I have an app that supports Resource Owner Username and Password Authentication. I am also looking to have a supplemental application that allows a user access to certain data via a special key associated with their account, which is handled with passwordless authentication.
For example, their phone number is registered in my app with Resource Owner Authentication. When a particular action is engaged, they will receive a text/email with a link to my supplemental application. This link will contain a key that is linked to their account. From here, if their device is not recognized, I want them to confirm via passwordless authentication that they are who they say they are.
Is this possible and okay if handled properly?