Clarification on Email OTP Auth Flows

I am not clear on the flows of the Email OTP auth flows.

1. Sign In with OTP - I have regular credentials set up. Seems like it replaces the password in credentials? And I would have only an email field with a button "Sign In with Passcode"? Or does this happen in addition to the password, kinda like two-factor auth without the twoFactor plugin?
2. Verify Email - self explanatory. Sent on sign up, user auto signed in. Authenticated form to input the OTP and a resend verification email button.
3. Reset Password - Is this for a currently logged out user, it seems? Reset password form with just an email field. This email gets sent with the OTP and a link to your public change password form: otp, email, new password, confirm new password?

I'm generally familiar with reset links. But I think somewhere in OWASP, OTPs are recommended. I guess I can opt out of any of these just by not providing the function. I don't know the use case of Sign In with OTP, for instance.
Jacob (2w ago)
Just do sign in with OTP. You don't need passwords or email verification since they get the OTP in their inbox. I do a combined sign in / sign up on same form.
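
To make the combined sign in / sign up flow from the reply concrete, here is an added illustration of the server-side part of an email OTP flow. It is example code written for this page, not Jacob's code and not the code of any particular auth library; the class and function names (`EmailOtpStore`, `sign_in_or_sign_up`), the 6-digit / 5-minute / 3-attempt parameters, and the in-memory `users` dict are all assumptions chosen for the example. It shows the properties a practitioner would want from such a flow: the code is random and only ever leaves the server through the mailer, it is stored only as a keyed hash, it expires, it is single use, it tolerates a bounded number of wrong guesses, and a successful verification both proves the address and creates the account if it does not exist yet, which is why a separate email verification step becomes unnecessary.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for this example (not from any library's defaults).
OTP_DIGITS = 6
OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


@dataclass
class PendingOtp:
    code_hash: bytes   # HMAC of the code; the plaintext is never stored
    expires_at: float  # absolute time after which the code is dead
    attempts: int = 0  # wrong guesses so far


class EmailOtpStore:
    """Issues and verifies one pending OTP per email address."""

    def __init__(self, server_secret: bytes, clock=time.time):
        self._secret = server_secret
        self._clock = clock          # injectable so tests can control time
        self._pending: dict[str, PendingOtp] = {}

    def _hash(self, email: str, code: str) -> bytes:
        # Binding the email into the hash means a code stolen from one
        # pending entry cannot be replayed against another address.
        msg = f"{email}:{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, email: str) -> str:
        """Create a fresh code for `email`; the return value goes to the mailer only."""
        key = email.strip().lower()
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        # Re-issuing replaces any older code, so only one is live at a time.
        self._pending[key] = PendingOtp(
            code_hash=self._hash(key, code),
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        return code

    def verify(self, email: str, code: str) -> tuple[bool, str]:
        """Return (ok, reason). A correct code is consumed on first use."""
        key = email.strip().lower()
        entry = self._pending.get(key)
        if entry is None:
            return False, "no_pending_code"
        if self._clock() > entry.expires_at:
            del self._pending[key]
            return False, "expired"
        entry.attempts += 1
        if hmac.compare_digest(entry.code_hash, self._hash(key, code)):
            del self._pending[key]   # single use
            return True, "ok"
        if entry.attempts >= MAX_ATTEMPTS:
            del self._pending[key]   # force the user to request a new code
            return False, "too_many_attempts"
        return False, "invalid"


def sign_in_or_sign_up(store: EmailOtpStore, users: dict, email: str, code: str):
    """Combined flow: a valid OTP both authenticates and, if needed, registers.

    `users` is an in-memory stand-in for the user table (assumption for the example).
    Returns (user_or_None, reason).
    """
    ok, reason = store.verify(email, code)
    if not ok:
        return None, reason
    key = email.strip().lower()
    # Receiving the code proves control of the inbox, so the account is
    # created already marked as verified; no separate verification mail.
    user = users.setdefault(key, {"email": key, "email_verified": True})
    return user, "ok"


if __name__ == "__main__":
    store = EmailOtpStore(secrets.token_bytes(32))
    users: dict = {}
    code = store.issue("alice@example.com")      # would be emailed, not printed
    print(sign_in_or_sign_up(store, users, "alice@example.com", code))
    print(sign_in_or_sign_up(store, users, "alice@example.com", code))  # replay fails
```

The attempt cap and the expiry are the two controls that make a short numeric code acceptable at all: without them a 6-digit code is only a million guesses away. Rate limiting the `issue` endpoint per address and per client is the remaining piece, and it belongs at the HTTP layer rather than in this store.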