The Ideal User Flow

Primary auth

Start passkey discovery mode
Let the device discover the account
Confirm with Face ID, Touch ID, or PIN

Fallback auth

Request an OTP code by email
Enter the code in the same browser session
Complete login without a password

Why this works

No secret to remember
Phishing resistant
Works even when passkeys are unavailable
Avoids account enumeration

Logging In With Email OTP Codes

Simple but secure

Send a unique, time-limited 8-character alphanumeric code.
Access to the email account becomes proof of identity.
The code must be entered in the same browser session.
Users can read the email on one device and sign in on another.

Flow

User requests a login code
Server creates an auth attempt
Email delivers the code
User enters the code
Server verifies the attempt and signs the user in