To use the Embedded APIs in Native applications, make sure you enable the Passwordless OTP grant in your application’s settings at Auth0 Dashboard > Applications > Applications, under Advanced Settings > Grant Types.
Passwordless authentication for Native applications consists of two steps:
  • Capture the user identifier in your application (the user’s email or phone number) and invoke the /passwordless/start endpoint to initiate the passwordless flow. The user will get an email or an SMS with a one-time password.
  • Prompt the user for the one-time-use code, and call the /oauth/token endpoint to get authentication tokens.
Below we list a few code snippets that can be used to call these API endpoints for different scenarios.
Send a one-time-use password via email
curl --request POST \
  --url 'https://{yourDomain}/passwordless/start' \
  --header 'content-type: application/json' \
  --data '{"client_id": "{yourClientId}",  "connection": "email",   "email": "USER_EMAIL",  "send": "code"}'
Send a magic link via email
curl --request POST \
  --url 'https://{yourDomain}/passwordless/start' \
  --header 'content-type: application/json' \
  --data '{ "client_id": "{yourClientId}", "connection": "email", "email": "USER_EMAIL", "send": "link"}'
Send a one-time-use password via SMS
curl --request POST \
  --url 'https://{yourDomain}/passwordless/start' \
  --header 'content-type: application/json' \
  --data '{ "client_id": "{yourClientId}",  "connection": "sms",  "phone_number": "USER_PHONE_NUMBER", "send": "code"}'
Authenticate an SMS user
curl --request POST \
  --url 'https://{yourDomain}/oauth/token' \
  --header 'content-type: application/json' \
  --data '{ "grant_type": "http://auth0.com/oauth/grant-type/passwordless/otp",  "client_id": "{yourClientId}",  "username": "USER_PHONE_NUMBER",  "otp": "code",  "realm": "sms", "audience": "your-api-audience", "scope": "openid profile email"}'
Authenticate an Email user
curl --request POST \
  --url 'https://{yourDomain}/oauth/token' \
  --header 'content-type: application/json' \
  --data '{"grant_type": "http://auth0.com/oauth/grant-type/passwordless/otp", "client_id": "{yourClientId}", "username": "USER_EMAIL", "otp": "code", "realm": "email", "audience": "your-api-audience", "scope": "openid profile email"}'
If you prefer, you can use the Android or iOS SDKs, which wrap these APIs in a platform-friendly way:

Customize MFA with Embedded

Customizable MFA with the Resource Owner Password Grant, Embedded, or Refresh Token flows is in Early Access. To learn more, read Product Release Stages. To participate in the early access, contact Auth0 Support.
Customize with embedded flows. Use the MFA API to let users enroll and challenge with the factors of their choice that your application supports. When your application sends a request to the /oauth/token endpoint, the response includes the mfa_token to use with the MFA API and the mfa_requirements parameter, which lists the authenticators your application currently supports:
{
  "error": "mfa_required",
  "error_description": "Multifactor authentication required",
  "mfa_token": "Fe26...Ha",
  "mfa_requirements": {
    "challenge": [
      { "type": "otp" },
      { "type": "push-notification" },
      { "type": "phone" },
      { "type": "recovery-code" }
    ]
  }
}
Use the mfa_token to call the mfa/authenticator endpoint to list all factors the user has enrolled, and match them against the types your application supports. You also need to obtain the matching authenticator_type to issue challenges:
[
  {
    "type": "recovery-code",
    "id": "recovery-code|dev_qpOkGUOxBpw6R16t",
    "authenticator_type": "recovery-code",
    "active": true
  },
  {
    "type": "otp",
    "id": "totp|dev_6NWz8awwC8brh2dN",
    "authenticator_type": "otp",
    "active": true
  }
]
Proceed to enforce the MFA challenge by calling the request/mfa/challenge endpoint. Further customize your MFA flow with Auth0 Actions. To learn more, read Actions Triggers: post-challenge - API Object.
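The matching step described above, as an added example that is not part of the original page or of any Auth0 SDK: it intersects the types in mfa_requirements.challenge with the user's active enrolled authenticators and fails closed when nothing matches. The function name, the exception class and the embedded sample data (constructed from the two responses shown above) are assumptions made for illustration.

```python
import json

# Constructed sample data, copied from the two responses shown on this page.
TOKEN_RESPONSE = json.loads("""{
  "error": "mfa_required",
  "error_description": "Multifactor authentication required",
  "mfa_token": "Fe26...Ha",
  "mfa_requirements": {"challenge": [
    {"type": "otp"}, {"type": "push-notification"},
    {"type": "phone"}, {"type": "recovery-code"}]}
}""")
ENROLLED = json.loads("""[
  {"type": "recovery-code", "id": "recovery-code|dev_qpOkGUOxBpw6R16t",
   "authenticator_type": "recovery-code", "active": true},
  {"type": "otp", "id": "totp|dev_6NWz8awwC8brh2dN",
   "authenticator_type": "otp", "active": true}
]""")


class MfaSelectionError(Exception):
    """Hypothetical error type: no usable factor, so the login must stop."""


def challengeable_factors(token_response, enrolled):
    """Return the active enrolled authenticators whose type appears in
    mfa_requirements.challenge, in the order the server listed the types."""
    if token_response.get("error") != "mfa_required":
        raise MfaSelectionError("response is not an mfa_required error")
    if not token_response.get("mfa_token"):
        raise MfaSelectionError("mfa_required response carries no mfa_token")
    challenge = token_response.get("mfa_requirements", {}).get("challenge", [])
    allowed = [c["type"] for c in challenge if "type" in c]
    matches = [
        {"id": a["id"], "type": a["type"],
         "authenticator_type": a["authenticator_type"]}
        for wanted in allowed
        for a in enrolled
        # Inactive (unconfirmed) enrollments are never offered for a challenge.
        if a.get("type") == wanted and a.get("active") is True
    ]
    if not matches:
        # Fail closed: do not continue the login without a matching factor.
        raise MfaSelectionError("no active enrolled factor matches requirements")
    return matches


if __name__ == "__main__":
    for factor in challengeable_factors(TOKEN_RESPONSE, ENROLLED):
        print(factor["type"], factor["id"], factor["authenticator_type"])
```

Each returned entry carries the id and authenticator_type that the challenge step needs; treat MfaSelectionError as a failed login rather than falling back to a flow without MFA.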