Interesting approach, would the code sent to the user be a TOTP?

Because a 5-digit code holds much less entropy than traditional passwordless tokens, it would be easier to brute force if the validation endpoint is not properly implemented (rate-limiting and deleting the challenge after N failed responses).
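
Added example, not part of the comment above: a sketch of the validation logic it describes, where a 5-digit challenge is deleted after N failed responses. The `ChallengeStore` class, `MAX_FAILURES = 3` and the 300-second lifetime are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

MAX_FAILURES = 3        # assumed value for the comment's "N"
CHALLENGE_TTL = 300     # assumed lifetime in seconds
CODE_DIGITS = 5


class ChallengeStore:
    """In-memory store of pending login codes, one per challenge id."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}  # challenge_id -> [code, failures, expires_at]

    def issue(self, challenge_id):
        # secrets.randbelow draws from the OS CSPRNG; zero-pad to fixed width.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[challenge_id] = [code, 0, self._clock() + CHALLENGE_TTL]
        return code  # delivered to the user out of band (e-mail, SMS)

    def verify(self, challenge_id, submitted):
        entry = self._pending.get(challenge_id)
        if entry is None:
            return False
        code, failures, expires_at = entry
        if self._clock() >= expires_at:
            del self._pending[challenge_id]
            return False
        # Constant-time comparison, so timing does not leak matching digits.
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[challenge_id]  # single use
            return True
        entry[1] = failures + 1
        if entry[1] >= MAX_FAILURES:
            # Burn the challenge: further guesses fail, even the right code.
            del self._pending[challenge_id]
        return False


def guess_success_probability(attempts, digits=CODE_DIGITS):
    """Chance that `attempts` distinct guesses hit a uniformly random code."""
    return min(attempts, 10 ** digits) / 10 ** digits
```

The failure cap here is per challenge, so it bounds one challenge to a 3 in 100,000 chance of being guessed. Requests for new challenges still need their own rate limit per account or source, otherwise the cap can be sidestepped by asking for a fresh code.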