🚀 Feature
Instead of just link based verification, have OTP based verification as well. Reasons:
People want this flow
In case of account linking, when SSO is needed along with public tenant login, and if some SSO providers do not verify the email, then currently, we see a security issue. The reason for this security issue is that if email verification is done for the SSO provider, then the actual user may click on the link by mistake, causing the attacker's unverified SSO login to succeed. If we have OTP based email verification, then there is no scope for this mistake. The same thing applies for emailpassword login, where we reject sign ups for email password and ask users to do the reset password flow instead.
The above point also means that we should not auto verify the email on account linking, because otherwise OTP email verification won't even be asked.
We should have both link based and OTP based methods at the same time (no need to give users the option to pick one). In the case of sign ups that have the security issue mentioned above, we will automatically only do OTP based and not link based.
We also need to take into account email verification flows that happen without the user initiating the flow. There may be cases where after a user signs up, the backend lets you use the app, but then after some time automatically sends you an email verification email. In this case, only link based methods work because the user is not on the OTP UI on their machine.
Implementation details
(Please outline any details about how this feature would be implemented. If you don't know, you can just skip this section.)
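The policy described in the issue above, as an added example that is not part of the original issue or the project's code: it decides per sign-up which verification methods to offer (both by default, OTP only for the risky account-linking case, link only for backend-initiated flows) and binds an OTP to the session that requested it, so the account owner reading a code in their inbox cannot complete an attacker's flow the way a mis-clicked link would. Every name here (SignupContext, VerificationService, the trigger and method constants) is hypothetical, as is its handling of the one combination the issue does not discuss, a risky linking sign-up that the backend tries to verify on its own initiative, which it refuses rather than sending a link. The scenario data in demo() is constructed.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

# Added example, not the project's code; every name here is hypothetical.
USER_INITIATED, BACKEND_INITIATED = "user", "backend"   # who started the flow
LINK, OTP = "link", "otp"                               # verification methods

@dataclass(frozen=True)
class SignupContext:
    email: str
    trigger: str
    links_to_existing_account: bool = False  # sign-up would link to an existing account
    method_verified_email: bool = True       # login method proved ownership (e.g. SSO did)

@dataclass
class Pending:
    email: str
    methods: tuple
    session_id: str                 # session that started the flow; OTP usable only there
    link_token: Optional[str] = None
    otp: Optional[str] = None
    otp_attempts_left: int = 5      # a six-digit code is guessable, so cap the attempts

def choose_methods(ctx: SignupContext) -> tuple:
    """Policy from the issue: both by default, OTP only for risky account-linking
    sign-ups, link only when nobody is on the OTP screen."""
    risky = ctx.links_to_existing_account and not ctx.method_verified_email
    if risky and ctx.trigger == BACKEND_INITIATED:
        return ()  # assumption, not in the issue: a link would bring back the mis-click hazard
    if risky:
        return (OTP,)
    if ctx.trigger == BACKEND_INITIATED:
        return (LINK,)
    return (LINK, OTP)

class VerificationService:
    def __init__(self, send_email: Callable[[str, Pending], None]):
        self._send_email = send_email
        self._pending: dict = {}  # email -> Pending, one live flow per address

    def start(self, ctx: SignupContext, session_id: str) -> Pending:
        methods = choose_methods(ctx)
        if not methods:
            raise PermissionError("verification must be started by the user")
        p = Pending(ctx.email, methods, session_id)
        if LINK in methods:
            p.link_token = secrets.token_urlsafe(32)
        if OTP in methods:
            p.otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[ctx.email] = p
        self._send_email(ctx.email, p)
        return p

    def verify_link(self, token: str) -> Optional[str]:
        """Whoever holds the link completes the flow: the mis-click hazard itself."""
        for email, p in list(self._pending.items()):
            if p.link_token and hmac.compare_digest(p.link_token, token):
                del self._pending[email]
                return email
        return None

    def verify_otp(self, email: str, session_id: str, code: str) -> bool:
        """The code only works in the session that asked for it, so a victim who reads it in their inbox cannot finish an attacker's flow."""
        p = self._pending.get(email)
        if p is None or p.otp is None or session_id != p.session_id:
            return False
        p.otp_attempts_left -= 1
        ok = hmac.compare_digest(p.otp, code)
        if ok or p.otp_attempts_left == 0:
            del self._pending[email]  # consumed, or burned after too many guesses
        return ok

def demo() -> dict:
    """Run the scenarios from the issue on constructed data."""
    outbox: list = []
    svc = VerificationService(lambda email, p: outbox.append(p))
    # Attacker signs up through an SSO provider that did not verify the address; the
    # sign-up would link to the victim's existing account, so only an OTP goes out.
    risky = SignupContext("victim@example.com", USER_INITIATED, True, False)
    p = svc.start(risky, "attacker-session")
    code = outbox[-1].otp                                   # what the victim's inbox shows
    wrong = "000001" if code == "000000" else "000000"
    out = {"risky_methods": p.methods, "risky_has_link": p.link_token is not None,
           "victim_types_it_elsewhere": svc.verify_otp(risky.email, "victim-session", code),
           "attacker_guesses": svc.verify_otp(risky.email, "attacker-session", wrong)}
    # Ordinary user-initiated sign-up: both methods; the starting session can use the OTP.
    p = svc.start(SignupContext("alice@example.com", USER_INITIATED), "alice-session")
    out["plain_methods"], out["owner_enters_code"] = p.methods, svc.verify_otp(
        "alice@example.com", "alice-session", outbox[-1].otp)
    # Backend-sent reminder: link only, and the link by itself completes the flow.
    p = svc.start(SignupContext("bob@example.com", BACKEND_INITIATED), "server")
    out["later_methods"], out["link_completes"] = p.methods, svc.verify_link(p.link_token)
    # Risky sign-up that the backend would verify on its own: no method is offered.
    out["risky_backend_methods"] = choose_methods(
        SignupContext("victim@example.com", BACKEND_INITIATED, True, False))
    return out
```

The session binding is what makes the OTP variant safe where the link is not: the attacker holds the session but not the code, the victim holds the code but not the session, and neither alone can finish the flow. A real implementation would also expire the pending record and rate limit `start` per address, since the same inbox can otherwise be spammed with codes.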