I have set up a Cloudflare tunnel with OTP authentication for my domain. The problem I find is that when a user requests a pin, the email that’s sent also contains a link to the resource that’s being accessed. Why expose that? I just want the pin. I find that exposing the link in the email lowers security, as anyone who gets a hold of that link will have all they need to get access too. On the other hand, if the email only contains the pin, anyone with the email will not have enough info to do anything with it.
I think you should allow enabling / disabling having the link included in the OTP email.