Update (thanks to Rom van Arendonk for his comment): the steps below describe a verification mechanism, for example to check that a phone number or email address is actually in use by the user. This is not Multi-Factor Authentication (MFA).
By default, Mendix creates the user session after a correct login (which grants the user access to their authorized pages, etc.) just before the OTP form is shown!
With MFA, the user session (which grants access to the user's authorized pages, etc.) is created only after a correct login AND successful validation of the MFA code. That is very important to keep in mind.
Verifying a phone number or email address this way is basically an easy job.
At a high level, the steps are:
You can store the OTP in a separate entity. You need to record which user account it belongs to (an association), the OTP itself, and its expiration time.
It's good practice to delete OTPs after they have been used and/or after their expiration datetime has passed.
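The OTP entity and the single-use / expiry rules described above, as an added Python example (not Mendix code from the original post); the entity name, the five-minute lifetime, the hashing of the stored code and the injectable clock are assumptions made for the example:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

OTP_TTL = timedelta(minutes=5)  # assumed lifetime; the page gives no value


@dataclass
class OneTimePassword:
    """Hypothetical OTP entity: owning user (association), code, expiration."""
    user_id: str
    code_hash: str        # assumption: store a hash, not the raw code
    expires_at: datetime


class OtpStore:
    def __init__(self, now=None):
        self._rows: dict[str, OneTimePassword] = {}
        # clock is injectable so expiry can be exercised deterministically
        self._now = now or (lambda: datetime.now(timezone.utc))

    @staticmethod
    def _hash(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a fresh 6-digit code for the user; return it for out-of-band delivery."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._rows[user_id] = OneTimePassword(user_id, self._hash(code), self._now() + OTP_TTL)
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        """Accept the code only if it exists, is unexpired and matches; delete it either way once settled."""
        row = self._rows.get(user_id)
        if row is None:
            return False
        if self._now() >= row.expires_at:
            del self._rows[user_id]          # expired: remove, never accept
            return False
        ok = hmac.compare_digest(row.code_hash, self._hash(submitted))
        if ok:
            del self._rows[user_id]          # single use: remove after success
        return ok

    def purge_expired(self) -> int:
        """Housekeeping for codes that were never submitted; returns how many were removed."""
        now = self._now()
        stale = [u for u, r in self._rows.items() if r.expires_at <= now]
        for u in stale:
            del self._rows[u]
        return len(stale)
```

The session (or, in the verification case, the "address confirmed" flag) should be created only when `verify` returns `True`; a failed or expired attempt leaves nothing behind that could be replayed.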