Authenticate a single auth record with an one-time password (OTP).

Note that when requesting an OTP we return an otpId even if a user with the provided email doesn't exist as a very basic enumeration protection.