Just brainstorming, not sure if it will work.. and not sure if it is in line with the Mendix license policy..
An anonymous user goes to a page with a non persistable entity (could even be a different frontend application to make it more secure) where they fill in an ID and password (which of course should be stored in your backend application or tables). Filling this in will trigger logic (eg an interface) to create an object linked to the NPE and a code/password is sent to the user.
The user presses a button or link to open the associated object where you verify the code that was sent. When this is ok, you will trigger logic to duplicate the user data into another NPE where it can be updated and sent to the backend app (or tables if you are working with 1 app)