diff --git a/README.md b/README.md
index f442a32..1502a0f 100644
--- a/README.md
+++ b/README.md
@@ -89,6 +89,7 @@ The available flags are:
 --assertion string claims for jwt bearer assertion
 --audience strings requested audience
 --auth-method string token endpoint authentication method
+ --authentication-code string authentication code used for passwordless authentication
 --authorization-endpoint string server's authorization endpoint
 --browser-timeout duration browser timeout (default 10m0s)
 --callback-tls-cert string path to callback tls cert pem file
diff --git a/cmd/oauth2.go b/cmd/oauth2.go
index c886778..d0dffca 100644
--- a/cmd/oauth2.go
+++ b/cmd/oauth2.go
@@ -89,6 +89,7 @@ func NewOAuth2Cmd(version, commit, date string) (cmd *OAuth2Cmd) {
 cmd.PersistentFlags().StringVar(&cconfig.Purpose, "purpose", "", "string describing the purpose for obtaining End-User authorization")
 cmd.PersistentFlags().StringSliceVar(&cconfig.Prompt, "prompt", []string{}, "end-user authorization purpose")
 cmd.PersistentFlags().StringVar(&cconfig.MaxAge, "max-age", "", "maximum authentication age in seconds")
+ cmd.PersistentFlags().StringVar(&cconfig.AuthenticationCode, "authentication-code", "", "authentication code used for passwordless authentication")
 cmd.PersistentFlags().StringVar(&sconfig.TokenEndpoint, "token-endpoint", "", "server's token endpoint")
 cmd.PersistentFlags().StringVar(&sconfig.AuthorizationEndpoint, "authorization-endpoint", "", "server's authorization endpoint")
 
diff --git a/internal/oauth2/oauth2.go b/internal/oauth2/oauth2.go
index d0f20c7..a7ce6b0 100644
--- a/internal/oauth2/oauth2.go
+++ b/internal/oauth2/oauth2.go
@@ -94,6 +94,7 @@ type ClientConfig struct {
 Purpose string
 Prompt []string
 MaxAge string
+ AuthenticationCode string
 }
 
 func RequestAuthorization(cconfig ClientConfig, sconfig ServerConfig, hc *http.Client) (r Request, codeVerifier string, err error) {
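Review bot: The new `--authentication-code` flag in cmd/oauth2.go takes a value the help text itself calls an authentication credential, and a plain string flag leaves that value in shell history and in the process command line (`ps`, `/proc/<pid>/cmdline`) for as long as the command runs — which, judging by the `--browser-timeout` default of 10m0s in the README hunk, may be the length of an interactive browser flow. If the command already offers an environment-variable or prompted fallback for its other secret-bearing flags, `--authentication-code` should get the same treatment; otherwise it is worth noting in the help string so users do not put it in scripts. Independently, the help string does not say what the value becomes on the wire; the request.go hunk shows it is sent as `authentication_code`, so `"authentication code used for passwordless authentication (sent as the authentication_code authorization request parameter)"` would let a reader connect the flag to the request. The README entry should carry the same wording so the two stay in sync.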
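Review bot: The `AuthenticationCode` field added to `ClientConfig` in internal/oauth2/oauth2.go has no comment, and unlike `Prompt` and `MaxAge` (OIDC Core) or `Purpose` (OIDC identity assurance) the `authentication_code` parameter it feeds in request.go is, as far as I can tell, not defined by any OAuth 2.0 or OIDC specification, so a maintainer has nothing to look it up against. A one-line comment such as `// AuthenticationCode is sent as the provider-specific authentication_code authorization request parameter for passwordless flows; see <provider/spec reference>.` would record where the parameter comes from and what value format it expects. The struct's other fields are uncommented too, so this is a request to document the non-standard one rather than a style inconsistency.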
diff --git a/internal/oauth2/request.go b/internal/oauth2/request.go
index 617cd6f..c587d08 100644
--- a/internal/oauth2/request.go
+++ b/internal/oauth2/request.go
@@ -69,6 +69,10 @@ func (r *Request) AuthorizeRequest(
 r.Form.Set("max_age", cconfig.MaxAge)
 }
 
+ if len(cconfig.AuthenticationCode) > 0 {
+ r.Form.Set("authentication_code", cconfig.AuthenticationCode)
+ }
+
 if cconfig.IDTokenHint != "" {
 r.Form.Set("id_token_hint", cconfig.IDTokenHint)
 }
@@ -156,6 +160,10 @@ func (r *Request) AuthorizeRequest(
 if len(cconfig.MaxAge) > 0 {
 r.Form.Set("max_age", cconfig.MaxAge)
 }
+
+ if len(cconfig.AuthenticationCode) > 0 {
+ r.Form.Set("authentication_code", cconfig.AuthenticationCode)
+ }
 }
 
 if cconfig.DPoP {
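Review bot: The same three-line block setting `authentication_code` is added verbatim in this hunk and again in the hunk at `@@ -156,6 +160,10 @@`, apparently in two branches of `AuthorizeRequest` (the function starts and ends outside both hunks), which mirrors how `max_age` is already duplicated and means the two copies can drift — the second hunk already places its blank line differently. A small method on `*Request`, e.g. `setAuthenticationCode(cconfig)`, called from both places, or a single set after the branches rejoin if the flow allows it, would keep the parameter in one place. The nearby `cconfig.IDTokenHint != ""` uses the other emptiness idiom; `cconfig.AuthenticationCode != ""` would read the same as its neighbour, though `len(...) > 0` is also already in use for `max_age`. One thing the commit does not address: if `r.Form` is serialized into the query string of the authorization URL that the browser is sent to (I cannot confirm that from these hunks), the code will appear in browser history, Referer headers and the server's access logs — worth confirming which branch builds the front-channel URL and whether this value should be confined to the request-object/PAR path.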