You have a couple of options.

If you use the hosted login pages/authorization code grant, disabling all grants in the application settings page will prevent people from logging in. If you use the login API and have customer-based API keys, you could turn on the 'require API key for login API' and then disable the customer's API key. If you have the Enterprise plan, you could set up an IP ACL for a unroutable IP range.

However, the easiest way to make sure an application cannot be logged into is to deactivate the application.

As of 1.62.0, FusionAuth supports pre-verification of emails and phone numbers.

More details:

https://fusionauth.io/docs/lifecycle/manage-users/verification/identity-pre-verification-using-email

https://fusionauth.io/docs/lifecycle/manage-users/verification/identity-pre-verification-using-phone