Password-less Web Apps
For web applications, every current browser now provides a reasonably secure local container for client-side secrets (cookies or localStorage). A basic no-password strategy looks something like this:
- First use is registration. Store a unique token for this account + device + browser trio, encrypted in a cookie or localStorage.
- In the app's account settings, provide an "Add a Device/Browser to This Account" capability URL, which folks may copy/email/text to themselves. For security, generate this capability URL on demand and make it expire immediately upon use.
- Upon visiting the capability URL from step #2, via any browser on any device, all registered devices/browsers are notified and asked to confirm the new device/browser. The capability URL should expire immediately, whether or not confirmation is successful.
- Upon confirmation from a registered device/browser, the new device + browser is added to the account, and step #1 is repeated for that new browser.
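The four steps above as an in-memory model, added here as an example (not code from the post or from dashkite). Assumed details the post leaves open: tokens are random 256-bit values stored server-side only as SHA-256 hashes, a capability URL also expires after `ttl` seconds, and the "notification" is simply the list of registered device labels that would be pinged.

```python
import hashlib
import secrets
import time

# Added example: an in-memory model of the four registration steps.
# Assumptions (not from the post): hashed token storage, a TTL on links,
# and a placeholder host for the capability URL.
BASE_URL = "https://example.invalid/account/add-device?cap="


def _h(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


class PasswordlessAccount:
    def __init__(self, ttl: int = 600, now=time.time):
        self.ttl, self.now = ttl, now
        self.devices = {}   # token hash -> device/browser label (step 1)
        self.caps = {}      # capability hash -> issue time (step 2)
        self.pending = {}   # request id -> candidate label (step 3)

    def register_device(self, label: str) -> str:
        """Step 1: mint the per-account+device+browser token the browser keeps."""
        token = secrets.token_urlsafe(32)
        self.devices[_h(token)] = label
        return token

    def is_registered(self, token: str) -> bool:
        return _h(token) in self.devices

    def issue_capability_url(self) -> str:
        """Step 2: on-demand, single-use, short-lived 'add a device' link."""
        cap = secrets.token_urlsafe(32)
        self.caps[_h(cap)] = self.now()
        return BASE_URL + cap

    def visit_capability_url(self, url: str, new_label: str):
        """Step 3: consume the link whatever happens; return (request_id, notified)."""
        issued = self.caps.pop(_h(url.split("cap=", 1)[-1]), None)  # expires on use
        if issued is None or self.now() - issued > self.ttl:
            return None
        request_id = secrets.token_urlsafe(16)
        self.pending[request_id] = new_label
        return request_id, sorted(self.devices.values())  # devices to notify

    def confirm(self, request_id: str, approver_token: str):
        """Step 4: only an already-registered device may approve; then step 1 again."""
        if not self.is_registered(approver_token):
            return None
        label = self.pending.pop(request_id, None)
        return None if label is None else self.register_device(label)
```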
Voilà, you now have a password-less, device-authed system. Implementation details such as notifications (browser? email? other?) are left to the reader. This is a gross oversimplification of what Signal, Keybase, WhatsApp, and others are already doing.
Want to see a smart implementation of password-less auth in a web app? Check out the work my friends @dyoder & @freeformflo have done over at dashkite. They're also exploring how social media might be used to help solve social problems like disinformation & extremism, instead of exacerbating them.