This repository has been archived by the owner on Aug 15, 2023. It is now read-only.

biometric login (and device registration) #41

Open
tobowers opened this issue Dec 10, 2020 · 1 comment

@tobowers

Having to copy the long list of words is clearly not ideal, but we also don't want to let users choose weak passwords. So instead, let's use WebAuthn and FIDO.

  • Create a nonce and store it in the browser (there is a browser credential API).
  • Sign the nonce with the browser's WebAuthn ( https://webauthn.io/ ) functionality and use the signature generated from that as the seed for the private key.

What that lets you do is sign in with your biometrics (touchbar, touchid, faceid, etc) or whatever the platform supports (all major browsers now support webauthn). Still show the words as a backup phrase (like normal crypto).

Device Auth:
Basically: "It looks like you aren't signed in on this device... enter the following code on your logged in device" kinda thing (maybe a QR code too).

Stay logged in on your phone's browser and scan the code for instant access.

Skynet offers niceties that make this pretty easy where in trad-web you'd have to set up a bunch of infrastructure. Because both sides of the new device and the old device can know known keys to look for.
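An added sketch, not code from this repository or from the issue's author, that models the seed derivation proposed above with Node's `crypto` standing in for the authenticator; the RP ID, origin, nonce and all function names are constructed. It goes beyond the post to show the edge case a reviewer would check first: a WebAuthn assertion signs the authenticator data (which carries a signature counter) plus the client data hash, and ECDSA signing is randomized, so a seed hashed from the signature is not stable across logins.

```javascript
const crypto = require("crypto");

const RP_ID = "portal.example";            // constructed relying-party ID
const ORIGIN = "https://portal.example";   // constructed origin

const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// The proposal: hash the assertion signature and use it as the key seed.
function seedFromSignature(signature) {
  return sha256(signature).toString("hex");
}

// Model of what an authenticator signs for navigator.credentials.get():
// authenticatorData || SHA-256(clientDataJSON), never the bare nonce.
function signAssertion(privateKey, nonce, signCount) {
  // authenticatorData = rpIdHash (32) | flags (1) | signCount (4, big-endian)
  const authData = Buffer.concat([sha256(RP_ID), Buffer.from([0x05]), Buffer.alloc(4)]);
  authData.writeUInt32BE(signCount, 33);
  const clientDataJSON = JSON.stringify({
    type: "webauthn.get",
    challenge: nonce.toString("base64url"),
    origin: ORIGIN,
  });
  const signedBytes = Buffer.concat([authData, sha256(clientDataJSON)]);
  // Ed25519 hashes internally, so Node expects a null digest name for it.
  const digest = privateKey.asymmetricKeyType === "ed25519" ? null : "sha256";
  return crypto.sign(digest, signedBytes, privateKey);
}

// Simulate several logins with one credential and one stored nonce;
// signCounts holds the authenticator's counter value at each login.
function loginSeeds(keyType, nonce, signCounts) {
  const { privateKey } =
    keyType === "ed25519"
      ? crypto.generateKeyPairSync("ed25519", {})
      : crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  return signCounts.map((n) => seedFromSignature(signAssertion(privateKey, nonce, n)));
}

const storedNonce = Buffer.alloc(32, 7);   // constructed nonce kept by the browser

// ES256 (ECDSA P-256): random per-signature k, so identical input gives new seeds.
console.log("ES256  ", loginSeeds("ec", storedNonce, [1, 1]));
// Ed25519 is deterministic, but the seed still changes once the counter moves.
console.log("Ed25519", loginSeeds("ed25519", storedNonce, [1, 1, 2]));
```

A stable per-credential secret is what the WebAuthn `prf` extension (CTAP2 `hmac-secret`) is designed to return, which avoids depending on signature bytes.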

@tobowers
Author

hmm - a drawback of this is that it ties you to one portal (without using the backup)
