
Is it time to ditch passwords for apps? - crneff
http://blogs.csc.com/2016/02/11/is-it-time-for-password-less-apps/
======
EGreg
In apps we build on the Qbix Platform, we use OAuth 2 to generate session
tokens in the native app. No password needed.

But how do we set up user accounts in the first place? Most of our users come
from being invited by a friend. That invitation contains a unique link which,
when clicked, allows the user to access their account. So they get an account
and all their followers in one tap! And start using it immediately. Then when
they download the native app, they sign in using OAuth 2. Everything is fast
and secure and the only time they ever need to set up a password is when they
want to set up an account on some shared public device. And even then, they
could simply use their phone to verify the login, even if they get no
cellphone signal.

Source:
[http://qbix.com/platform/features/invitations](http://qbix.com/platform/features/invitations)

This is just some of the thousands of things we took care of so your apps
don't have to. Another cool thing: all session ids are signed with an HMAC
when generated, so your load balancer won't need to do any I/O when deciding
to reject bogus requests. This reduces the impact of DDoS attacks on your app
once it becomes well-known.
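
The HMAC-signed session ids described in the comment above can be sketched as follows. This is an added example, not code from the comment or from the Qbix Platform; the token layout (`id.tag`, base64url), the 128-bit id size and the function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

ID_LEN = 16   # assumed: 128-bit random session id
TAG_LEN = 32  # HMAC-SHA256 tag length in bytes


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_id(key: bytes) -> str:
    """App server: random id plus an HMAC-SHA256 tag over it."""
    raw = secrets.token_bytes(ID_LEN)
    tag = hmac.new(key, raw, hashlib.sha256).digest()
    return _b64(raw) + "." + _b64(tag)


def edge_accepts(key: bytes, session_id: str) -> bool:
    """Load balancer: pure computation, no session-store lookup."""
    try:
        raw_part, tag_part = session_id.split(".")
        raw, tag = _unb64(raw_part), _unb64(tag_part)
    except (ValueError, TypeError):
        return False  # wrong shape or undecodable base64
    if len(raw) != ID_LEN or len(tag) != TAG_LEN:
        return False
    # Reject non-canonical encodings (junk characters, stray bits),
    # so one id has exactly one accepted string form.
    if _b64(raw) + "." + _b64(tag) != session_id:
        return False
    expected = hmac.new(key, raw, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time compare


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)  # constructed key for the demo
    sid = issue_session_id(demo_key)
    print(sid, edge_accepts(demo_key, sid))
    print("forged", edge_accepts(demo_key, _b64(b"A" * ID_LEN) + "." + _b64(b"B" * TAG_LEN)))
```

A valid tag shows only that the server issued the id; whether the session is still live (expiry, logout, revocation) still has to be checked against the session store behind the load balancer.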

