I am interested in creating a kind of login without a password between the mobile application and the API (given that I control both). The motivation is that having to log in is very annoying for users and has security risks (for example, users will reuse existing passwords), and I want users to be able to start working with the application immediately.
I am wondering if there are any methods that could work. For instance:
- Create and produce a login / password on a mobile device and save the password in the keychain.
- Register in the API using this login / password combination. This returns a token.
- The token is used on subsequent calls.
Disadvantages:
- The login / password may be lost if the user uninstalls the application (could this be mitigated by storing the login in iCloud, but would that be bad for the password?)
- The password is stored on the device (although it is in the keychain).
So my questions are: is something like this possible and safe enough? Are there known methods for doing this?
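The flow sketched in the question, written out as an added example (not code from the asker): the device generates a random login and a high-entropy secret and keeps them only in the keychain, the API registers that pair, hands back an opaque bearer token, and resolves the token on later calls. The `Keychain` class is an in-memory stand-in for the platform keychain, `Api` is a hypothetical server with a constructed server-side pepper, and the token lifetime is an assumed value; the `wipe()` path models the uninstall-without-backup disadvantage listed above.

```python
import hashlib
import hmac
import os
import secrets
import time

# --- Device side (constructed stand-in for the app's keychain) ---

class Keychain:
    """In-memory stand-in for the mobile keychain; a real app uses the platform keychain."""
    def __init__(self):
        self._items = {}

    def store(self, key, value):
        self._items[key] = value

    def load(self, key):
        return self._items.get(key)

    def wipe(self):
        # Simulates an uninstall with no backup: the credentials are gone for good.
        self._items.clear()


def device_provision(keychain):
    """Generate a random device login and a high-entropy secret; keep them only in the keychain."""
    login = secrets.token_urlsafe(16)
    secret = secrets.token_urlsafe(32)   # ~256 bits of entropy, never typed, never reused elsewhere
    keychain.store("login", login)
    keychain.store("secret", secret)
    return login, secret


# --- API side (hypothetical server) ---

TOKEN_TTL_SECONDS = 3600   # assumed token lifetime

class Api:
    def __init__(self, pepper):
        self._pepper = pepper      # server-side key kept apart from the stored hashes
        self._accounts = {}        # login -> (salt, keyed hash of secret)
        self._tokens = {}          # token -> (login, expiry timestamp)

    def _hash_secret(self, secret, salt):
        # The secret is random and high-entropy, so a keyed hash is sufficient; a
        # user-chosen password would need a slow KDF (scrypt/argon2) instead.
        return hmac.new(self._pepper, salt + secret.encode(), hashlib.sha256).digest()

    def register(self, login, secret):
        if login in self._accounts:
            return None            # first registration wins; no takeover by re-registering
        salt = os.urandom(16)
        self._accounts[login] = (salt, self._hash_secret(secret, salt))
        return self._issue_token(login)

    def authenticate(self, login, secret):
        rec = self._accounts.get(login)
        if rec is None:
            return None
        salt, stored = rec
        if not hmac.compare_digest(stored, self._hash_secret(secret, salt)):
            return None            # constant-time comparison of the keyed hashes
        return self._issue_token(login)

    def _issue_token(self, login):
        token = secrets.token_urlsafe(32)   # opaque and random; only the server maps it
        self._tokens[token] = (login, time.time() + TOKEN_TTL_SECONDS)
        return token

    def call(self, token, now=None):
        """Resolve the bearer token on a subsequent API call; returns the login or None."""
        now = time.time() if now is None else now
        entry = self._tokens.get(token)
        if entry is None:
            return None
        login, expiry = entry
        if now > expiry:
            del self._tokens[token]
            return None
        return login


def first_run_flow(api, keychain):
    """What the app does on launch: provision once, then reuse the keychain credentials."""
    login, secret = keychain.load("login"), keychain.load("secret")
    if login is None:
        login, secret = device_provision(keychain)
        return api.register(login, secret)
    return api.authenticate(login, secret)
```

Because the secret is random rather than user-chosen, the reuse problem the question mentions does not arise, and the server can afford a fast keyed hash. The trade-off also shows up directly: once `wipe()` has run, `first_run_flow` creates a brand-new account, so anything tied to the old login is unreachable unless the credentials were backed up somewhere the user controls.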