Hacker News
by raisedadead 3452 days ago
How about a simple one-time key? I am assuming that your app is not going to store anything and has no backend at all.

So let's say your app pings the API with the email and a special loooooooong human-readable string of random words:

"A horse is an grass, it feeds on animal!"

Note the phrase (key) should not make sense or be correct grammatically, it could be just a bunch of words jumbled together.

The API sends this to the user; the user enters the same on your page with the grammatically correct one.

"A horse is an animal, it feeds on grass!"

Boom, you have a very high entropy, a secure paraphrase that's probably reliably secure and can be enhanced to timeout against brute force attacks. It's really up to you what you want to do with the API and your app.

Looks complex, but should be a good starting point to build something. Good luck!
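Added example, not part of the comment above and not code from any project: a server-side sketch of a one-time word phrase with the timeout and guess limit the comment mentions. The word list, `TTL_SECONDS`, `MAX_ATTEMPTS` and all function names are assumptions, and the sketch covers issuing and checking the phrase, not the word-jumbling step.

```python
import hashlib, hmac, math, secrets, time

# Constructed 16-word sample list; a real list would hold thousands of words.
WORDS = ("horse grass animal river stone cloud apple train "
         "candle forest window pencil garden silver bridge tiger").split()
TTL_SECONDS = 600   # assumed lifetime of an issued phrase
MAX_ATTEMPTS = 5    # assumed number of guesses before the phrase is burned

_pending = {}       # email -> [sha256 digest, expiry time, attempts left]

def entropy_bits(n_words, list_size=len(WORDS)):
    """Entropy of n_words drawn uniformly and independently from the list."""
    return n_words * math.log2(list_size)

def _digest(phrase):
    # Normalise case and spacing so retyping from the mail is forgiving.
    return hashlib.sha256(" ".join(phrase.lower().split()).encode()).digest()

def issue(email, n_words=8, now=None):
    """Create a one-time phrase; the caller mails it to the user."""
    now = time.time() if now is None else now
    phrase = " ".join(secrets.choice(WORDS) for _ in range(n_words))
    # Only the digest is kept, so a leaked store does not reveal live phrases.
    _pending[email] = [_digest(phrase), now + TTL_SECONDS, MAX_ATTEMPTS]
    return phrase

def verify(email, phrase, now=None):
    """True once for the right phrase, before expiry and within the limit."""
    now = time.time() if now is None else now
    entry = _pending.get(email)
    if entry is None:
        return False
    if now > entry[1]:
        del _pending[email]          # expired
        return False
    entry[2] -= 1                    # every attempt counts, right or wrong
    if hmac.compare_digest(entry[0], _digest(phrase)):
        del _pending[email]          # single use
        return True
    if entry[2] == 0:
        del _pending[email]          # burned after too many wrong guesses
    return False
```

With this 16-word sample list an 8-word phrase carries only 32 bits, which is why the list size and the guess limit matter more than the phrase looking long.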