[anderspitman]

This is interesting. I'm not sure how I feel about it from the perspective of the user understanding what they're consenting to, but it's secure and the flow is simple.

I don't support passwords on any of my services. Emailed magic links and SSO are the encouraged methods, even with all the tradeoffs. I've considered allowing users to generate tokens similar to OP, but some percentage of them will be emailed around and pasted into phishing sites etc.

But something like this could work as an option, especially if it could integrate with a couple popular password managers as well. Not sure if that's even possible.