Depends what you need. From just the headline I thought the question was slightly different however: JWT that requires time, UA, IP and some decay of variance of these customisable via an integer value from 0 to 100. Let the user choose? LOL. No device fingerprinting via JS or any 3rd party as I believe in users' liberty. So, how the user gets the above JWT: Is any authentication needed? If they want to opt in, how's a trip code? An account name recoverable via email. Or secret. Or SMS. Or remembering last account action? Or a combination? For a sensitive action, what's the tradeoff between verification and convenience? Against what sort of actor? SMS is exclusionary. Which works if you want to exclude non US/EU phone dependent users and target those that care little about security or privacy.