From just the headline I thought the question was slightly different however: JWT which requires time, UA, IP and some decay of variance of these, customisable via an integer value from 0 to 100. Let the user choose?
LOL.
No device fingerprinting via JS or any 3rd party as I believe in users' liberty.
So, how the user gets the above JWT:
Is any authentication needed?
If they want to opt in, how's a trip code?
An account name recoverable via email. Or secret. Or SMS. Or remembering last account action? Or a combination?
For a sensitive action, what's the tradeoff between verification and convenience? Against what sort of actor?
SMS is exclusionary, which works if you want to exclude non-US/EU phone-dependent users and target those who care little about security or privacy.
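One way to build the JWT sketched in that comment, as an added example that is not the commenter's code: an HS256 token bound to issue time, a hash of the UA and the client IP, carrying a 0-100 tolerance claim the holder chooses and the server enforces by scoring drift at verification time. The signing key, claim names, drift weights and the IPv4 /24 heuristic are all assumptions made for the demo.

```python
import base64, hashlib, hmac, json
from typing import Optional

# Constructed demo key; a real deployment loads this from a secret store.
SECRET = b"demo-signing-key-not-for-production"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue(ua: str, ip: str, tolerance: int, now: int) -> str:
    """Mint an HS256 JWT bound to the client's UA and IP with a user-chosen tolerance (0-100)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iat": now, "ua": hashlib.sha256(ua.encode()).hexdigest(),
               "ip": ip, "tol": max(0, min(100, tolerance))}
    signing_input = _b64(json.dumps(header).encode()) + "." + _b64(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def variance(payload: dict, ua: str, ip: str, now: int) -> int:
    """Score 0-100 how far the presenting client has drifted from the binding in the token."""
    score = 0
    if payload["ua"] != hashlib.sha256(ua.encode()).hexdigest():
        score += 40  # UA changed: suspicious, though browser updates cause it too
    if payload["ip"] != ip:
        # Assumes IPv4; staying inside the same /24 (carrier churn) costs less than a new network.
        same_net = payload["ip"].rsplit(".", 1)[0] == ip.rsplit(".", 1)[0]
        score += 20 if same_net else 50
    age_hours = max(0, now - payload["iat"]) // 3600
    score += min(30, age_hours)  # each hour of token age costs one point, capped at 30
    return min(100, score)

def verify(token: str, ua: str, ip: str, now: int) -> Optional[dict]:
    """Return the payload if the signature checks out and drift is within the token's tolerance."""
    try:
        h, p, s = token.split(".")
        sig = _unb64(s)
    except ValueError:  # wrong segment count or undecodable signature
        return None
    expected = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # reject before trusting any claim
    if json.loads(_unb64(h)).get("alg") != "HS256":
        return None  # pin the algorithm server-side; never let the token choose it
    payload = json.loads(_unb64(p))
    return payload if variance(payload, ua, ip, now) <= payload["tol"] else None
```

A tolerance of 0 makes the token usable only from the exact UA and IP within the hour it was issued; 100 disables the binding entirely, which is the "let the user choose" knob from the comment.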