
I'm working on the same problem, and there's a working prototype https://github.com/sakurity/truefactor

The problem is bigger than that - we should stop making users type a password at all. There should be an authentication module any website could use to store and retrieve credentials from. Check out Truefactor.



> The problem is bigger than that - we should stop making users type a password at all. There should be an authentication module any website could use to store and retrieve credentials from.

We have the solution already in HTTPS client certificates. Browsers all have mechanisms for generating and storing them. The only problem is that no one uses them.


Is there a JS API to use HTTPS certs to sign specific strings? Like "send 1 bitcoin to X"


> There should be an authentication module any website could use to store and retrieve credentials from.

How do you plan to do that securely?


Open truefactor:// app. Currently there is only a Web version and it has serious downsides (web crypto is a bad idea), but think of it as a Light version. Desktop apps to come later.


I was looking for more of a write up. I'm just wondering how/where the credentials get cached and how you securely know the user re-connecting is the user who previously disconnected.


Credentials are encrypted with a passphrase and seamlessly stored on the server by token=sha256(passphrase). https://truefactor.io/


Site gives me a login page. I make a login and I get no information about the service just user options.

Also where is the salt stored? SHA256 is pretty easy to brute force even salted.


The email itself is the salt (or rather the public part of the passphrase). So from email+passphrase the encryptionKey is derived using scrypt. So it's actually sha(scrypt(email+passphrase))
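The scheme this comment describes (encryptionKey = scrypt over email+passphrase with the email as salt, token = sha256 of that key, credentials encrypted client-side and stored under the token), as an added Python example that is not Truefactor's own code. The HMAC-SHA256 counter-mode cipher is an assumed stdlib-only stand-in for a real AEAD, and the email, passphrase and credentials are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample values for the demo, not real credentials.
EMAIL = "alice@example.com"
PASSPHRASE = "correct horse battery staple"
CREDENTIALS = b'{"github.com": {"user": "alice", "pw": "s3cr3t"}}'

def derive_key(email: str, passphrase: str) -> bytes:
    """scrypt(email+passphrase): the email is the public salt, so keys differ per account."""
    return hashlib.scrypt(passphrase.encode(), salt=email.encode(), n=2**14, r=8, p=1, dklen=32)

def derive_token(key: bytes) -> bytes:
    """sha256(scrypt(...)): the only value the server sees; it indexes the blob, not decrypts it."""
    return hashlib.sha256(key).digest()

def _subkeys(key: bytes):  # separate encryption and MAC keys from the scrypt output
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Assumed stdlib-only stand-in for a real AEAD: HMAC-SHA256 run in counter mode.
    blocks = [hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(0, length, 32)]
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)  # output layout: nonce || ciphertext || tag (encrypt-then-MAC)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong passphrase or tampered blob")  # checked before any decryption
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def store(server: dict, email: str, passphrase: str, creds: bytes) -> None:
    key = derive_key(email, passphrase)
    server[derive_token(key)] = seal(key, creds)  # server keeps token -> ciphertext only

def retrieve(server: dict, email: str, passphrase: str) -> bytes:
    key = derive_key(email, passphrase)
    blob = server.get(derive_token(key))
    if blob is None:  # a mistyped passphrase changes the token, so nothing is found
        raise KeyError("no blob stored under this token")
    return unseal(key, blob)
```

The server dict never holds the key or the passphrase, only the sha256 token and the ciphertext, so a dump of it yields one scrypt guess per login attempt rather than a fast SHA-256 brute force.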


Why would you make all of your commit messages "1", instead of explaining what the added code does in each?


I'm a single developer, imo no one will read these messages until the Beta version.



