This repository has been archived by the owner on Jun 4, 2024. It is now read-only.

Try to find a way to keep user session without storing the passphrase (is it possible?) #25

Open
ilkamo opened this issue Nov 26, 2020 · 4 comments · Fixed by #48

Comments

@ilkamo
Owner

ilkamo commented Nov 26, 2020

No description provided.

@ilkamo
Owner Author

ilkamo commented Dec 15, 2020

https://webauthn.guide/

@ilkamo
Owner Author

ilkamo commented Dec 15, 2020

https://webauthn.io/

@ilkamo
Owner Author

ilkamo commented Dec 15, 2020

I had proposed a setup similar to this a while back for crypto in general (I think David was 'present' for that too)... create a nonce and store it in the browser (there is a browser credential API). Sign the nonce with the browser's WebAuthn ( https://webauthn.io/ ) functionality and use the signature generated from that as the seed for the private key. What that lets you do is sign in with your biometrics (touchbar, touchid, faceid, etc) or whatever the platform supports (all major browsers now support webauthn fido). Still show the words as a backup phrase (like normal crypto). Then do device auth for adding new devices.... basically "It looks like you aren't signed in on this device... enter the following code on your logged in device" kinda thing (maybe a QR code too).
it sounds complicated... but it's actually relatively straightforward in code and meanwhile the user gets to use their thumb to sign in
stay logged in on your phone's browser and scan the code for instant access
skynet offers niceties that make this pretty easy where in trad-web you'd have to set up a bunch of infrastructure

by @tobowers
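
The property the scheme above depends on, as an added example that is not part of the issue or the project's code: a seed derived from a signature is reproducible only if signing the same nonce always yields the same bytes. Node.js key pairs stand in for the authenticator here (an assumption; a WebAuthn assertion signature also covers authenticator data and client data), and the nonce, the HKDF info label and the function names are constructed for illustration.

```javascript
// Added example, Node.js. Local key pairs stand in for the authenticator;
// every name below is hypothetical and not taken from the project.
const nodeCrypto = require('node:crypto');

// Constructed sample nonce, standing in for the value stored in the browser.
const NONCE = Buffer.from('constructed-sample-nonce-0001');

// Stretch a signature into a 32-byte seed with HKDF-SHA256 (hex-encoded).
function seedFromSignature(signature) {
  const okm = nodeCrypto.hkdfSync('sha256', signature, Buffer.alloc(0),
                                  'session-seed-v1', 32);
  return Buffer.from(okm).toString('hex');
}

// Sign the same nonce twice and derive a seed from each signature.
function deriveTwice(kind) {
  const { privateKey, publicKey } = kind === 'ecdsa'
    ? nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' })
    : nodeCrypto.generateKeyPairSync('ed25519');
  // Ed25519 takes no separate digest; ECDSA here is ES256 (P-256 + SHA-256).
  const digest = kind === 'ecdsa' ? 'sha256' : null;
  const sigs = [1, 2].map(() => nodeCrypto.sign(digest, NONCE, privateKey));
  return {
    bothVerify: sigs.every((s) =>
      nodeCrypto.verify(digest, NONCE, publicKey, s)),
    seeds: sigs.map(seedFromSignature),
  };
}

// True when signing the same nonce again reproduces the same seed.
function seedIsStable(kind) {
  const { bothVerify, seeds } = deriveTwice(kind);
  if (!bothVerify) throw new Error('signature failed to verify');
  return seeds[0] === seeds[1];
}

// Randomized ECDSA gives two valid but different signatures, so the seeds
// differ; deterministic Ed25519 reproduces the same seed each time.
console.log('ecdsa seed stable:  ', seedIsStable('ecdsa'));
console.log('ed25519 seed stable:', seedIsStable('ed25519'));
```

Both signatures verify in either case, so verification alone does not reveal the problem; only comparing the derived seeds does.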

@tobowers

looks like most desktops won't have the biometrics necessary here.

@ilkamo ilkamo linked a pull request Feb 5, 2021 that will close this issue