Every app you use requires an account. Username. Password. Email verification. Account recovery questions. Password resets.
These are a liability. User databases get hacked. Passwords get cracked. Email verification creates tracking.
What if apps didn't require accounts at all?
No-login apps are the future. You don't authenticate *to* the app. You authenticate *with* the app. The distinction is subtle but revolutionary.
No-login means the server doesn't know who you are. It only knows you can prove a cryptographic claim.
The difference: Credential-based vs. cryptographic auth
Traditional login:
- You create an account (username, password, email)
- Server stores credentials in a database
- You log in by sending credentials
- Server verifies credentials, creates a session
- Session token proves you're logged in
Problem: The server is a target. Breach the database and you get every user's credentials, or at least the password hashes to crack offline.
No-login authentication:
- You generate a cryptographic key pair (public + private key)
- Server stores your public key and nothing secret (no database of credentials)
- You sign a challenge with your private key
- Server verifies signature with your public key
- Signature proves you control the private key (that is all the server ever learns about "you")
The credential-theft problem doesn't exist. A stolen public key is useless for impersonation, and there is nothing to crack. What the server does hold, public keys and your content, is still worth protecting, so sensitive content should be encrypted on the client before it is uploaded.
Authentication approaches
How no-login actually works: The challenge-response pattern
Here's the real implementation, stripped to its steps:
- Client presents its public key (or a fingerprint of it) so the server knows which key it is about to prove.
- Server generates a fresh random challenge, keeps a short-lived record of it, and sends it to the client.
- Client signs the challenge with its private key and returns the signature.
- Server verifies the signature against the stored public key and, on success, issues a session.
Cryptographic authentication flow
The magic: Server *never* sees the private key. Only the public key and the signature. This proves ownership of the private key without revealing it.
Three approaches to no-login: Spectrum from simple to complex
The real advantages of no-login
Beyond "no passwords," no-login apps have concrete benefits:
No user database = no target
Traditional apps store usernames, emails, password hashes, profile data. Hackers steal this. No-login apps store only public keys and content. Even if breached, an attacker gets no secret that lets them impersonate you and no email or name, only a public key and whatever content you chose to store (which is why sensitive content should be encrypted client-side before upload).
No account recovery = user responsibility
Lost your password? Traditional app has "forgot password" (an exploitable recovery path). Lost your private key? Tough. You own it. This is good: no weak password resets, no account takeover through a reset flow. The takeover risk that remains is theft of the key itself, which is why the key should live in hardware (a secure enclave or security key) wherever the platform allows it.
Cross-app authentication
With one key pair, you can authenticate to multiple apps. With traditional login, each app has a separate username/password. With no-login, one key works everywhere (if apps support it). One caution: presenting the same public key to every app turns it into a cross-app identifier that lets those apps correlate you. WebAuthn avoids this by minting a separate key pair per site; a custom scheme should derive a distinct key per app from one backed-up secret.
Minimal server complexity
Server doesn't manage passwords, resets, email verification, or account state. What it keeps is minimal: public keys, the challenges it has issued (so each can be used exactly once), and sessions. Less code, fewer bugs, easier to scale.
Privacy by default
Traditional app requires email for account creation (tracking). No-login app requires nothing. No email, no phone, no identity. You're just a public key.
No-login doesn't mean anonymous: your public key is a stable pseudonym, and everything you do under it is linkable. It means the app doesn't need to know who you are to prove you're authentic.
The honest trade-offs
No-login has costs:
- Lost key = lost account: Traditional app has "forgot password." No-login app has nothing. You must back up your key or you lose access to everything.
- User UX responsibility: Users must understand keys, backups, device security. No account recovery means users must be their own IT department.
- No account-level features: Traditional apps have "linked accounts," "account settings," "activity history." No-login apps don't have this unless they track you (defeating the purpose).
- Complex key management: Multiple devices need access to same key (or different keys). Requires key backup/sync infrastructure.
- Adoption barrier: Most users understand passwords. Most don't understand key pairs. WebAuthn is improving this, but we're not there yet.
These are real constraints. But they're acceptable for privacy-respecting apps where you own your data.
Who's already using no-login
It's not theoretical:
- Bitcoin/Blockchain: You don't have a "Bitcoin account." You have a key pair. Spending is authorized by signing with your key; a wallet is just software that holds it.
- Signal: Uses phone number + cryptographic keys. No password.
- WebAuthn (passkeys): Apple, Google, and Microsoft are deploying hardware-backed, password-less authentication on phones and laptops, with a separate key pair per site.
- CHRONOS: Uses cryptographic authentication (the encrypted vault is unlocked by a key derived locally from your password; the password itself never reaches a server). No traditional account database.
Adoption is growing. The 2020s will see the shift from password-based to cryptographic authentication.
Building no-login: The indie hacker path
If you're building a privacy app, use no-login. Here's the pattern:
User generates key pair (Ed25519, or ECDSA P-256 where that is all the platform offers)
On their device. Private key never leaves the device. Public key is shared.
Server stores public key (and nothing else about the user)
No username, email, password, profile. Just the public key and the user's content.
Login is challenge-response (sign + verify)
Server sends a random, single-use challenge with a short expiry. Client signs the challenge together with the server's name (so a signature obtained by one service cannot be relayed to another). Server verifies the signature with the stored public key, then discards the challenge.
No account management needed
No password resets, no email verification, no account recovery. User is responsible for key backup.
Libraries: libsodium, TweetNaCl.js, and the Web Crypto API all have Ed25519 (Web Crypto's Ed25519 support is recent; check your target browsers and fall back to ECDSA P-256 if needed). Use them; don't write your own.
The shift: From account-centric to key-centric
Traditional app architecture: Users → Accounts → Sessions → Resources
No-login architecture: Public Keys → Sessions → Resources
This is a fundamental shift. It removes the "account" layer entirely. The server goes from "managing users" to "verifying keys."
This is good. It's simpler, more private, and more secure.
In 2026 and beyond, expect more apps to drop accounts entirely. Some will use WebAuthn. Some will use blockchain wallets. Some will use custom cryptography.
The common theme: authentication happens through cryptography, not credentials. The server doesn't know who you are. It only knows you can prove you control a key.
CHRONOS
No accounts.
No passwords.
Your vault is unlocked by your key, not your account. You authenticate to your device, not to us.
Open CHRONOS