- app asks only for an email address on the login screen. If logout control is used, this is the only accessible screen.
- upon entry, app stores the email locally and sends it and OS ID (identifierForVendor) to server to confirm valid login. (whenever app is "fresh" (re-loaded after being cleared from memory) it does this again using stored email.)
- server checks email and OS ID against user store
if match:
- server confirms login and app continues
if no match for email:
- server rejects email
- app displays error
if match for email but not OS ID (or there is no OS ID yet):
- server generates and stores a random token and expiration timestamp on user record
- server sends email to address with a "confirm login" link that uses an app URL scheme to pass that token to the app
- app instructs user to check email on-phone to complete authentication
- user receives email, follows link (which launches app)
- app receives URL, sends included token and OS ID to the server
- server checks that token is valid and timestamp has not passed
if pass:
- server stores identifierForVendor with user record
- server confirms authentication and app continues
if fail:
- server rejects authentication
- app displays error