Let me see if I understand your intent. You have an API for which you use Tokens to authenticate. The Token is obtained via password authentication at the beginning of the session. You want to enable a way to ‘remember’ passwords so that users don’t have to log in every time if that’s what they prefer, but you do not want to store passwords in plain text on the device. Is that correct?
The simplest way to achieve this would be to make the Token permanent or have a very long expiry if the user selects ‘remember me’. That way you can store a form of authentication on the device that is not the password.
This should work fine as long as you also do the following:
- When the user changes the password, invalidate all tokens on the server side.
- Generate tokens per device, present the user with a list of apps using tokens that can be revoked on their profile.
If you double hash passwords, you are basically creating a token anyway, but worse because it is linked to the password, and if the token is compromised, the password will have to be changed.
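To make the suggestion above concrete, here is an added example (my own sketch, not code from the original post or from any particular framework) of a server-side token store that does what the reply describes: a random token per device with a long expiry when ‘remember me’ is chosen, only a hash of the token kept on the server, a per-device list that can be revoked from the user's profile, and a hook that invalidates every token for the user when the password changes. The 90-day ‘remember me’ lifetime and the one-hour session lifetime are assumed values, and `now` is passed in explicitly so the expiry logic can be exercised deterministically.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Assumed lifetimes; tune to your own risk appetite.
TOKEN_TTL_SESSION = 60 * 60              # ordinary session: one hour
TOKEN_TTL_REMEMBER = 60 * 60 * 24 * 90   # 'remember me': 90 days


def _hash_token(token: str) -> str:
    # Only the hash is stored server-side, so a leaked table does not
    # yield tokens that can be replayed. The token itself is random and
    # high-entropy, so a plain SHA-256 is sufficient here (no need for a
    # slow password hash).
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class TokenRecord:
    user: str
    device: str
    expires_at: float
    revoked: bool = False


class TokenStore:
    """In-memory stand-in for the server-side token table."""

    def __init__(self):
        self._records = {}  # token hash -> TokenRecord

    def issue(self, user, device, remember_me, now=None):
        """Create a fresh token for one device; the client stores this
        string instead of the password."""
        now = time.time() if now is None else now
        ttl = TOKEN_TTL_REMEMBER if remember_me else TOKEN_TTL_SESSION
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._records[_hash_token(token)] = TokenRecord(user, device, now + ttl)
        return token

    def validate(self, token, now=None):
        """Return the user name for a live token, or None if it is
        unknown, expired or revoked."""
        now = time.time() if now is None else now
        rec = self._records.get(_hash_token(token))
        if rec is None or rec.revoked or rec.expires_at <= now:
            return None
        return rec.user

    def list_devices(self, user, now=None):
        """Devices with a live token, for display on the profile page."""
        now = time.time() if now is None else now
        return [rec.device for rec in self._records.values()
                if rec.user == user and not rec.revoked and rec.expires_at > now]

    def revoke_device(self, user, device):
        """User-initiated revocation of one device from the profile page.
        Returns how many live tokens were revoked."""
        count = 0
        for rec in self._records.values():
            if rec.user == user and rec.device == device and not rec.revoked:
                rec.revoked = True
                count += 1
        return count

    def on_password_change(self, user):
        """Invalidate every token for the user when the password changes,
        so a stolen 'remember me' token does not outlive the old password.
        Returns how many live tokens were revoked."""
        count = 0
        for rec in self._records.values():
            if rec.user == user and not rec.revoked:
                rec.revoked = True
                count += 1
        return count


if __name__ == "__main__":
    store = TokenStore()
    phone = store.issue("alice", "phone", remember_me=True)
    laptop = store.issue("alice", "laptop", remember_me=False)
    print("devices:", store.list_devices("alice"))
    store.revoke_device("alice", "phone")
    print("phone token still valid?", store.validate(phone) is not None)
    print("revoked on password change:", store.on_password_change("alice"))
    print("laptop token still valid?", store.validate(laptop) is not None)
```

The point of the two revocation paths is that the token, not the password, is what lives on the device: losing a token costs the user one revoked entry on the profile page, whereas a compromised derived-from-password credential forces a password change.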