We have an app running and identify our users using Facebook Login. Unfortunately Facebook Login isn't the best way to log in to an app and our users want something different. So, we're trying to discuss a new way of logging into our app. We came up with a "passwordless" login solution which is basically a web-thing and not yet very common in smartphone apps.
One idea is to let the user enter his username and email on registration and save this to our web service. The user gets an email with his login credentials or a link with a token that identifies him within the app. The problem might be that email is the wrong medium for an app login confirmation.
A second idea is to generate a local token and use this as "password" which is synced across the user's devices via e.g. iCloud. This way we have no clue if the user is actually "real".
Our third idea is a bit of a mix where the user only needs a password when he wants to log in on a different device.
So, what do you think could be the best way to implement such a mechanism into a cross-platform smartphone app?
Have we completely missed something important?
I would appreciate productive suggestions.
I think your first option is the best despite what you say about email being a bad medium.
If you don't somehow tie the session to an email, the user will have nothing to restore such a session in the future that doesn't resemble a password. Also, it would make it trivial to impersonate someone else's mail. You need mail in the equation, otherwise you'd just send a token on the service response as if it were a login call.
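The email-token flow from the first option, as an added example that is not part of the original thread: the token leaves the server only inside the mail, is stored hashed, expires, and can be redeemed once. `MagicLinkStore`, `TOKEN_TTL` and the in-memory dict are assumptions standing in for the web service and its database.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a mailed link stays valid (constructed value)


def _digest(token):
    # Only the hash is stored, so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()


class MagicLinkStore:
    """Hypothetical in-memory stand-in for the web service's token table."""

    def __init__(self, now=time.time):
        self._pending = {}  # sha256(token) -> (email, expires_at)
        self._now = now     # injectable clock so expiry can be tested

    def request_login(self, email):
        """Create a one-time token bound to `email`.

        The caller puts the return value into the outgoing mail only. The HTTP
        response to the app must not contain it, otherwise anyone could claim
        any address without controlling its mailbox.
        """
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._now() + TOKEN_TTL
        self._pending[_digest(token)] = (email.strip().lower(), expires_at)
        return token

    def redeem(self, token):
        """Return (email, session_id) for a valid token, else None."""
        entry = self._pending.pop(_digest(token), None)  # pop: single use
        if entry is None:
            return None  # unknown, guessed, or already used
        email, expires_at = entry
        if self._now() > expires_at:
            return None  # expired; the user has to request a new mail
        # The session is tied to the verified address, which is also what lets
        # the user restore access later from another device.
        return email, secrets.token_urlsafe(32)
```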