item 36827075

justsomeadvice0 | 2 years ago

A long time ago I wrote a variant of this - the signup page would generate a token, place it in a hidden password field, submit a hidden form, and instruct the user to click the "Save password" dialog in their browser. One advantage of this was e.g. Chrome would sync the password immediately across all your devices (in some ways this was a privacy violation, although one that the user had to explicitly opt themselves into). New sessions (e.g., if you reset or lost your browser's stored passwords) still happened via email verification, though.

Today I would just use passkeys.

anderspitman | 2 years ago

This is interesting. I'm not sure how I feel about it from the perspective of the user understanding what they're consenting to, but it's secure and the flow is simple.

I don't support passwords on any of my services. Emailed magic links and SSO are the encouraged methods, even with all the tradeoffs. I've considered allowing users to generate tokens similar to OP, but some percentage of them will be emailed around and pasted into phishing sites etc.

But something like this could work as an option, especially if it could integrate with a couple popular password managers as well. Not sure if that's even possible.