Building a secure NodeJS REST API without password


Mandeep Gulati

Aug 14, 2014, 9:26:54 AM
to nod...@googlegroups.com
I am building a Node.js REST API for an Android application. During the registration phase, the user chooses a username, which must be unique. If that username is available, it is allocated to them and the user is created in the DB. Currently the API is exposed and all routes can be accessed by anyone.

I want to add an authentication mechanism but don't want to make the end user enter any password. What should I use? I have been googling around and finding some results citing HMAC or API-key-based authentication, but I am not able to understand everything clearly. Is there any good tutorial available for beginners that explains this?

PS: I am using Sails.js framework for my development. 

Александр Суховетченко

Aug 15, 2014, 7:15:19 AM
to nod...@googlegroups.com
Maybe https://passwordless.net/ can be of any help.

Aria Stewart

Aug 15, 2014, 11:33:08 AM
to nod...@googlegroups.com
Username and passwords:

Upsides: Easy, and usually needed in the first place
Downsides: Only secure over HTTPS or with digest authentication; slow, and can't use digest auth if passwords are properly strongly hashed.

Tokens / API Keys:

Upsides: Easy to check, can be structured to separate 'device authorization' from 'authentication' -- if users have multiple devices or sessions and you'd want to disable some without requiring re-login, this is a plus.
Downsides: You still have to authenticate, which means a username and password. If you use OAuth2, it's a huge, badly written, hard to understand, incomplete spec.

HMAC:

Not actually an authentication mechanism, though usable as a primitive to start building one.

SSH or other public/private keys:

Upsides: Can be securely set up with nearly no user intervention; easy to check; can do device authorization if you structure it right. You use an HMAC+signature over part or all of the request to authenticate it. Faster than verifying a strongly hashed password.
Downsides: requires some crypto understanding. Not supported in browsers.
Note: check out https://github.com/joyent/node-http-signature/blob/master/http_signing.md

Tristan Slominski

Aug 15, 2014, 11:22:26 PM
to nod...@googlegroups.com
What you are looking for are Object Capabilities. This is a good start: http://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/40673.pdf but it is a lot to take on.