continuity-auth is my attempt to fix this from first principles by using device-continuity proof as a trust signal and time (enforced via rate-limiting) as the core resource to provide a graceful, zero-trust, login-less method to prevent abuse, supporting both browsers and CLI as first-class clients.
Built with Clojure/Script, babashka, and Datalevin. Work in progress. Happy to discuss.