
I think this would complicate salting (making rainbow tables or brute-force attacks easier). The client needs to know the salt, so on a fresh device I think you're limited to:

- using the username as a salt
- adding a second secret input field for the salt
- allowing the client to request a salt without authentication (which would verify the existence of an account)

And after trying to solve those problems, there's still mTLS or passkeys that offer better security anyway.
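The third option above, an unauthenticated salt-lookup endpoint, is the one that leaks account existence. The following is an added example (not the commenter's code, and not from any real service) contrasting a naive lookup with one that returns a deterministic fake salt for unknown usernames; the user store, `_SERVER_KEY` and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Secret server-side key used only to fabricate stable fake salts.
# Constructed here at import time; it must never be sent to clients.
_SERVER_KEY = secrets.token_bytes(32)


def _new_record(password: str):
    """Create (salt, password_hash) for a user; salt is random per account."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


# Constructed user store: username -> (salt, password_hash).
USERS = {"alice": _new_record("correct horse battery staple")}


def leaky_salt_lookup(username: str):
    """Naive endpoint: a None reply tells the caller the account does not exist."""
    record = USERS.get(username)
    if record is None:
        return None
    return record[0]


def uniform_salt_lookup(username: str) -> bytes:
    """Return the real salt for known users; for unknown users derive a fake
    salt as HMAC(_SERVER_KEY, username) so the reply is stable across calls,
    has the same length, and does not reveal whether the account exists."""
    record = USERS.get(username)
    if record is not None:
        return record[0]
    tag = hmac.new(_SERVER_KEY, b"fake-salt:" + username.encode(), hashlib.sha256)
    return tag.digest()[:16]


def reveals_existence(lookup, known: str, unknown: str) -> bool:
    """True if the two replies differ in shape (presence or length), i.e. the
    endpoint can be used as an account-enumeration oracle."""
    a, b = lookup(known), lookup(unknown)
    if (a is None) != (b is None):
        return True
    return a is not None and len(a) != len(b)
```

Response shape is only one channel: the lookup for a known user still hits the store while the fake path does not, so the two paths should also be made constant-time if enumeration matters.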

A password manager may be extra work, but it's pretty minimal nowadays. On Chrome, it will automatically offer to generate passwords in signups and save them. If you add a Google account, it will sync passwords between devices. Sure, everyone may not want this, but it's easy for less tech-savvy people and still fairly secure.
