What @unwesen proposed is very interesting. Some questions I'm starting to think about:
Can this all be accomplished with just a click of a link (e.g. some HTTP requests) without the user having to do anything at all?
This approach seems to bind the account to the very device / client software that has the client certificate installed. What if the user switches or loses the device, or reinstalls or resets the software or system?
I guess it's still imperative to bind everything to a portable identity, such as an email address or a phone number, etc. Yes? If so, how would that be done? A token will still have to be sent to the email address upon account creation, right? This approach doesn't seem to do that at all. Am I right?
To conclude, this approach binds to the device / software rather than to email / Gmail. Is it more secure this way?