Six digits, no password
Why weekkii sign-in is email plus a one-time code. Every credential we refuse to hold is a liability we cannot leak.
Signing into weekkii looks the same everywhere: you type your email, we send you a six-digit code, you type the code in. That is the whole flow, on web, iOS, and Android. No password field, no "Sign in with Google" button, no magic link. This is not a missing feature. It is a decision, and the reasoning behind it is the closest thing we have to a security philosophy: every credential we refuse to hold is a liability we cannot leak.
Take passwords. If we had a password field, we would have to store password hashes, and a table of password hashes is a target. We would have to run a reset flow, one more credential path we would have to defend. None of that would fix the two problems passwords carry with them everywhere: people reuse them across sites, and people get phished for them. A password protecting your to-do list is very often the same password protecting something bigger, leaked from somewhere weaker.
OAuth avoids the hash table but replaces it with something worse for a planner. "Sign in with Google" means Google learns every time you open your planner. Sign in with Apple, same story with a different landlord. Your account recovery also now routes through a third party: whoever controls that Google or Apple account controls your access to us. Building a privacy-first app and then wiring its front door to an advertising company's identity service did not sit right.
Magic links are the fashionable answer. The problem is that links get opened by things that are not you. Corporate email scanners prefetch every URL in a message to check it for malware, which consumes one-time links before you ever see them. And when a link does survive, it opens a session in whatever browser handled the click, which may not be where you wanted to be signed in at all. A six-digit code has neither problem. Nothing prefetches a number. You read it in your inbox and type it into the app you are already holding, and the session stays exactly where you are.
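The server side of a six-digit code flow, as an added example (not weekkii's own code): a six-digit code has only a million possible values, so what makes it safe is that it is single use, short lived, and limited to a few guesses. The `CodeStore` class, the 10-minute lifetime and the 5-attempt cap are assumptions for illustration; the page does not state weekkii's values.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 600  # assumed lifetime; not stated on the page
MAX_ATTEMPTS = 5        # assumed guess cap; not stated on the page


class CodeStore:
    """In-memory stand-in for a server-side table of pending sign-in codes."""

    def __init__(self, clock=time.time):
        self._pending = {}  # email -> [digest, expires_at, attempts_left]
        self._clock = clock
        self._key = secrets.token_bytes(32)  # server-side HMAC key

    def _digest(self, email, code):
        # Keyed hash bound to the email, so the table never holds the code itself.
        msg = f"{email}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, email):
        """Create a fresh code, replacing any earlier one for this email."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG; keeps leading zeros
        expires_at = self._clock() + CODE_TTL_SECONDS
        self._pending[email] = [self._digest(email, code), expires_at, MAX_ATTEMPTS]
        return code  # goes out by email only, never back to the requesting client

    def verify(self, email, submitted):
        """True exactly once for the right code; the code is burned on any exit path."""
        entry = self._pending.get(email)
        if entry is None:
            return False
        digest, expires_at, _ = entry
        if self._clock() >= expires_at:
            del self._pending[email]  # expired: a new code is required
            return False
        entry[2] -= 1  # count the attempt before comparing
        if hmac.compare_digest(digest, self._digest(email, submitted)):
            del self._pending[email]  # single use
            return True
        if entry[2] == 0:
            del self._pending[email]  # guess budget spent: a new code is required
        return False
```

With these assumed limits, an attacker guessing blindly against one issued code succeeds with probability at most 5 in 1,000,000.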
The code signs you in, it never unlocks anything
Here is the part that matters most. In weekkii, authentication and encryption are two separate systems with two separate secrets, and they never touch.
The six-digit code authenticates you to sync. It proves to our server that you control your email address, so the server will hand your devices the ciphertext they ask for. That is all it does.
Your data key comes from somewhere else entirely: your passphrase. On your device, we run it through Argon2id (19,456 KiB of memory, 2 iterations, a 16-byte salt) to derive a 32-byte key, and that key encrypts every task with NaCl secretbox before anything leaves the device. The key never leaves the device. The server stores ciphertext, full stop.
So losing control of your email does not decrypt anything. Even we cannot read your tasks, and we hold the entire mail pipe: the sign-in codes go out through Resend, from our account. If an attacker somehow owned Resend, our Supabase database, and your inbox all at once, they could sign into sync and download your ciphertext. Without your passphrase, that is all it would ever be.
What it costs
We will not pretend the trade is free. Typing a code every sign-in is more friction than one tap on a Google button, and we feel it too. And email is a real dependency: it is the one external system we trust for authentication, so if your inbox is compromised, an attacker can sign into your sync account. They still read nothing, but you should know that boundary exists.
The other cost is inherited from the passphrase side: there is no reset. Not because we are stubborn, but because we never see the passphrase, so there is nothing for us to reset. Lose it and the ciphertext stays ciphertext, including for you.
Our sign-in screen is two inputs: your email, then six digits. Everything worth protecting sits behind a third prompt, the passphrase, and that one only you can fill in.