
Interesting use case. I'm really enjoying this discussion.

I'm guessing this could be solved if 3rd party apps register to handle "news.ycombinator.com" links. I don't think there's any enforcement by Apple or Google that you actually own the domain.



There specifically is enforcement by Apple with the new Universal Links feature (which that Auth0 article talks about).

Without the enforcement, it's arguably not secure unless the user is prompted "do you want to open this link in Xyz.app"

With the enforcement (you have to upload a special file to web server(s) for the domain(s) you want to "claim" for your app), third parties cannot have the same level of integration (which is not limited to just auth - I'd love Twitter links to open in my native, non-official client).

Honestly I think the "solution" already exists and just needs polish:

- Better password managers built in to browsers/OSes

- MUCH better handling of private keys and client certs on user devices (add client cert syncing via iCloud Keychain for example)

- wider knowledge and use of 2FA systems
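
Added example, not part of the thread: a sketch of the domain-claim check the comment above describes for Universal Links, evaluated offline against a constructed `apple-app-site-association` file in the legacy `details` list format. The app IDs, paths and the helper name `app_may_open` are placeholders; the matching rules (`*`, `?`, a `NOT ` prefix, first match wins) are assumed from Apple's documentation, and the real OS also fetches the file over HTTPS from the claimed domain.

```python
import json
import re

# Constructed sample file as the domain owner would host it.
# Team ID / bundle ID are placeholders, not real values.
SAMPLE_AASA = """
{
  "applinks": {
    "apps": [],
    "details": [
      {
        "appID": "ABCDE12345.com.example.official",
        "paths": ["NOT /x/private/*", "/item", "/x/*"]
      }
    ]
  }
}
"""


def _pattern_to_regex(pattern):
    """Translate an association-file path pattern into a compiled regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")      # any substring
        elif ch == "?":
            parts.append(".")       # any single character
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.S)


def app_may_open(aasa_text, app_id, url_path):
    """Return True only if the domain's file entitles app_id to open url_path."""
    doc = json.loads(aasa_text)
    for entry in doc.get("applinks", {}).get("details", []):
        if entry.get("appID") != app_id:
            continue  # apps the domain owner did not list get nothing
        for pattern in entry.get("paths", []):
            negate = pattern.startswith("NOT ")
            if negate:
                pattern = pattern[4:]
            if _pattern_to_regex(pattern).fullmatch(url_path):
                return not negate  # first matching rule decides
    return False
```

Because only the domain owner can publish this file, an app ID that is not listed in it (a third-party client, for instance) never matches, which is the integration limit the comment points out.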



