"I want to securely login my users without using passwords."
Handshake's alternative approach to authentication is easier for users and more secure for your application.
By eliminating the password you are eliminating the number one seucrity hole - user error and their insecure passwords. The authcode is generated uniquely every time and expires after a short period of time.
Handshake uses the proven cryptographic standard PBKDF2 for security. Emails and authcodes are passed over SSL, and application salts are doubly encrypted in the datastore.
You can add Handshake.js to your website in very few lines of code. In addition, it eliminates all the effort you'd normally do coding signup, login, and forgot passwords forms.
The entire framework is open sourced. You can adjust the code to your own needs. You can self-host the API portion of it, further increasing your security.
GIF goes here
There are multiple parts that make up the Handshake.js ecosystem.
The main part is Handshake.js. This library integrates with your application's form fields and talks to the API to generate the authcodes for logging in.
The API is hosted by me at no cost to you. You can self-host it if you wish. There's additional configuration available to you if you do so.
I recommend starting with the freely hosted version and then host your own when ready. Finally, there are the libraries which help ease integration into the language/framework of your choice.
Outline of the ecosystem: