Re: Certificate pinning plus strong authentication = WIN
> Have DNS-over-HTTPS backed by DNSCRYPT convey the correct CA for the site you’re about to use
That only helps you as far as your chosen resolver. Someone capable of answering queries from your resolver can still send an incorrect response.
Also, how do you intend to authenticate the HTTPS connection you're placing DoH over, given there's now no locally trusted store? Is the browser vendor going to pre-approve some? (In which case, you've still got a problem of trusting someone you haven't vetted, and who might get compromised.)
What you've done here is moved the security challenge from one place (the browser/OS's trust store) to another (DNS). It presents different challenges, but crucially, as a user you've now got less control (you may not want to, but you can currently go through and disable roots you don't want to trust).
> Then to ensure phishing can’t happen, just force users to use tokens.
Nice idea, but you'd need to get buy-in from every disparate service operator, worldwide. Otherwise, part of the push-back you'd get from the userbase would include them going to your competitor who doesn't require 2FA.
Forcing things onto users never really pans out too well, even at smaller scale (new password policy at work? Checked whether there's been an increase in post-it orders?)
> authenticate using their phone with a QR code (similar to WhatsApp).
That works because WhatsApp is already tied to their phone, and that phone is running your app.
If you start requiring users to run your app on their phone to use your service, you're likely to see that newer users go to a competitor instead (depending on your service, honestly, that'd include me).
Using something like TOTP would be more viable as it gives users more flexibility, but even that still gets pushback.
There are no simple answers. There's plenty that sounds idyllic as an improvement, but once you add meatbags to the equation they tend to go awry.
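The reply above mentions TOTP as the more flexible second factor. As an added illustration (not code from the poster or from any product discussed in the thread), here is a minimal RFC 6238 TOTP generator and a server-side verifier, written only with Python's standard library. The verifier accepts a small clock-drift window and refuses to accept the same time step twice, which is the replay check a service operator needs alongside the code comparison. The secret, window size and the `last_accepted_step` bookkeeping are assumptions for the example; the test values are the published RFC 6238 SHA-1 vectors.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed example values: RFC 6238 Appendix B uses this 20-byte ASCII
# secret for its SHA-1 test vectors, so the outputs below can be checked
# against the RFC itself. A real deployment generates a random secret
# per user (e.g. secrets.token_bytes(20)) and shares it once via QR code.
RFC6238_SECRET = b"12345678901234567890"
TIME_STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6,
         step: int = TIME_STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter = floor(unix_time / step)."""
    return hotp(secret, int(unix_time) // step, digits)


def match_totp(secret: bytes, candidate: str, unix_time: int, digits: int = 6,
               step: int = TIME_STEP_SECONDS, window: int = 1) -> Optional[int]:
    """Return the time step whose code matches `candidate`, or None.

    Accepts codes from `window` steps either side of the current step so a
    phone whose clock drifts slightly still works. The comparison uses
    hmac.compare_digest so a wrong guess takes the same time as a near miss.
    """
    if len(candidate) != digits or not candidate.isdigit():
        return None
    current_step = int(unix_time) // step
    for drift in range(-window, window + 1):
        candidate_step = current_step + drift
        expected = hotp(secret, candidate_step, digits)
        if hmac.compare_digest(expected, candidate):
            return candidate_step
    return None


class TotpVerifier:
    """Server-side state for one user: the secret plus the last step that
    was successfully used, so an intercepted code cannot be replayed."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        # Assumed bookkeeping: in practice this lives next to the user record.
        self.last_accepted_step: int = -1

    def accept(self, candidate: str, unix_time: int) -> bool:
        step = match_totp(self.secret, candidate, unix_time, window=self.window)
        if step is None:
            return False  # no code in the window matched
        if step <= self.last_accepted_step:
            return False  # valid code, but already spent: treat as replay
        self.last_accepted_step = step
        return True


if __name__ == "__main__":
    # Time 59 falls in step 1, the first RFC 6238 test vector.
    print(totp(RFC6238_SECRET, 59, digits=8))
    v = TotpVerifier(RFC6238_SECRET)
    code = totp(RFC6238_SECRET, 59)
    print(v.accept(code, 59), v.accept(code, 59))  # second use is a replay
```

The window is deliberately small: every extra step you accept on either side multiplies an attacker's chance of guessing a six-digit code within the service's rate limit, so pair the window with a per-user attempt limit rather than widening it to paper over badly-synced clocks.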