What is truly wild about #nostr is that everyone is a peer. So it doesn't matter if the client initiates the authentication transaction or the provider.

So I built both options - especially good for a provider (physician) who has a crappy desktop without a camera, but the patient has their phone.

Or vice-versa - a physician with a phone in the field needing to authenticate to someone's crappy camera-less tablet.

The challenge and response is handled invisibly via websockets and NIP-17-like DMs. 100% secure and no authentication overlord in the middle.

Honestly, I don't know of any system that can authenticate like this, and you get this practically for free (with some engineering) in #nostr.