I mean, they way CoinOS implemented it. Id imagine that the server just presenting a challenge that youd need your private key (or a signing app) to prove would be reasonably secure

But storing everybodys private keys on a server, even if salted or whatever they were doing, is just retarded