How tf are you supposed to provide working authentication without storing the email somewhere? Should I just disable password resets and tell the users to fuck off if they forget theirs? Can't even use passkeys, as they make users identifiable too.
How do passkeys make users identifiable beyond being a random token? I recall FIDO shared hardware key serial numbers with websites, but at least on Firefox, it prompts you to deny it.
In that case one could argue emails don't make users identifiable either, if the addresses don't contain any meaningful names.
A passkey is always one per site. Emails tend to be naturally reused, unless the visitor uses a paid aliasing service (the plus trick is trivial to canonicalize; having a dozen mailboxes on a self-hosted email server still associates them with each other, because there's no anonymity set to speak of; and major email providers like Gmail won't let you register an account today without a phone number, credit card, or passport).
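As an added illustration of the point above that the plus trick is trivial to canonicalize (this is example code written for this page, not anything posted by the commenters): a service that wants to link "aliases" of the same mailbox only has to strip the `+tag`, lowercase the address, and apply the well-known Gmail rules (dots in the local part are ignored, `googlemail.com` is the same as `gmail.com`). The sample addresses are constructed for the example; the Gmail rules are real, while the assumption that every other domain uses `+` as its subaddress delimiter and a case-insensitive local part is a simplification.

```python
import re

# Constructed sample input for the example (not real accounts).
SAMPLE_ADDRESSES = [
    "Alice+shop@GMail.com",
    "a.l.i.c.e+newsletter@googlemail.com",
    "alice@gmail.com",
    "bob+forum@example.org",
    "Bob@example.org",
    "carol@example.org",
]

# Domains on which Gmail's dot-insensitivity and domain aliasing apply.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

# Assumption: '+' is the subaddress delimiter everywhere. Some providers use
# other delimiters (or none), so a real deployment would key this per domain.
SUBADDRESS_DELIMITER = "+"

_ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def canonicalize_email(address: str) -> str:
    """Collapse common alias tricks so that variants of one mailbox compare equal.

    Raises ValueError for anything that is not a single user@domain form.
    """
    addr = address.strip()
    if not _ADDR_RE.match(addr):
        raise ValueError(f"not a plain user@domain address: {address!r}")
    local, domain = addr.rsplit("@", 1)
    # Domains are case-insensitive by definition; treating the local part as
    # case-insensitive is an assumption that matches nearly every real provider.
    local, domain = local.lower(), domain.lower()
    # Plus-addressing: user+anything@domain delivers to user@domain.
    local = local.split(SUBADDRESS_DELIMITER, 1)[0]
    if domain in GMAIL_DOMAINS:
        # Gmail ignores dots in the local part and aliases googlemail.com.
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def group_by_identity(addresses):
    """Map each canonical identity to the raw addresses that collapse into it."""
    groups = {}
    for raw in addresses:
        groups.setdefault(canonicalize_email(raw), []).append(raw)
    return groups


def distinct_identities(addresses) -> int:
    """How many actually separate mailboxes are hiding behind the given list."""
    return len(group_by_identity(addresses))


if __name__ == "__main__":
    for identity, raws in group_by_identity(SAMPLE_ADDRESSES).items():
        print(f"{identity}: {raws}")
    print("distinct identities:", distinct_identities(SAMPLE_ADDRESSES))
```

Six submitted addresses collapse to three identities, which is the whole reason a `+tag` alias buys no privacy against the service you hand it to. Self-hosted mailboxes on one domain survive this particular normalization, but as the comment notes, they are still linkable by the shared domain.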
And yet your passkey and therefore app access is tied to a singular key connecting that with all the user info.
Users need to have hard memorization or a record of a passphrase, same as a crypto wallet. Or just use web3 for auth; that can work well if users have decent opsec.
That's a trade-off if you don't want the service to know who you are.