The proper thing to do is not to zeroize the correct string memory before comparing. The proper thing is to only store the hash in the binary in the first place, not the correct string. (Although having a 2nd layer of hashing before comparing might also be a good idea, and in that case you would want to zeroize the 1st hash before comparing the 2nd hash.)

You can't not store the correct string in this case, as the key is calculated from the user's email address. There is an infinite number of possible keys. The only way to check if the key is correct is to recalculate it yourself.

These days, I guess you could make the key an ECDSA signature for a public key embedded in the binary if you were willing to accept such long keys.
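The signature scheme suggested above, written out as an added example (not code from anyone in this thread): the vendor signs SHA-256 of the normalised email with an ECDSA private key, and the shipped binary embeds only the public key, so the client holds no secret to zeroize and nothing that could mint keys. The function names and the email normalisation rule are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Hypothetical license scheme: the vendor keeps the private key, the
// client embeds only the public key and can therefore only verify.

// normalise makes "Alice@Example.com " and "alice@example.com" sign the same.
func normalise(email string) [32]byte {
	return sha256.Sum256([]byte(strings.ToLower(strings.TrimSpace(email))))
}

// IssueKey runs on the vendor side: the key is an ASN.1 ECDSA signature
// over SHA-256(email), base64-encoded so it can be pasted into a dialog.
func IssueKey(priv *ecdsa.PrivateKey, email string) (string, error) {
	digest := normalise(email)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyKey runs in the client. It needs only the public key, so a copy of
// the binary cannot produce keys, and there is no secret to wipe afterwards.
func VerifyKey(pub *ecdsa.PublicKey, email, key string) bool {
	sig, err := base64.StdEncoding.DecodeString(key)
	if err != nil {
		return false
	}
	digest := normalise(email)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	key, _ := IssueKey(priv, "alice@example.com") // constructed sample email
	fmt.Println("key length:", len(key))           // ~96 chars on P-256: the "long key" cost
	fmt.Println("alice ok:", VerifyKey(&priv.PublicKey, "alice@example.com", key))
	fmt.Println("bob ok:  ", VerifyKey(&priv.PublicKey, "bob@example.com", key))
}
```

A key issued for one email is rejected for any other, under any other public key, and when it is not even valid base64; the price is a key roughly 96 characters long rather than a short alphanumeric string.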