zwnow 2 days ago

How tf are you supposed to provide working authentication without storing the email somewhere? Should I just disable password resets and tell the users to fuck off if they forget theirs? Can't even use passkeys as they make users identifiable too.

pona-a 2 days ago | parent | next [-]

How do passkeys make users identifiable beyond being a random token? I recall FIDO shared hardware key serial numbers with websites, but at least on Firefox, it prompts you to deny it.

zwnow 2 days ago | parent [-]

In that case one could argue emails don't make users identifiable either, if the addresses don't contain any meaningful names.

pona-a a day ago | parent [-]

A passkey is always one per site. Emails tend to be naturally reused, unless the visitor uses a paid aliasing service (the plus trick is trivial to canonicalize, having a dozen mailboxes on a self-hosted email still associates them with each other, because there's no anonymity set to speak of, and major email providers like Gmail won't let you register an account today without a phone number, credit card, or passport).
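To make the "trivial to canonicalize" point above concrete, here is an added example (not code from the thread) showing the normalization a service can apply to link sub-addressed and dot-varied emails back to one mailbox. The provider table is an assumption: Gmail and googlemail.com are treated as dot-insensitive and equivalent; everything else only loses its plus tag.

```python
# Constructed example: canonicalize email addresses so that aliases of one
# mailbox collapse to a single linkage key.

# Assumption: these domains ignore dots in the local part.
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}
# Assumption: these domains are interchangeable with the canonical one.
DOMAIN_ALIASES = {"googlemail.com": "gmail.com"}


def canonicalize_email(addr: str) -> str:
    """Return a key that is identical for every alias of the same mailbox."""
    addr = addr.strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    domain = DOMAIN_ALIASES.get(domain, domain)
    # The "plus trick": user+anything@domain delivers to user@domain.
    local = local.split("+", 1)[0]
    # Providers that ignore dots: a.l.i.c.e == alice.
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
    return f"{local}@{domain}"


def group_by_mailbox(addresses: list[str]) -> dict[str, list[str]]:
    """Group raw addresses by their canonical key (one entry per mailbox)."""
    groups: dict[str, list[str]] = {}
    for raw in addresses:
        groups.setdefault(canonicalize_email(raw), []).append(raw)
    return groups


# Constructed sample sign-ups: four strings, but only two real mailboxes.
SAMPLE_SIGNUPS = [
    "Alice.Smith+news@gmail.com",
    "alicesmith@googlemail.com",
    "a.lice.smith+shop@gmail.com",
    "bob+forum@example.org",
]

if __name__ == "__main__":
    for key, aliases in group_by_mailbox(SAMPLE_SIGNUPS).items():
        print(key, "<-", aliases)
```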

zwnow a day ago | parent [-]

And yet your passkey and therefore app access is tied to a singular key connecting that with all the user info.

K0balt 2 days ago | parent | prev | next [-]

Users need to have hard memorization or record of a passphrase, same as a crypto wallet. Or just use web3 for auth, that can work well if users have decent opsec.

wrxd 2 days ago | parent | prev [-]

That's a trade-off if you don't want the service to know who you are.