I’m not sure if this is the correct place to ask this, so if there’s a better community please direct me to it.

I’m making a web app that I plan on hosting. Users will be able to create an account on the website. The only information about the user themself I store is email and an argon2 hash of the password. All the other information stored about a user’s account is specific to and only makes sense in the context of the app.

Now, while I only have one piece of PII, I’d prefer it to be zero. Ideally I’d replace the email with a username for the purpose of uniquely identifying users. However, there’s one problem: I want to be able to send an email to a user if they forget their password so they can reset it. I don’t know if there’s a way to do this without storing their email.

Is there a way to do the mentioned functionality without storing PII? Alternatively, is there another way of handling a user forgetting their password that doesn’t require them to remember anything and doesn’t need PII?
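One way to meet the requirement in the question, added here as an illustration rather than something taken from the thread: keep only a keyed hash (HMAC) of the email as the account identifier, have the user re-type their address when they ask for a reset, and mail a short-lived, single-use token to the address they typed if its HMAC matches a record. Assumptions: the HMAC key lives outside the database, scrypt stands in for argon2 so the block runs on the standard library alone, and the actual mail-sending step is left out.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Server-side HMAC key (constructed for this example; keep it out of the
# database in practice, e.g. in a KMS or an environment secret).
EMAIL_HMAC_KEY = os.urandom(32)

# Per-account record keyed by the email tag: no plaintext email at rest.
# scrypt stands in for argon2 so the example runs on the standard library.
users = {}          # email_tag -> {"pw_hash": bytes, "salt": bytes}
reset_tokens = {}   # sha256(token) -> (email_tag, expiry_timestamp)
TOKEN_TTL = 900     # seconds a reset link stays valid

def email_tag(email: str) -> bytes:
    """Pseudonymous account identifier: HMAC-SHA256 over the normalised address."""
    return hmac.new(EMAIL_HMAC_KEY, email.strip().lower().encode(), hashlib.sha256).digest()

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

def register(email: str, password: str) -> None:
    salt = os.urandom(16)
    users[email_tag(email)] = {"pw_hash": _pw_hash(password, salt), "salt": salt}

def verify(email: str, password: str) -> bool:
    rec = users.get(email_tag(email))
    return rec is not None and hmac.compare_digest(rec["pw_hash"], _pw_hash(password, rec["salt"]))

def request_reset(email: str, now: float) -> Optional[str]:
    """Return the token to mail to the address the user just typed, or None.
    Respond to the user identically in both cases so account existence is not revealed."""
    tag = email_tag(email)
    if tag not in users:
        return None
    token = secrets.token_urlsafe(32)
    reset_tokens[hashlib.sha256(token.encode()).digest()] = (tag, now + TOKEN_TTL)
    return token

def complete_reset(token: str, new_password: str, now: float) -> bool:
    """Consume the token (single use); reject unknown or expired ones."""
    entry = reset_tokens.pop(hashlib.sha256(token.encode()).digest(), None)
    if entry is None or now > entry[1]:
        return False
    salt = os.urandom(16)
    users[entry[0]] = {"pw_hash": _pw_hash(new_password, salt), "salt": salt}
    return True
```

The HMAC of an address is still pseudonymous data under most privacy regimes, and the plaintext address passes through your mail provider while the reset is in flight, so this reduces what sits at rest rather than bringing PII to zero.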

  • CannotSleep420 (OP) · 3 upvotes · 3 years ago

    Your approach seems like a good one. I looked into SQRL and while it’s fast and secure, it seems obscure, and asking a user to set up a type of login credential that they’ll use for multiple sites for the rest of their lives seems like a pretty big commitment that I don’t want to have to put my users through.