by jblox 900 days ago
It uses Passkeys to secure a user's account (https://fidoalliance.org/passkeys/).

Passkeys use public key cryptography, so in this case we have a private key that remains securely on the user's device, and a public key that's stored on the server. Most modern devices are able to secure the passkey using biometrics, but users can also choose to use a password manager that supports passkeys.

1 comment

Seems pretty cool, what about user data then? How do you assign a key to a user?
The only user data required right now is either an email or mobile number, which gets verified using a code that gets sent to the email or mobile number used. The working assumption is that any consumer of this would use it alongside their own database, so there's probably no need to store anything other than the email/mobile (or username in WebAuthn terminology; this doesn't technically need to be an email or mobile, but I chose to do this so I could add a verification step to help prevent abuse of the system).

The passkey is created by the user's device and then the public key part of it is sent to the server during user registration.