The only user data required right now is either an email address or a mobile number, which is verified using a code sent to that address or number. The working assumption is that any consumer of this would use it alongside their own database, so there's probably no need to store anything other than the email/mobile. (In WebAuthn terminology this is the username. It doesn't technically need to be an email or mobile, but I chose this so I could add a verification step to help prevent abuse of the system.)
The passkey is created by the user's device and then the public key part of it is sent to the server during user registration.
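The registration step described above, sketched from the server's side as an added example (not code from this project): it builds creation options with the verified email or mobile as the WebAuthn username, then checks the returned clientDataJSON before a public key would be stored. The relying-party ID, origin and function names are assumptions, the sample client data is constructed, and parsing of the attestation object is left out.

```python
import base64
import json
import secrets

RP_ID = "example.com"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://example.com"  # assumed origin of the registration page

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def registration_options(verified_contact: str) -> dict:
    """Creation options for a contact that has already passed code verification."""
    return {
        "challenge": b64url(secrets.token_bytes(32)),  # single use, remembered server-side
        "rp": {"id": RP_ID, "name": "Example RP"},
        "user": {
            "id": b64url(secrets.token_bytes(16)),  # opaque handle, not the contact itself
            "name": verified_contact,               # the WebAuthn "username"
            "displayName": verified_contact,
        },
        # ES256 and RS256, identified by their COSE algorithm numbers
        "pubKeyCredParams": [{"type": "public-key", "alg": -7},
                             {"type": "public-key", "alg": -257}],
    }

def check_client_data(client_data_b64: str, expected_challenge: str) -> str:
    """Return "ok", or the reason the registration response must be rejected."""
    try:
        data = json.loads(b64url_decode(client_data_b64))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return "malformed clientDataJSON"
    if not isinstance(data, dict):
        return "malformed clientDataJSON"
    if data.get("type") != "webauthn.create":
        return "wrong type"
    if data.get("challenge") != expected_challenge:
        return "challenge mismatch"
    if data.get("origin") != EXPECTED_ORIGIN:
        return "origin mismatch"
    return "ok"

def sample_client_data(challenge, origin=EXPECTED_ORIGIN, type_="webauthn.create"):
    """Constructed stand-in for the clientDataJSON a browser would return."""
    body = {"type": type_, "challenge": challenge, "origin": origin}
    return b64url(json.dumps(body).encode())
```

Only when `check_client_data` returns "ok" should the server go on to parse the attestation object and store the credential ID and public key against the verified contact.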