kentbull commented on Email addresses are not good 'permanent' identifiers for accounts   utcc.utoronto.ca/~cks/spa... · Posted by u/throw0101b
buro9 · 2 years ago
There is no good identity.

Emails change, people lose access to old emails.

People dislike usernames, they want to be able to choose non-unique ones rather than end up with user53267 or something inane.

People lose devices, just storing a secret UUID in their cookie, or using a passkey from their device isn't going to work.

There is no ideal solution except to blend a variety of things together, for some people email is pretty stable for a long time and they like it as the identity, for others their usernames are stable and they prefer that as the identity... though I know of no-one that has had the same primary device for more than years (not decades) so perhaps that one will never work.

I do think this is important though, where it comes up a lot is a work email account, a first.last@company.com, and how all of the vendor software utilises "Sign in with Google", and it's the email address they then store in the vendor app as the identifier...

People get married, people get divorced, people transition, people move culture and choose new names... names change, and so do email addresses.

Perhaps OIDC and the like need a new extension: a standard API to change a username, and a standard API to change an email address.

kentbull · 2 years ago
Have you heard of key event receipt infrastructure (KERI)?

It solves the identity problem with decentralized identifiers, though the secret sauce is the fractionally weighted multisig for enabling multi-device signing and account recovery with key rotation.

See the specification for more details: https://www.ietf.org/id/draft-ssmith-keri-00.html

Or the whitepaper: https://github.com/SmithSamuelM/Papers/blob/master/whitepape...
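The fractionally weighted multisig mentioned in the comment above, sketched as an added example that is not part of the original thread and is not KERI project code. It assumes the weighted-threshold semantics of the KERI draft (each clause is a list of fractional weights, a clause is met when the signing keys' weights sum to at least 1, and all clauses must be met); the function name, device labels and weights are constructed for illustration.

```python
from fractions import Fraction

def satisfies(threshold, signed):
    """True if the key indices in `signed` meet a weighted threshold.

    threshold: list of clauses; each clause is a list of fraction strings,
    one weight per key, with keys numbered in order across clauses.
    Every clause must collect signed weight >= 1 (clauses are ANDed).
    """
    if not threshold:
        raise ValueError("threshold needs at least one clause")
    signed = set(signed)
    total_keys = sum(len(clause) for clause in threshold)
    if any(i < 0 or i >= total_keys for i in signed):
        raise ValueError("signature index outside the key list")
    offset = 0
    for clause in threshold:
        # Exact rational arithmetic: float sums of 1/3 + 1/3 + 1/3 can miss 1.
        weights = [Fraction(w) for w in clause]
        if any(w <= 0 or w > 1 for w in weights) or sum(weights) < 1:
            raise ValueError("clause is malformed or can never be satisfied")
        got = sum((w for i, w in enumerate(weights, offset) if i in signed),
                  Fraction(0))
        if got < 1:
            return False
        offset += len(clause)
    return True

# Constructed key list: 0 laptop, 1 phone, 2 tablet, 3 paper backup.
DEVICES = [["1/2", "1/2", "1/4", "1/4"]]
# Constructed variant: keys 4 and 5 belong to recovery custodians, and the
# second clause requires one of them in addition to the device quorum.
WITH_CUSTODIAN = [["1/2", "1/2", "1/4", "1/4"], ["1", "1"]]

if __name__ == "__main__":
    print("laptop + phone:", satisfies(DEVICES, [0, 1]))
    print("phone lost, laptop + tablet + backup:", satisfies(DEVICES, [0, 2, 3]))
    print("stolen laptop alone:", satisfies(DEVICES, [0]))
    print("devices without custodian:", satisfies(WITH_CUSTODIAN, [0, 1]))
    print("devices plus custodian:", satisfies(WITH_CUSTODIAN, [0, 1, 4]))
```

With these weights a single lost or stolen device can neither sign for the identifier nor block the remaining devices from reaching the threshold.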
