Hi,
is it possible to do authentication without a username or email?
I would like to give my users an unlock code through some other channel. The unlock code should be kept secret and treated as a credential, so I cannot use it in place of a username, i.e. it should be subject to things like constant-time comparison in database lookups.
The user can choose a password.
Also the user is given a randomly created recovery key.
Essentially this is now a user without an identifier except for three password-like credentials: unlock code, password and recovery key.
So Keycloak would somehow have to look up the user by using two of the three credentials (the password alone would not be enough, as multiple users might use the same password).
The background to this is the German DiGA regulations, which prohibit the use of personally identifiable information like usernames or emails.
I am new to keycloak, but I hope to be able to use it instead of having to implement this protocol by myself.
Thanks for your help.
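The scheme the question describes, as an added example that is not part of the original post and not Keycloak code: a user has no identifier, only three secrets, and the store locates the account by a deterministic hash of the high-entropy unlock code, then verifies the password (or the recovery key) with a constant-time comparison. The in-memory dicts stand in for the database table (the SHA-256 of the unlock code is the indexed column), and the token lengths and PBKDF2 iteration count are example values, not recommendations from the post.

```python
import hashlib
import hmac
import secrets

# Example parameters (assumptions, not from the original post).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16

# A dummy record used to spend the same password-hashing cost when the
# unlock code is unknown, so response time does not reveal whether a code exists.
_DUMMY_SALT = secrets.token_bytes(SALT_BYTES)
_DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", b"dummy", _DUMMY_SALT, PBKDF2_ITERATIONS)


def lookup_key(secret: str) -> bytes:
    """Deterministic index key for a random, high-entropy secret.

    A plain hash is acceptable here only because unlock codes and recovery
    keys are generated with a CSPRNG; the hash never reveals the secret and the
    database never stores the secret itself.
    """
    return hashlib.sha256(secret.encode("utf-8")).digest()


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash for the low-entropy, user-chosen password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class Account:
    """What is stored: no username, no email, only hashed credentials."""

    def __init__(self, pw_salt: bytes, pw_hash: bytes, recovery_hash: bytes) -> None:
        self.pw_salt = pw_salt
        self.pw_hash = pw_hash
        self.recovery_hash = recovery_hash


class CredentialStore:
    def __init__(self) -> None:
        # Stand-in for a table indexed by sha256(unlock_code).
        self._by_unlock: dict[bytes, Account] = {}

    def register(self, password: str):
        """Create an account; returns (unlock_code, recovery_key) to hand to the user."""
        unlock_code = secrets.token_urlsafe(24)
        recovery_key = secrets.token_urlsafe(32)
        salt = secrets.token_bytes(SALT_BYTES)
        account = Account(salt, hash_password(password, salt), lookup_key(recovery_key))
        self._by_unlock[lookup_key(unlock_code)] = account
        return unlock_code, recovery_key

    def authenticate(self, unlock_code: str, password: str) -> bool:
        """Two of three credentials: the unlock code selects the row, the password proves it."""
        account = self._by_unlock.get(lookup_key(unlock_code))
        if account is None:
            # Unknown code: still run PBKDF2 so the caller cannot time-probe for valid codes.
            hmac.compare_digest(hash_password(password, _DUMMY_SALT), _DUMMY_HASH)
            return False
        return hmac.compare_digest(hash_password(password, account.pw_salt), account.pw_hash)

    def recover(self, unlock_code: str, recovery_key: str, new_password: str):
        """Unlock code plus recovery key resets the password and rotates the recovery key.

        Returns the new recovery key, or None if either credential is wrong.
        """
        account = self._by_unlock.get(lookup_key(unlock_code))
        if account is None:
            # Compare against the dummy so a missing row costs the same as a wrong key.
            hmac.compare_digest(lookup_key(recovery_key), _DUMMY_HASH)
            return None
        if not hmac.compare_digest(lookup_key(recovery_key), account.recovery_hash):
            return None
        account.pw_salt = secrets.token_bytes(SALT_BYTES)
        account.pw_hash = hash_password(new_password, account.pw_salt)
        new_recovery_key = secrets.token_urlsafe(32)
        account.recovery_hash = lookup_key(new_recovery_key)
        return new_recovery_key


if __name__ == "__main__":
    store = CredentialStore()
    code, key = store.register("correct horse battery staple")
    print("login ok:", store.authenticate(code, "correct horse battery staple"))
    print("wrong password:", store.authenticate(code, "guess"))
    print("rotated recovery key:", store.recover(code, key, "new password") is not None)
```

The point a practitioner should take from this is that the database lookup itself cannot be constant-time; what makes the scheme safe is that the indexed value is a hash of a secret the attacker cannot enumerate, and that everything after the lookup (password check, recovery-key check, the miss path) takes the same time and uses `hmac.compare_digest`. The same split, a hash-indexed lookup followed by a constant-time verification, is what a custom Keycloak authenticator would have to implement, since Keycloak's stock forms assume a username or email as the lookup field.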