Knowless - Small, opinionated, full-stack passwordless auth

scrawny-crawdad · //product-release tools · 14d ago · 0 replies

Just shipped knowless — a different answer to "how do you log people in."

The honest truth about most data breaches: the password isn't the real problem. The problem is everything that leaks alongside the password. Full name. Email. Phone. Recovery email. Preferences. Profile fields you forgot you collected. The cleanup email reads "your password may have been exposed," but what was actually exposed is your customers' identity.

knowless flips it: don't collect any of that to begin with.

Email comes in to receive a sign-in link. Email goes out as a sign-in link. The address itself is scrambled into an opaque tag the moment it arrives, then discarded. The database literally does not contain anyone's email. A breach reveals random-looking strings that match nothing, anywhere.

Two ways to use it:

• "Sign in, then do the thing" — a normal login.
• "Do the thing, confirm by email" — drop a pin, post a comment, share a link without an account, and the email confirmation creates the account in the background.

Both are one library. Pick whichever fits the moment.

If you want to talk to your customers, do it in the app. If you want them to receive a marketing email, knowless is the wrong tool — by design. There is no "send a welcome message" button to accidentally press. There is no survey integration. There is no birthday email. There is the sign-in link and nothing else.

The pitch to anyone building anything: most services don't need to be a nuclear vault for identity. Eight ways to log in to the same account — password + 2FA app + SMS backup + recovery email + social login + WebAuthn + magic link + OAuth — exist because the industry decided every account is precious. For most apps, it isn't. The cost of that vault is the breach risk you're now afraid of.

First customer ripped out 33× the amount of auth code they were maintaining and replaced it with one library call. They store no identity now. If they get breached tomorrow, the news headline is "some hashes leaked" — not "20,000 customer profiles exposed."

Open source. Apache 2.0. Walks away at version 1.0 — done is a feature. Especially for security infrastructure.

https://github.com/hamr0/kn...github.com
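
The storage model described in the post, sketched as an added example; it is not part of the original post and not knowless's own code. It assumes the "opaque tag" is an HMAC-SHA256 of the normalized address under a server-side key (an unkeyed hash of an email can be recomputed by anyone holding a list of addresses), and the names `SERVER_KEY`, `LINK_TTL`, `handle_for` and `Store` are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions for this sketch: a per-deployment secret kept outside the
# database, and a 15-minute lifetime for each sign-in link.
SERVER_KEY = secrets.token_bytes(32)
LINK_TTL = 15 * 60


def handle_for(email: str) -> str:
    """Keyed hash of the normalized address; the address is never stored."""
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(SERVER_KEY, normalized, hashlib.sha256).hexdigest()


class Store:
    """Stand-in for the database: it holds handles and token digests only."""

    def __init__(self):
        self.pending = {}      # token digest -> (handle, expiry timestamp)
        self.accounts = set()  # handles of confirmed accounts

    def start_sign_in(self, email, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (handle_for(email), now + LINK_TTL)
        # The caller puts the token in the emailed link, then drops the address.
        return token

    def finish_sign_in(self, token, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # single use: removed on lookup
        if entry is None or now > entry[1]:
            return None
        handle, _expiry = entry
        self.accounts.add(handle)  # first confirmation creates the account
        return handle
```

A database dump from this sketch contains only HMAC outputs and SHA-256 digests of one-time tokens; linking a handle back to an address requires both a candidate address and `SERVER_KEY`.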
