I'm building a web-based app centered around security, privacy, and anonymity. One of the key principles of the app is that users can store sensitive data anonymously.
As a result, I expect to outsource system authentication entirely, preferably using OAuth or OpenID.
Is this even possible? I'd like to avoid storing email addresses or any other kind of user-identifying information on my side.
A friend of mine was working on this a few years ago. His idea was to hash an email address and a thumb or fingerprint into a unique image (biometric data is just a stream of bits, and in theory a fairly unique one compared to a human-input password like "123456").
That image could then be stored on that person's devices using their own password or BitLocker, or even printed out and locked away physically. The image would be the key when shown to a webcam or uploaded, sort of a reversal of QR codes.
Of course, the image creation would be the potential tracking point. But if that was done entirely in memory or with a free and widely distributed key generation tool, then you would probably have some legal protection from being compelled to reveal original users' data or identities. (This all glosses over the need for wide use of biometric scanners and secure connections all around.)
Edit:
Biometric data streams are slightly different each time they're taken. There is no "password recovery" if you hash a stream like this as-is; it will likely never be the same. Most dimensionality reduction would make it far less secure, and might still leave a chance that it couldn't be reproduced.
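The point made in the edit above can be seen numerically. The following is an added example (not code from the question or the answer): it implements the answer's proposed derivation, a single hash over an email address and the raw biometric bits, then simulates a second capture of the same biometric that differs in only a few bits (a constructed noise model, not a real sensor) and compares the two derived keys. The template bytes and the bit-flip count are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import random


def derive_key(email: str, biometric_bits: bytes) -> bytes:
    """Answer's proposed scheme: one SHA-256 over email and the raw biometric sample."""
    h = hashlib.sha256()
    h.update(email.encode("utf-8"))
    h.update(b"\x00")  # separator so (email, bits) pairs cannot be re-split ambiguously
    h.update(biometric_bits)
    return h.digest()


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def simulate_recapture(template: bytes, flipped_bits: int, rng_seed: int) -> bytes:
    """Constructed noise model: re-reading a biometric flips a few random bit positions."""
    rng = random.Random(rng_seed)
    positions = rng.sample(range(len(template) * 8), flipped_bits)  # distinct positions
    out = bytearray(template)
    for p in positions:
        out[p // 8] ^= 1 << (p % 8)
    return bytes(out)


def compare_captures(email: str, template: bytes, flipped_bits: int = 3, seed: int = 1) -> dict:
    """Derive a key from the enrolled template and from a noisy recapture; report distances."""
    recapture = simulate_recapture(template, flipped_bits, seed)
    enrolled_key = derive_key(email, template)
    recaptured_key = derive_key(email, recapture)
    return {
        "raw_distance_bits": hamming_distance(template, recapture),  # small: samples are close
        "key_distance_bits": hamming_distance(enrolled_key, recaptured_key),  # ~half of 256
        "keys_match": hmac.compare_digest(enrolled_key, recaptured_key),
    }


if __name__ == "__main__":
    # Constructed 512-bit "template"; a real sensor would produce far noisier data.
    sample_template = bytes(range(64))
    print(compare_captures("user@example.invalid", sample_template))
```

The raw captures differ in only three of 512 bits, yet the derived keys differ in roughly half of their 256 bits and never match: a cryptographic hash removes any notion of "close enough". Any tolerance for sensor noise therefore has to be applied before hashing, which is exactly the step the answer notes weakens the scheme, since whatever the pre-hash matcher accepts becomes the effective key space.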