Any reason Uuid is required for user IDs?

[laurikari]

I'm looking to add passkeys to a system that doesn't have UUIDs for users. Instead, a shorter random string with a wider vocabulary is used.

Am I understanding it correctly that webauthn-rs takes the opinion that users must have a Uuid, and that's it?

[Firstyear]

Correct. You can however do "uuid from bytes" if you have some other form of smaller unique binary unique id.

The reason we enforce uuids, is that there are "one too many developers" who don't realise the permanence of the field and that it can never be changed. As a result embedding PII is a huge issue, and even despite warnings people still did it. We took a strongly opinionated view and we want to force good behaviour here which is why we enforced UUID.