If authentication and identity are new to you, please read this page. I'll be pulling quotes from it and talking about them.
First, let's talk about identity. From the Okta link above, "It is necessary to provide personal information to identify a person and then verify this identity." This is patently false. For any digital platform, who you are in the real world and who you are on that platform need not be the same. Sure, there are contexts like banking where you need to tie the two together, but in general the only identity that matters to the digital platform is whether it can tell that you are who you used to be, and to do that it need not know any personal data about you at all. Let's call this property of a digital platform account continuity.
Second is authentication. Again from the Okta link, "Authentication...is initiated to match a user with previously provided information to ensure that they are indeed the person they claim to be." In a simple implementation of this authentication, a user supplies an email and password at account creation, is granted a session for authenticating calls during that app session, and then enters their email and password at a later time to start a new session. Let's call that account recovery.
In pretty much all authentication and identity systems, these three things (account creation, account continuity, and account recovery) are tightly coupled. In Sessionless, these three things can be separated. Account creation can happen without any user data whatsoever, and account continuity can be provided with signed API calls instead of stored sessions or JWTs. Account recovery is currently unimplemented in Sessionless, but very doable. Simply add whatever account verification method you want to your app: social sign-in, magic links, SMS codes, private key cold storage, backup codes, heck, even passwords if you want. But what's interesting is that you don't have to add that at account creation, so you can have a user add their backup method more organically as they learn to use your app, lowering the barrier to entry.
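The separation described above, as an added example (not Sessionless's own code or API): an account is created from a public key alone, and each API call is checked by its signature rather than by a stored session. Ed25519, the request fields, the 30-second freshness window and every function name here are assumptions chosen for illustration.

```javascript
// Added illustration, not Sessionless's own code or API. Ed25519, the field
// names and the freshness window are assumptions.
const crypto = require('node:crypto');

const accounts = new Map(); // accountId -> public key PEM; no email, no password
const MAX_SKEW_MS = 30000;  // freshness window; narrows replay, a nonce cache would close it

// Account creation: the server stores a public key and nothing else.
function createAccount(publicKeyPem) {
  const id = crypto.createHash('sha256').update(publicKeyPem).digest('hex').slice(0, 16);
  accounts.set(id, publicKeyPem);
  return id;
}

// Unambiguous encoding of every field the signature must cover.
function canonical(r) {
  return Buffer.from(JSON.stringify([r.accountId, r.method, r.path, r.timestamp, r.body]));
}

// Client: sign each call with the private key that never leaves the device.
function signRequest(privateKey, accountId, method, path, body, now = Date.now()) {
  const req = { accountId, method, path, body, timestamp: now };
  req.signature = crypto.sign(null, canonical(req), privateKey).toString('base64');
  return req;
}

// Server: account continuity means the signature verifies under the stored key.
function verifyRequest(req, now = Date.now()) {
  const pem = accounts.get(req.accountId);
  if (!pem) return 'unknown-account';
  if (Math.abs(now - req.timestamp) > MAX_SKEW_MS) return 'stale';
  const sig = Buffer.from(String(req.signature), 'base64');
  return crypto.verify(null, canonical(req), pem, sig) ? 'ok' : 'bad-signature';
}

// Constructed sample traffic: one valid call, then tampered, stale and unknown ones.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const id = createAccount(publicKey.export({ type: 'spki', format: 'pem' }));
  const req = signRequest(privateKey, id, 'POST', '/notes', '{"text":"hi"}', 1000000);
  return {
    valid: verifyRequest(req, 1000500),
    tampered: verifyRequest({ ...req, body: '{"text":"changed"}' }, 1000500),
    stale: verifyRequest(req, 1060001),
    unknown: verifyRequest({ ...req, accountId: 'nope' }, 1000500),
  };
}

console.log(demo());
```

The server-side map holds nothing that identifies a person, so a recovery method can be attached to the account record later without changing how requests are verified.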
But isn't account recovery essential? Well, is it? I have hundreds of passwords saved in my password manager to websites and apps I'll never go to again. The few times I have tried to go back to something years later, I've often just started over with a new email rather than go through a painful forgot-password flow. The thing is that, in our current world, account recovery is rare. We no longer have to log in every time we open our browser, and with apps we often just stay perpetually logged in. Obviously, if you do need recovery, you need it before the user needs it, but you can build it in as something added once there's a reason to add it, rather than causing friction with onboarding up front.