Atproto accepts 2 forms of did did:web (their own special snowflake identity system with trusted servers managing it so its not trustless) and did:pgp which is just pgp keys. Any identity system requires a source of truth in a cryptographic system that’s the private key generated from a seed phrase (essentially same as a password) the source of truth is ur memory. The other source of proof is biometrics. Any system must come down to one of those 2 things.