have you considered that the user could decline to identify and auth with one shot keys?