That’s a very good point and indeed it is a potential attack vector.
I’ll have to think about that. Perhaps I can get away with not tying the passport hash to a particular user.