OK, you mix two different things.
Authentication: Either provide the users with a username and password or, better, have them generate a key pair and send you the public key. Then create a new username and register the public key with the username. Then they can log in with the private key. There are other options, obviously.
See also https://winscp.net/eng/docs/guide_public_key
Server Fingerprint: In SSH/SFTP, the client/user has to verify the server key. In GUI clients, you usually get a confirmation box on the first connection, which gets cached somewhere after being confirmed. When using an API, you have to specify a fingerprint of a trusted host key for every connection. In WinSCP .NET assembly, the