• Ulrich@feddit.org
    3 months ago

    It’s all of the above at once. It’s hard to think of another identifier that hits them all.

    I already gave you one. The username.

    It’s not a communication method outside of the platform it’s on.

    Why is that necessary?

    It looks like your complaint is as a user, not the service owner?

    My complaint, as someone who hosts a variety of services, is that setting up an email server is ridiculously complicated, costs money, and is completely unnecessary.

    Recently Ghost updated their software to add 2FA for email. Not TOTP or Passkeys, or anything actually secure, those are still unavailable. After updating I was completely locked out of my own account because it was trying to verify my login using a system that doesn’t exist on my install. It was a super annoying and completely unnecessary problem I had to deal with.

    I wouldn’t run a project like that, but feel free to start one up.

    Great, I’ll just go ahead and fork every open source project in existence on my own to remove this feature using the software engineering degree and the time I don’t have.

    • MagicShel@lemmy.zip
      3 months ago

      Then you’re just going to be at the mercy of the people that do maintain these things. I realize maybe my response was taken as disagreement or argument but it really wasn’t meant that way.

      As a product owner I’d want a way to contact or validate a user for customer service or service management reasons. Self service password reset, etc.

      But I’m interested in anonymity and if there were another good solution I’d be all ears. I’m not trying to defend email, just curious what mechanism could take its place. Some sort of cryptographic signature might work, though I would have to think carefully about no separate communication/confirmation channel. I could see offering someone to use any identity of their choosing which would allow them as much anonymity and freedom of choice as they wanted. It’s an interesting challenge.

      • Ulrich@feddit.org
        3 months ago

        Then you’re just going to be at the mercy of the people that do run these things

        I wasn’t asking for a way around them, I’m asking why they exist and suggesting we collectively move on from them.

        I realize maybe my response was taken as disagreement

        I didn’t take it as a disagreement, I took it as a dismissal. Rather than discussing why it’s necessary or whether it should be removed, you suggest that I create my own alternative.

        As a product owner I’d want a way to contact

        You can. We’ve already been over this. Send them a message on the platform.

        or validate a user

        How is an email address validation? I can spin one up in 3 seconds.

        Self service password reset

        You’re just creating a security vulnerability.

        I’m not trying to defend email, just curious what mechanism could take its place.

        Again, I already explained this.

        Some platforms only require a username and a passkey (not even a password). That is ideal, in my opinion.

        Email is also used to track user activity across the web, and while you know whether or not you will be tracking, collecting, and selling my activity, I don’t. Removing email eliminates that concern.

        Some sort of cryptographic signature might work

        That’s called a Passkey.

        though I would have to think carefully about no separate communication/confirmation channel

        Again I ask, why? What is this fixation on multiple communication methods? Maybe as the user I don’t want you to have other ways of contacting me?

        If you really need it there are hundreds of alternatives.