Thirdly, we live in 2024, the era of passkeys, TOTP, U2F; these are the authentication methods a modern service should strive for.
What I propose is to choose from the following:
- at the very least, drop the e-mail confirmation requirement from all instances; it's up to the instance admin whether they trust their users putting their addresses in their profiles, and they could also rely on stronger methods such as invitation keys or admin-approved registrations
- a medium option: replace e-mail with a UUID or whatever unique user identifier as the key in the database, allowing users to log in with e-mails but also alphanumeric logins or passkeys, or others
- future-proof: make a step towards passwordless authentication, employ passkeys as the default authentication method, treat existing schemes as legacy ones or at least plan their rampdown time estimate
Motivation
Instance admins would have their lives easier during deployment. Instance operations costs would save on mailing service. Users wouldn't be at risk of personal data leakage, nor spam, nor account theft. The whole community would be less dependent on Google's spam filters, at the very least.
Besides, it's not just my request; the trend for authentication methods is already set. It's only a matter of like 10 years before nobody prudent will even visit sites that use e-mails for authentication.
Or use an IDM such as Keycloak and connect via OIDC. Keycloak usually also sends notifications via e-mail, but you could also configure it to use 2FA instead.
Pitch
Requiring a working SMTP server significantly increases deployment cost and complexity.
There are also a number of reasons why e-mail should not be an identifier, especially in distributed networks: https://spaces.at.internet2.edu/display/federation/why-is-email-not-an-appropriate-user-identifier