Ask HN: Privacy-aware cheap Account Management Solution
2 points by gdcbe on July 18, 2022 | 1 comment
On the side, next to work and kids, I am working on a company of my wife and myself, where we develop software of all kinds. While privacy is not our core business we do want to make sure that our customers are never the product and that we store only the data that we need to store. Also for hosting we try to be careful on how we do so. We also do not do any tracking on our end for anything and we only ask info we really need (which is pretty much nothing).

For the most part that is all well. But the only thing I am struggling with is how to allow people to register accounts and manage it. The simplest way would be to just do it purely based on a username and password (with or without 2FA), but that would not allow account recovery for your average non-technical person.

The next obvious path would be to instead go for (1) OAuth or something similar or (2) email.

(1) is not really a preferred solution as it would mean I need to integrate potential tracking software in our applications/platforms + it would mean that on the end of their social accounts they are aware of the platforms of ours they use.

(2) could have been nice if it wasn't for the madness that emails are. We can for example not simply host our own mail server without jumping through a lot of hoops and even then hoping to not get caught by some zealous spam filter.

I do not know however any solution besides these. It's a problem that I face for all our platforms and apps. How to allow users to register and recover accounts, without doing it in the more obvious non-privacy-aware solutions? For now I think that email might be the easiest, but I don't have experience with any such service that would allow us to do it for an affordable price, given we are still paying everything out of our own pockets for now...

For technical users there are very nice solutions, such as letting them store their own private key of some key pair, just to give an example. But I know that for the average user we do probably need to manage a solution for them somehow.

The reason they need an account is for example if the app allows to do cloud syncing, or purchase something, or on another platform if you want to actually submit content yourself. Each app/platform will have their own accounts, but I face the problem for all our (future / potential) problems.

A side question is also: if we use a payment provider such as Stripe, do these allow us to accept payments via their API without us having to store any credit card info of some kind? As that would be pretty excellent and save us a lot of trouble there too.

---

And yes I am aware that there will always be tracking anyway (logs from hosting, even though Hetzner is pretty basic in that regard AFAIK) as well as network / telecom providers, etc... But that being said, everything we can control I do like to keep that surface as limited or non-existent as possible.

Thanks! And thank you in general for building / maintaining this awesome community, it has been a great help so far in my last decade or so :) Even though I am mostly a lurker I must admit. On a funny related note this is also my third account or so, as for the first 2 I didn't register an email myself, so I do know the problem first hand as well.



While not the most privacy aware solution, I might end up going for AWS, hosting the service on EC2, which would allow me to use their SES service for free with 60k emails / month which is probably way more than I ever need. At that point I imagine there is enough money made that any commercial solution becomes a viable option.

Nonetheless, if one day an email-less solution for non-technical people becomes an option I would love to use it.

I am also going to look into Passkeys, which might also be a solution. e.g. Apple's https://developer.apple.com/passkeys/

WebAuthn (https://developer.mozilla.org/en-US/docs/Web/API/Web_Authent...) and FIDO (2?) are other things I'm going to look into.



