[mark242]

Because the alternative is pretty provably worse for you, and for them.

* You have to save your (hopefully unique!) email/password in a password manager which is effectively contradictory to your "I won't use a cloud service" argument.

* The company needs to build out a whole email/password authentication flow, including forgetting your password, resetting your password, hints, rate limiting, etc etc, all things that Google/Apple have entire dedicated engineering teams tackling; alternatively, there are solid drop-in OAuth libraries for every major language out there.

* Most people do not want to manage passwords and so take the absolute lazy route of reusing their passwords across all kinds of services. This winds up with breached accounts because Joe Smith decided to use his LinkedIn email/password on Midjourney.

* People have multiple email addresses and as a result wind up forgetting which email address/password they used for a given site.

Auth is the number one customer service problem on almost any service out there. When you look at the sheer number of tickets, auth failures and handholding always dominate time spent helping customers, and it isn't close. If Midjourney alienates 1 potential customer out of 100, but the other 99 have an easier sign-in experience and don't have to worry about any of the above, that is an absolute win.

[kxrm]

All very thoughtful arguments but I think this solution to these problems is flawed. I don't believe we should be solving authentication management problems by handing over all authentication capabilities and responsibilities to one or two mega companies.

Especially since those companies can wield this enormous power by removing my access to this service because I may or may not have violated a policy unrelated to this service.

There has to be a better way.

[mindcandy]

While we are all waiting for the world to sort these problems out, companies that are not interested in solving them for the world will continue to use SSO techniques.

I’m very not impressed by this deep, extended critique of machine learning researchers using common security best practices on the grounds that those practices involve an imperfect user experience for those requiring perfect anonymity…

[fragmede]

there's web3, where users have a private key and the public key is on a cryptocurrency chain, but adoption there has been slow. there's also a number of problems with that approach, but that's the other option on the table.

I want to believe, but sadly there's no market for it. unless someone wants to start a privacy minded alternative to auth0, and figure out a business model that works , which is to say, are you willing to pay for this better way? are there enough other people willing to pay a company for privacy to make it a lucrative worthwhile business? because users are trained to think that software should be free-as-in-beer but unfortunately, developing software is expensive and those costs have to be recouped somehow. people say they want to pay, but revealed preferences are they don't.

[skybrian]

There is: passkeys and alternative password managers.

[marssaxman]

All of what you say may well be true, and yet: everyone else on the internet manages to make it work.

Password managers don't have to be cloud services. The user gets to choose.

Some of us like to use a different email address for each account on purpose.

[rurp]

You make it sound untenable to support email/password auth, but given that the vast majority of low tech and high tech online services manage it just fine, I think you might be exaggerating a bit. Since Midjourney is already outsourcing their auth flow, they could just as easily use a third party that supports the most common form of account creation.

[mikae1]

> People have multiple email addresses and as a result wind up forgetting which email address/password they used for a given site.

Effectively you mean that people have multiple Google accounts?