Recently I was locked out of my own Ghost blog platform because they decided they were going to add Email 2FA. I also cannot add any other authors because that requires email verification.
Today I was looking at installing Bonfire and came across this:
Bonfire requires working email for user signups, password resets, and notifications. Most installations will need email configuration before the instance is usable.
Setting up email is a pain in the ass, costs money, is dependent on 3rd parties, violates privacy, and is just completely unnecessary. Why wouldn’t you give users the option to not use it? It’s infuriating!
Web push for notifications. Sure, there’s privacy implications, but it’s already near universal. There’s other options like ntfy.sh if you’re not limited to existing infrastructure. UnifiedPush also works well as a protocol for push notifications.
Everything else can be handled in-app. Password reset will have to be done by an admin, though it’s completely doable for a small selfhosted service.
Some of the downsides OP listed may or may not always apply, but there are always downsides. Either you have to set up your own email server (with extra maintenance burden), or your “selfhosted” app suddenly relies on third party infrastructure, like your email provider (or those of other users on your instance).