Programmatically verify that someone owns a particular ETH address, without asking for his private keys

So i'm wrapping my head around this issue. I want to verify that a user of my app owns a particular ETH address. I found out that i could use web3 to make the "signature message flow". But as far as i understand, at some point the user needs to use his private keys to sign the message. I dont want to ask the user his private keys (obviously). How do i go about this? I thought about using something like Metamask to make the signature, but what if the user uses any other crypto-wallet to store his crypto? how do i go about this?