The problem is that it's not very easy to have 10s (or 100+) usernames and passwords in memory (or manage them on a password manager), track if any of them are leaked, etc.
From a usability perspective this is better. The question is trust and security.
Can you expand on this? Having been a user of multiple password managers over the years (LastPass previously, Bitwarden currently), this is exactly why I use a password manager. I have, at current count, 253 different logins/passwords all with different passwords (none of which I know) saved, and accessing them is automatic in my browser and a quick search (on first time use) on Android. After that it's automatic.
My use case is not normal. I keep using different computers, sometimes I work on a newly installed OS on a Raspberry Pi, etc. I did not find a secure web based password manager the last time I checked. (I am also a little scared of storing passwords encrypted on the cloud.) I am not sure if things like YubiKey are better for these use cases.
I agree that keeping different usernames and passwords in your memory is not easy, but to my mind this is exactly the use case for my password manager. I don't need to sign in with Google because it's just a couple of clicks to generate a username and a password I never need to remember, because my password manager does that for me.
I used to use sign in with Facebook/Google like the careless pleb I was until I discovered how privacy-invasive these corps are. I'm never signing in to any casual site without a Proton Mail address coupled with the Bitwarden password manager now.
The problem is I can't trust Google not to send me ads (sometimes right in my email) related to the services I'm signed in to.
I sleep much better these days with the above remedy.
I stopped using OAuth "Sign in with..." because I kept forgetting which provider I used for which website, and started recording it in my password manager. Realising how silly this was, I went back to my password manager with website-specific usernames and passwords.
Exact same issue here. I love the idea of it, but until there is a universal OAuth I will stop using it. I've also not deleted Facebook despite mostly wanting to, because I know it's my OAuth for many services and some make it very hard to change.
Not sure what you mean? A good password manager (like 1Password or the thing that comes with Apple) makes it easy to keep hundreds of usernames and passwords. They will track if you are using leaked credentials, as well.
Apart from $work, I've always opted for username, password, and 2nd factor over federated authentication. A password manager makes this very easy.
There are of course tools for that; password managers are ubiquitous in digital teams. But I also just loathe having so many accounts.
Even desktop software requires accounts these days. I tried to get started on a Unity project again and I spent an hour managing accounts for all the related software instead. Half my day is logging in and out of stuff.
Without something like U2F on the originating service, I could see this attack. Never thought about it, eeek.
Let's say you were Google and to "help" people, you were going to "login on their behalf" to "index and organize" their info. No need to obtain consent, just fake a login and scrape away.
The rest of us can replace the quoted words with 'exploit', 'hack', and 'sell their personal info on the market to the highest bidder', but when Google does it, it's ok.
They only require it if you already support other third-party authentication methods in the app. If you exclusively use your own authentication it is not required.
Sign in with Apple is pretty good: it doesn't ask you for a password, and you confirm with the power button/Face ID if I'm not mistaken. It's very hard to spoof.