[Users] Migrating account authentication from basic POP to OAuth2

Paul paul at claws-mail.org
Thu Dec 22 11:42:58 UTC 2022


On Wed, 21 Dec 2022 13:46:42 -0500
Jeffrey Walton <noloader at gmail.com> wrote: 

> What the security community found (through years of trial and error,
> and security usability studies), is that most users are in the group
> that is labeled as "not in their right mind." You have to design a
> system that works around the user's bad choices and bad behaviors.

Rather than a pragmatism leading to a grey/brown gruel for everyone, I was
focused on why "you have to". The security community is not looking at the
reasons for people's approach to security, or at changing their approach, but
instead accepting it as it is and attempting to deal with it. It is much
easier, of course, to look at things in isolation.

Anyway, that is a different thing entirely from the point I was making, which
is how those pushing oauth2 insinuate that oauth2 is somehow more secure than
username+password+TLS, by calling them "less secure" etc. Their aim, perhaps,
is to keep the blinkers on rather than empower through greater knowledge.
And, I would say, this does not bode well for the future. In fact, just look
at the last twenty years and we get a good idea of where this is all heading.

with regards

Paul

PS
Don't reply to me and the list address. You have to be subscribed to post,
therefore I will see your response when sent to the list address only.
