I personally favour the passport/OpenID idea, from a user experience point of view.
In contrast to the problem you've stated, if I were to exclusively use my Google account to log into websites, it becomes a single point of failure if the service was down, and if it were to be compromised.
> In contrast to the problem you've stated, if I were to exclusively use my Google account to log into websites, it becomes a single point of failure if the service was down, and if it were to be compromised.
Very true. Sadly there's no real right or wrong answer here; a single point of failure but a better secured portal, or a decentralised network with arguably less secured portals.
Personally I try to use a balance of both: Twitter passports for sites I don't trust and passwords for sites I do trust. But that's just my personal preference.
> Very true. Sadly there's no real right or wrong answer here; a single point of failure but a better secured portal, or a decentralised network with arguably less secured portals.
This is exactly right. And, as you mentioned above, there are more kinds of people out there than are present in this thread.
I have a password manager and generate a new random password per site, so I don't have any desire to use a single log-in for almost all sites. However, many (most?) people reuse a single password (or a handful of them), and until that changes, they're likely much better protected by having a single well-protected authentication point.
This is exactly what I've used the 402 code for. Some API routes are available to all users, but others require paid access. If a freemium user attempts to access API routes behind the "paywall" I return the 402 code.