by as300 1974 days ago
Correct me if I'm wrong but I've seen OAuth implementations that require you to be redirected to the site you're giving credentials for to finish the flow of authentication. Wouldn't this make it a lot easier to determine that you're being phished, if you have to go to a whole different web site that warns you that you are giving external parties access to your credentials?

Indeed, using OAuth everywhere would make the success of such an attack less likely. However, I feel strongly about not letting a single organization act as my identity provider. I don't like putting all eggs in the same basket.
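The redirect round-trip the thread is talking about, written out as a minimal relying-party side of the OAuth 2.0 authorization-code flow. This is an added example, not code from either commenter: the provider (`idp.example`), client id and redirect URI are constructed values. It shows the two properties that make the redirect useful against phishing and request forgery: the user is only ever sent to the provider's own origin to enter credentials, and the return trip is bound to the original request with a single-use `state` value.

```python
"""Minimal OAuth 2.0 authorization-code redirect round-trip (added example)."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed configuration for a hypothetical relying party ("app.example")
# and identity provider ("idp.example"); none of these come from the thread.
PROVIDER_AUTHORIZE_URL = "https://idp.example/oauth/authorize"
PROVIDER_HOST = "idp.example"
CLIENT_ID = "demo-client"
REDIRECT_URI = "https://app.example/callback"


def build_authorization_url(session: dict) -> str:
    """Build the URL the browser is redirected to.

    A fresh, unguessable `state` is stored in the user's session so the
    callback can later be tied back to this exact request.
    """
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": state,
    }
    url = PROVIDER_AUTHORIZE_URL + "?" + urlencode(params)
    # The point of the redirect: credentials are typed on the provider's
    # origin, never on the relying party. Refuse to send the user anywhere
    # else if the configured endpoint has been changed.
    target = urlparse(url)
    if target.scheme != "https" or target.hostname != PROVIDER_HOST:
        raise RuntimeError("authorization endpoint is not the expected provider")
    return url


def authorization_target(url: str) -> tuple:
    """Return (hostname, state) of an authorization URL, for logging or checks."""
    parsed = urlparse(url)
    return parsed.hostname, parse_qs(parsed.query).get("state", [""])[0]


def handle_callback(session: dict, callback_url: str) -> str:
    """Validate the redirect back from the provider and return the auth code.

    Raises ValueError when the callback lands somewhere other than the
    registered redirect URI, when `state` is missing or does not match the
    one stored for this session (a forged or replayed callback), or when the
    provider reported an error instead of issuing a code.
    """
    parsed = urlparse(callback_url)
    registered = urlparse(REDIRECT_URI)
    if (parsed.scheme, parsed.hostname, parsed.path) != (
        registered.scheme, registered.hostname, registered.path
    ):
        raise ValueError("callback did not arrive at the registered redirect URI")
    query = parse_qs(parsed.query)
    expected = session.pop("oauth_state", None)  # single use: consumed here
    received = query.get("state", [""])[0]
    if not expected or not secrets.compare_digest(expected, received):
        raise ValueError("state mismatch")
    if "error" in query:
        raise ValueError("provider returned error: " + query["error"][0])
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


if __name__ == "__main__":
    sess = {}
    url = build_authorization_url(sess)
    host, state = authorization_target(url)
    print("browser is sent to", host)
    # Simulated return leg with a constructed code value.
    back = "https://app.example/callback?code=abc123&state=" + state
    print("authorization code:", handle_callback(sess, back))
```

The session dict stands in for whatever server-side session store the application uses; the essential property is that `state` is generated per request, stored server-side, compared in constant time and consumed on first use, so a callback that was not preceded by a redirect from this application is rejected.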