Hacker News
by dan-k 5421 days ago
I actually would say it's relatively good as hacks go. It does a pretty good job of keeping the end goals in mind while dealing with some really tough obstacles. For one, it's browser agnostic, which makes the system much more manageable for all involved. In addition, it doesn't rely on people using the same copy of the same browser each time they sign in for any significant part of its functionality, and minimizes security risks if multiple people use the same browser. There's no way a browser-based solution could address any of those problems in the foreseeable future, if ever, and that not only would create huge headaches for developers, but would also alienate significant portions of users who still use public systems for at least some of their internet access.

Completely aside from that, I'm not sure I see why you think browser support would be so much better of a solution, aside from having a more uniform interface. Combating phishing is primarily an issue of being intelligent about what sites you give your information to. Any decent form-based authentication system will send the data in an encrypted form, which will be as secure as data encrypted by the browser's built-in authentication system. Just having the browser as a middleman doesn't help if your data gets sent to or intercepted by the wrong people, and Firefox, at least, already has a good system for warning users about malicious sites.

1 comment

Mainly, I hate the proliferation of passwords, and I hate typing those passwords in all the time. I'd rather consolidate those down into a handful of distinct purpose-specific identities that I have some ownership and control over.

Also, you wrote: "Just having the browser as a middleman doesn't help if your data gets sent to or intercepted by the wrong people".

Actually, having the browser more directly involved does help with this, because it can use strong authentication when negotiating a TLS session.

By "strong authentication", I mean the authentication protocol has security features which make it useful over an untrusted network in the presence of eavesdroppers or even active adversaries looking to pull off a man-in-the-middle attack.

Client certificates are a good example of this and are supported by today's browsers, but there are UX problems there.

It's not that the forms-based system doesn't work. I just think it could be a lot better.

Just consider how much easier it is today to stay in a "walled garden" social network than to be an active commenter on a large number of independent blogs.
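The property the reply is describing, as an added toy model that is not part of the thread: a form-posted password can be captured by a look-alike site and replayed to the real one, while a credential bound to the authenticated channel cannot. HMAC with a shared key stands in here for the client certificate's private-key signature, and the browser-verified server name plus a server nonce stands in for the TLS handshake transcript that a real CertificateVerify signs; all names and values are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample data.
PASSWORD = b"correct horse battery staple"
CLIENT_KEY = secrets.token_bytes(32)   # stand-in for the client cert's private key
SERVER_NAME = "bank.example"           # hostname the browser verified in the TLS handshake
PHISHER_NAME = "bank-example.test"     # look-alike host the user was lured to


def form_login(submitted_password: bytes, stored_password: bytes) -> bool:
    """Classic forms-based login: the server only checks that the secret matches."""
    return hmac.compare_digest(submitted_password, stored_password)


def channel_bound_response(key: bytes, server_name: str, nonce: bytes) -> bytes:
    """Client side: authenticate over (server identity the browser verified, fresh nonce)."""
    return hmac.new(key, server_name.encode() + nonce, hashlib.sha256).digest()


def verify_channel_bound(key: bytes, server_name: str, nonce: bytes, response: bytes) -> bool:
    """Server side: recompute over ITS OWN name and nonce, never the client's claim."""
    expected = channel_bound_response(key, server_name, nonce)
    return hmac.compare_digest(expected, response)


def honest_channel_bound() -> bool:
    """Client talks directly to the real server: binding matches, login succeeds."""
    nonce = secrets.token_bytes(16)
    response = channel_bound_response(CLIENT_KEY, SERVER_NAME, nonce)
    return verify_channel_bound(CLIENT_KEY, SERVER_NAME, nonce, response)


def relay_form_based() -> bool:
    """Phishing page captures the typed password and submits it to the real site."""
    captured = PASSWORD                        # what the user typed into the fake form
    return form_login(captured, PASSWORD)      # the real server cannot tell the difference


def relay_channel_bound() -> bool:
    """Relaying MITM forwards the real server's nonce and the client's response unchanged."""
    real_nonce = secrets.token_bytes(16)
    # The browser verified the phisher's certificate, so the response is bound to PHISHER_NAME.
    response = channel_bound_response(CLIENT_KEY, PHISHER_NAME, real_nonce)
    # The real server binds to its own name; the relayed response no longer verifies.
    return verify_channel_bound(CLIENT_KEY, SERVER_NAME, real_nonce, response)
```

The model deliberately omits certificate validation and key distribution; it only isolates the binding step that makes the relayed credential useless to the real server.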