[novok]

I'm not quite sure if even the corporate case works properly with iOS & Android devices as the article states, otherwise you could become a 'corporation of one' and side step all of this stuff. Even the corporations look like they have to use apple or google's crap for employee devices and accounts?

[jerf]

I mean in principle. If I throw my authentication material into a lake, there's an IT department that can have authorization to re-establish it. If I throw my personal authentication material into a lake, there's really nobody who can help me. I can try to convince a large company that I'm really me, but that is indistinguishable to them from a social engineering attempt, and dealing with that is high touch and expensive. I need to be able to back up my stuff. If the aforementioned "large company" is the one holding my authentication material and anything whatsoever bobbles it, then I'm back to trying to convince them I'm me.

A "corporation of one" is still just me, so I'm not talking about trying to technically hack around things by pretending to be a corporation.

When you see it this way it becomes really clear that Google, as a corporation, is an absolutely atrociously awful company to be the ones holding the keys to my identity. But there aren't any good, big, easy, safe options. I need to be able to self-service. Or we need to create much smaller, more local (in some sense, not necessarily geographical) holders of the auth material that I can convince I am me and they can reset it if something goes wrong. But that gets into a complicated web-of-trust and that's never worked out.