Re: The way I read this...
The problem is that *for me*, this mechanism is much weaker than the one I prefer (super spy though I am not). Sure, I can choose not to implement it on my own services. But the problem is that the services I use may try to force me to use it. I'm willing to go to literally any lengths in the service of refusal; I even enjoy it. That doesn't mean I prefer it to the right outcome. Forcing people to choose between using a weak and dangerous authn protocol and giving up useful services -- that we pay for! -- should not be considered desirable. If the people who refuse to use and protect strong passwords value so little the things those passwords protect, let them be victimised. Don't force the rest of us to subsidise their (still inadequate) safety by giving up our own.