What I don't understand is why OAuth is rarely talked about in a privacy context, even though your OAuth provider knows all the sites you log into and when.
It's a privacy nightmare.
Your OAuth provider can also vouch for anyone who pretends to be you, if they so desire. They can give access to anyone, including themselves.
Slight tangent.
The only way to preserve privacy while having a central and easy authentication mechanism I can think of is to use IndieAuth[0] which is built on top of OAuth 2.0.
Of course, you will need to be your own provider; using an IndieAuth provider service defeats the purpose, which is what I see most IndieWeb devs doing.
You will need to own a (sub)domain though.
"It's a privacy nightmare."
Privacy nightmare in the real world, "tech" company wet dream in SillyCon Valley.
I've done a bit of experimentation in this area. Check out https://lastlogin.net/.
You may also be interested in the FedCM protocol Google is working on.
Though given most people use Gmail or Outlook, the two main OAuth providers (Google and Microsoft) will know anyway.
It also makes authentication Not Your Problem. Getting someone else to handle password resets alone seems worth the squeeze.
Corporations aren't interested in preserving privacy, quite the opposite. If you need OAuth for private use you'd have to roll out your own centralised directory.
I wouldn't call it a nightmare. It's a well-documented design choice.
Centralised identity is basically the government... and having some other entity behave the same way is not good.
There are some emerging mechanisms for offline verification that don't require an AS in the OAuth WG. (I'm working on one of them.)
For enterprise, the ability to shut out a user with one click is the overriding security feature.
I don’t know why anyone wants to use a federated identity to sign into things. Where did the messaging that it’s more secure come from, Google?