
Basically a devil's advocate: I have a person in my family, a personal computer user since the 80s-90s, who still can't fully understand the concept of authentication realms, i.e. news.ycombinator.com.

From my observations, they would try to type in "the" username and password to "unlock" the system everywhere, and in the process realize that a special instruction applies, and jump to an ever-growing switch-case statement in the exception handler that routinely skips and punches through the bottom. No matter what or how I speak about an identity being a set of [domain, id, secret], it would not stick. The schema was carved in stone long ago and isn't changing. I've naturally tried converting them to a password manager; it didn't matter. Falling into installing WinZip, twice, and subsequently paying for it was far easier than using it, apparently. Whenever a login process could not be completed, the system is considered to have "become unusable", and the signup flow is repeated to again "unlock" the system.

To include such kinds of common people, reducing the situations in which realms matter is crucial. Passwordless login such as SMS and e-mail magic links is one way, password sharing among websites (dangerous) is another, and OAuth/OpenID/federated login is among those.

A user that feels uneasy typing XY account passwords into a browser-ish popup that claims to be a part of the legitimate "Login with XY" flow is not a normal user. That is a competent, near-developer power user.
