> In other words, insistence on OAUTH authentication invalidates several decades' worth of > common and useful practice, for a very > dubious benefit that has been imposed on huge communities of users. I'm *not* defending the practice, but there is a benefit in terms of inserting MFA challenge/response into the workflow. It is increasingly common for organisations (thanks to their auditors/insurers) to require MFA whenever the user's primary credentials are being used. So, while it is true that a native app can trivially steal the user's credentials, it is subsequently hard to misuse them *if* MFA is always required by policy (the direction of travel for every organisation that I work with). It acts as a failsafe because the user's account ends up locked, rather than compromised, if someone tries to misuse the credentials repeatedly. It is ugly but there is a logic to it.
