Random thought: the centralization of authentication to a few big OAuth providers like MS and Google, combined with services that time out your cookies and force relogins every so often, makes phishing people so much easier.

Want someone's account creds? Just pop up something that looks like an MS or Google login form; odds are they're so conditioned by login fatigue that they'll automatically type their creds and TOTP token into it.

In the old days, when I had to explicitly log into a specific system that I was manually navigating to, things were harder to phish because you'd have to impersonate *that site* at exactly the time I was intending to log in.

Now, I can be in the middle of a workflow doing something else and a random OAuth popup asking for my credentials appears. Is it my VPN? Mail client? Internal service X? Who knows.


Original post: https://ioc.exchange/users/azonenberg/statuses/115697725202006443