Tony Finch – blog


This message contains a good rant about single sign-on:

The fact that “users don’t necessarily want to have to manually authenticate each time some service wants authentication” is not the reason we want to promote single sign-on. We don’t want the user to manually authenticate every time because doing so trains the user to supply their credentials so frequently that they will not think it is strange when they are asked to provide them to an attacker. The only way to prevent phishing attacks is by training users that they only authenticate in a very small number of circumstances that rarely occur.