Passive is good!

Some time back I wrote about avoiding handling of credentials (creation/maintenance/verification of user names, passwords, pins, etc.) in your own application code, but rather delegating that functionality to a specialized, external identity provider (IdP; This aversion should apply to even collection of credentials (e.g. asking the user for user name/password). Even that role should be delegated […]