The mom-test is a good one, I'll have to think more about it. The truth is the advantages and disadvantages of various authentication systems are subtle, and hard for a lot of technical people to understand, much less care about.
Apple is a commercial corporation, and one of the biggest (by market cap) companies in the world. That gives me confidence that they'll be around for a long time, have sufficient resources to invest in security and reliability, and they have a well-established reputation for a focus on security. They do other things I don't like[1], but I think this is one area where they're setting really good precedent.
In addition, it's going to be difficult getting any sites (outside of maybe the crypto/grey-market) to adopt an auth system that doesn't let them contact their users. This is also I think a big failing of IndieAuth.
Promise is basically challenging the assumption that authentication has anything to do with both personal identity and being able to contact a user.
If a site needs to contact the user, it's reasonable to ask for eg. an email. But now the intent of asking for an email has to be crystal clear, which makes you and them more aware of what data you are actually giving them.
Apple sure is doing some good stuff with their authentication solution and their efforts to help people with healthier passwords habits. I'm still not too fond of having such fundamental infrastructure owned by a private company. Would you be comfortable handing over DNS to Apple?
Apple is a commercial corporation, and one of the biggest (by market cap) companies in the world. That gives me confidence that they'll be around for a long time, have sufficient resources to invest in security and reliability, and they have a well-established reputation for a focus on security. They do other things I don't like[1], but I think this is one area where they're setting really good precedent.
In addition, it's going to be difficult getting any sites (outside of maybe the crypto/grey-market) to adopt an auth system that doesn't let them contact their users. This is also I think a big failing of IndieAuth.
[1]:https://sneak.berlin/20201112/your-computer-isnt-yours/