
If you use an identity provider like Okta or OneLogin, then you're not tied to any "contentful" services like GitHub or a Google account that "historically" seem to have more problems of this type.

As far as threat models go, I can't really say I understand this one too much.



As an example: shortly after Russia invaded Ukraine, Namecheap cancelled all accounts of all of its customers who were located in Russia. This was done regardless of what content if any was hosted by the account, whether or not the person in question supported the war, or whether the person in question was actively fleeing Russia and may have been relying on technical infrastructure they had previously set up to help them do so.

Just because a service you sign up for is not contentful, does not mean that they won't choose to boot you off for some reason completely unrelated to anything you control or anything you chose to do.


This is a strange example to pick given that (1) it's a war, and (2) a significant percentage (majority?) of Namecheap's employees and offices are in Ukraine.

If we (the US) decided to invade Canada tomorrow, you can be certain that the maple syrup would stop flowing.

Edit: According to their website[1], the overwhelming majority of their employees are in Ukraine. Two of the three cities they have offices in are on the current combat front.

[1]: https://www.namecheap.com/careers/ukraine


I don't think parent is saying it's unexpected, but rather that having a third-party identity provider (especially a corporation) is an unwarranted and/or unwanted political dependency. I deeply empathize with this sentiment but also recognize why many companies choose to rely on them (identity is very difficult).


Okta and OneLogin are both private corporations that have each existed for 13 years. Does your threat model include an estimate for how long they will stay in business? What if one of them puts the other out of business? Does your threat model choose a winner in that fight?

As far as paid services go, the possibility also is there that someday _you_ run out of money and have to stop paying them. They tend to shut down your access when that happens. Another financial threat you have to model.

These things don't happen when you use public key authentication.


For enterprise, sure, using a separate IDM provider works, but last I checked, neither Okta nor OneLogin cater to individuals and their personal accounts. So as far as threat models go, I understand why people view this requirement from Tailscale as utter garbage for personal accounts.



