Thanks @christiaangoossens for writing this up.
As a developer myself, I understand the direction @frenck is pointing to, and the maintenance work necessary. Back in 2020, when the first PR arose, OIDC and 2FA didn’t have a lot of traction, although it was starting to. Also from that point of view, I understand their past decision.
However, I want to also draw attention to being able to use 2FA with such a solution. In the past years it got a lot of attention, and people understand the need for it; not only in enterprises, or in tech communities. I also see a lot of awareness and attention going towards security breaches, and people getting worried about changing passwords, and whether their important data is secure.
So starting with that, and considering one hooks up his/her entire home automation in HA, I would even argue not having 2FA can be seen as too insecure for the year we are in.
On top of that, people started using password managers more frequently due to having so many logins, and users want to have a simple way to log in. Many use Facebook, Twitter, or whatever there is to federate their login, and not have to remember logins anymore.
Considering these, I totally agree with @christiaangoossens that having OIDC/2FA/SSO should be re-evaluated, and considered to be integrated, and I believe it would not only benefit a small amount of users.
As mentioned, I understand the pushback for having to maintain such an auth flow heading forward. I think it would provide tremendous value to increase security and ease the use of HA on that side. However, some suggested being able to hook in authentication plugins, and although I’d love to have native OIDC authentication being implemented, it would also be very interesting to hear from @frenck and other maintainers what their thoughts around such plugins are.
In the end, if a user chooses to install such a plugin, they do it consciously considering the benefits, but also the disadvantages, possible attack vectors, etc. Looking at it this way, I think the user’s expectation is not relying on HA; rather, the user decides to be OK with whatever expectation the plugin provides.
And if a plugin exists that would potentially break e.g. Android/iOS authentication, well. The user decides to use it and is OK with it - it’s their conscious decision.