The thing is, authentication isn't even hard: you have a central authority users register with, that authority publishes public keys for anyone to look at, and *one way or another* users manage the private keys attached to them. Nobody needs to give a damn how the private keys work as long as it's convenient and secure. Then users just sign messages to prove their origin and anyone receiving the message can verify it.
Instead we have OAuth, which nobody can even explain sensibly.
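The register, publish, sign, verify flow described in the comment above, as an added example that is not part of the original comment. The `Directory` type, the user names and the sample message are assumptions made for illustration, and Ed25519 is one possible choice of signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Directory stands in for the central authority (hypothetical type):
// it maps registered user names to their published public keys.
type Directory struct{ keys map[string]ed25519.PublicKey }

// Register publishes pub for user; the private key never leaves the user.
func (d *Directory) Register(user string, pub ed25519.PublicKey) error {
	if _, taken := d.keys[user]; taken {
		return errors.New("user already registered")
	}
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("bad public key length")
	}
	d.keys[user] = pub
	return nil
}

// Verify reports whether sig is claimedSender's signature over msg.
func (d *Directory) Verify(claimedSender string, msg, sig []byte) bool {
	pub, ok := d.keys[claimedSender]
	return ok && ed25519.Verify(pub, msg, sig)
}

// Demo runs four checks on a constructed message and returns the results.
func Demo() [4]bool {
	dir := &Directory{keys: map[string]ed25519.PublicKey{}}
	alicePub, alicePriv, _ := ed25519.GenerateKey(nil) // nil = crypto/rand
	bobPub, _, _ := ed25519.GenerateKey(nil)
	dir.Register("alice", alicePub)
	dir.Register("bob", bobPub)
	msg := []byte("pay bob 5") // constructed sample message
	sig := ed25519.Sign(alicePriv, msg)
	return [4]bool{
		dir.Verify("alice", msg, sig),                   // genuine
		dir.Verify("alice", []byte("pay bob 500"), sig), // altered message
		dir.Verify("bob", msg, sig),                     // wrong claimed sender
		dir.Verify("mallory", msg, sig),                 // unregistered name
	}
}

func main() { fmt.Println(Demo()) }
```

Only the first check passes; a changed message, a different claimed sender and an unregistered name all fail verification.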