"Sure, we're centralizing risk here to, say, Google, or Facebook -- but I trust Google a heck of a lot more than I trust J. Random Website, and this really is no different in practice than having password recovery emails sent to your GMail account." That's the heart of it. Trouble is, while I might trust Google's ethics or tech savvy more than J. Random's, I can never trust them fully. They aren't invincible, and centralizing the risk is not worth it (and you are not simply centralizing your own risk; you are advocating centralizing everyone's centralized risk). If I don't know how to keep my sensitive identities completely separate (including separate email accounts) from my more trivial, throw-away identities, then educate me. Don't force me to centralize my risk. I loathe the day where I have to use my Google account or iDriver's License to log into other web sites. I would much rather have the freedom to set up a separate account with each entity.
Commented Dec 17, 2010 on The Dirty Truth About Web Passwords at Coding Horror