One stunnel-like server is already employing this technique. It remains to be seen when Apache, OpenSSH, and other important server software will follow.
Again, you miss the point. The point isn't separate accounts. The point is, you have a user account, say "JoeCool", and a password, say "12345". Your system allows Joe, when logged in under that password, to create a secondary password, 67890, which, when logged in with, only allows limited access. Joe can then give "67890" as a password to a third-party application, which will then have only limited access. If the application misbehaves, Joe can remove the "67890" password, thus locking out the malicious application while keeping his primary password secure, along with any other secondary passwords he's generated for other applications. That's the system being described, and that's a system which would avoid a heck of a lot of headache.
And I'd appreciate not being called names by someone who hasn't even taken the time to understand what's being said.
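A minimal model of the scheme this comment describes, added here as an example and not code from the thread: one primary password plus scope-limited secondary passwords that can each be revoked independently. The class and scope names are made up for illustration, and the secondary password is generated randomly rather than chosen by the user.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 so stored digests are not directly reversible.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass(frozen=True)
class Credential:
    salt: bytes
    digest: bytes
    scopes: frozenset  # "*" means full access (primary password only)
    label: str

class Account:
    """Constructed example: a user with a primary password and app passwords."""

    def __init__(self, username: str, primary_password: str):
        self.username = username
        salt = os.urandom(16)
        self.primary = Credential(salt, _hash(primary_password, salt), frozenset({"*"}), "primary")
        self.secondary: dict[str, Credential] = {}  # label -> credential

    def create_app_password(self, label: str, scopes) -> str:
        # Random secret handed to one application; only its hash is stored.
        password = secrets.token_urlsafe(16)
        salt = os.urandom(16)
        self.secondary[label] = Credential(salt, _hash(password, salt), frozenset(scopes), label)
        return password

    def revoke(self, label: str) -> bool:
        # Removing one app password leaves the primary and all others intact.
        return self.secondary.pop(label, None) is not None

    def authenticate(self, password: str):
        """Return the scopes granted to this password, or None if it matches nothing."""
        for cred in (self.primary, *self.secondary.values()):
            if hmac.compare_digest(cred.digest, _hash(password, cred.salt)):
                return cred.scopes
        return None

    def authorize(self, password: str, action: str) -> bool:
        scopes = self.authenticate(password)
        return scopes is not None and ("*" in scopes or action in scopes)
```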
As the work was winding down, I’ve found myself reflecting more and more on what we actually accomplished. At the end, I reached the conclusion that OAuth 2.0 is a bad protocol.
To me, at least, this says he realized that they accomplished nothing, and had finally reached the point where he could no longer continue accomplishing nothing and call it progress.
[We] use bad software and bad machines for the wrong things. -- R.W. Hamming