https://medium.com/@justinjsmith/hatin-on-microservice-passwords-4f8f0c0143ec#.rmxrg2h9l
Justin's argument is summarized thus: "It’s true that a client must still authenticate with the security service, but the security service provides a central place to focus on and to harden. As I mentioned previously, it’s less about how the client authenticates, and more about where the client authenticates". Do you think this argument holds up? It sounds a bit like throwing up our hands and saying that instead of trying to solve the problem we'll just shift responsibility for failure.