Shawn: you clearly need to have auth/security *somewhere* for many applications, but this is no different for browser-based apps than for internet-using thick clients. A browser-based XMPP or IMAP client, or game, or whatever, can use the same auth that any desktop app would use for the same purposes. Especially once browsers have persistent storage, we will see more and more apps written mostly in the browser, using off-the-shelf server components.