There are no magic solutions. If you give your username and password to the Consumer, yes, they do all this for you but can also do anything they want and the only way to stop them is by changing your password (assuming they didn’t beat you to it and hijacked your account). If you don’t, you need a way to give them something you approved.

There are ways to make this better for the user experience but usually at a price of security.

That said, I think that this problem goes away over time as connectivity improves and I also think that the initial time-cost of authenticating in series of steps becomes both regular, easier as interfaces improve, and better yet as we move away from username/password combos being replaced by biometrics or other types of verification.

Additionally, the idea is that as browsers get better at things like OpenID and so on, this whole dance will become a lot easier, just as on the desktop you can limit which apps are allowed to do different things.

All these technologies have a long way to go and it’s important to point out issues like this. At the same time, I don’t think that we should accept that spreading username and passwords all over the place is a good solution either, so until we have something better, this is the best we’ve got for the moment.