I like the idea of Tailscale, because it gets us a little closer to the network where all devices are connected instead of 99% of them being behind NAT.
But I don't want to use them when they don't support email-based logins. I did read their explanation[0], but I am not sure how it actually makes sense - if they don't want to have passwords, why not a client cert?
You can imagine them getting to some fussy custom authentication scheme like client certificates at some point, but IdP-based SSO logins --- usually email-backed --- are a practically-universal security best practice for corporate security now. The goal is to make it easy to enroll and offboard people and make it difficult to miss a step in offboarding and thus leave people with undesired access, and to have a single source of authentication truth that can be regularly audited.
I wouldn't trust an IdP-based SSO login for any critical service that I need continuous access to, unless I control the IdP.
All those stories like "Google blocked my account without recourse and don't answer tickets anyway" have put me off. I lost editing rights to a Google My Business profile that I was the sole owner of, because they gave third party input precedence over the owner's own entered data (opening times of all things) then locked the ability to update it, so I know loss of control over one's own account isn't that rare with Google.
It's not just Google. So I trust my domain provider more than I trust any third party SSO, because I believe I have legal ownership of domains in case all else fails. I don't seem to have equivalent rights over SSO accounts at any third party. So, for now until something better is available, email-based accounts are a must-have for any critical service.
You do you, but that first sentence puts you wildly out of step with most security practices at most companies, very much including most tech companies.
The most recent medium-size tech company I worked at is very security aware in a modern way, and uses Google IdP for employee access.
But they don't trust Google, and have been looking for a way to migrate everything away (IdP, docs and email) for some time.
Everything you said about the benefits of IdP, SSO and enrolling/offboarding employees is spot on.
The only problem is that some third party IdPs aren't as low-risk as they seem, if you're a small entity who cannot get corporate support in case of a problem. The risk is small but not enough, and the consequences for a small entity are severe. Loss of access to docs, email and your other service provider logins can kill a business.
For larger tech companies the support hotline will answer, so it's not a problem and it makes sense to outsource. It would still be better if the company had legal rights to their own credentials on IdP as a backup, though, similar to the way they have legal rights over their domains.
[0]: https://tailscale.com/kb/1013/sso-providers/