I am slowly accepting that OAuth2 is quite amazing, but I'm still worried about the fact that an IdP could theoretically impersonate me as discussed in Can an identity provider impersonate me? (Can Facebook post Stack Overflow questions under my name?).
Would having two separate OAuth identity providers be sufficient to prevent this theoretical impersonation issue? Like, having two different IdPs with two different passwords (or with the same password but both requiring a second factor), and when logging into a service I need to get an access token from both IdPs?
