Today I attempted to document all the domains where my Disney account is used so that my browser would autofill the correct credentials when I visit a Disney-owned site. After going down the rabbit hole, I ended up with a total of 31 second-level domains[0]:

6abc.com, abc.com, abc11.com, abc30.com, abc7.com, abc7chicago.com, club33.com, d23.com, disney.com, disneyaccount.com, disneyaulani.com, disneygiftcard.com, disneyinstitute.com, disneymovieinsiders.com, disneyonice.com, disneyplus.com, disneyrewards.com, disneyweddings.com, espn.com, footytips.com.au, freeform.com, fxnetworks.com, go.com, hulu.com, marvel.com, nationalgeographic.com, rundisney.com, shopdisney.com, starwars.com, thewaltdisneycompany.com, tokyodisneyresort.jp

It's likely an undercount, and doesn't include the untold subdomains. (go.com alone has thousands of subdomains in CT logs.)

Wouldn't Disney be better served by using something like OIDC on a single domain? I see several downsides to their current approach. First, it's confusing to users when their saved credentials don't autofill because they created the account on a different site. Second, Disney can't use newer, more secure authentication like passkeys/WebAuthn because those are tied to a single domain. Finally, having the same credentials work on a bunch of seemingly-unconnected sites is a phisher's dream. If Disney's user base is accustomed to entering their credentials all around the web, why would they hesitate to enter them on a fake ABC affiliate site?

[0] https://my.disneyaccount.com lists most of the sites
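The "passkeys are tied to a single domain" point above comes from the WebAuthn Relying Party ID rule: a credential's RP ID must equal the origin's host or be a registrable-domain suffix of it, and it may never be a public suffix, so no single RP ID can span two different registrable domains. The script below, an added example and not code from the commenter or from Disney, applies that rule to the 31 domains in the comment and counts how many distinct RP IDs (i.e. how many separate passkey registrations) they would require. The public-suffix table is a constructed subset that covers only these domains, and `login.go.com` is a constructed hostname; a real check would use the full Public Suffix List.

```python
"""WebAuthn RP ID scoping check across a set of origins (added example)."""
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List: an ASSUMPTION that is only
# large enough for the domains in the comment (com, com.au, jp).
PUBLIC_SUFFIXES = {"com", "au", "com.au", "jp"}

# The 31 second-level domains listed in the comment.
DISNEY_DOMAINS = [
    "6abc.com", "abc.com", "abc11.com", "abc30.com", "abc7.com", "abc7chicago.com",
    "club33.com", "d23.com", "disney.com", "disneyaccount.com", "disneyaulani.com",
    "disneygiftcard.com", "disneyinstitute.com", "disneymovieinsiders.com",
    "disneyonice.com", "disneyplus.com", "disneyrewards.com", "disneyweddings.com",
    "espn.com", "footytips.com.au", "freeform.com", "fxnetworks.com", "go.com",
    "hulu.com", "marvel.com", "nationalgeographic.com", "rundisney.com",
    "shopdisney.com", "starwars.com", "thewaltdisneycompany.com",
    "tokyodisneyresort.jp",
]


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) of host, e.g. www.disney.com -> disney.com.

    Scans suffixes from longest to shortest so that multi-label public
    suffixes such as com.au are matched before au.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{host!r} is itself a public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known public suffix for {host!r}")


def rp_id_allowed(rp_id: str, origin: str) -> bool:
    """Apply the WebAuthn RP ID rule for a given origin.

    Simplification: only https origins are treated as secure contexts
    (the spec also allows http://localhost during development).
    """
    parts = urlsplit(origin)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower()
    rp_id = rp_id.lower()
    # The RP ID must be the host itself or a suffix of it at a label boundary.
    if not (host == rp_id or host.endswith("." + rp_id)):
        return False
    # The RP ID must not be wider than the registrable domain (never a public suffix).
    reg = registrable_domain(host)
    return rp_id == reg or rp_id.endswith("." + reg)


def coverage(rp_id: str, domains: list[str]) -> list[str]:
    """Which of the listed domains a passkey registered under rp_id could serve."""
    return [d for d in domains if rp_id_allowed(rp_id, "https://" + d)]


def rp_ids_needed(domains: list[str]) -> list[str]:
    """Minimum set of RP IDs to cover every listed domain: one per registrable domain."""
    return sorted({registrable_domain(d) for d in domains})


if __name__ == "__main__":
    print("passkey registrations needed:", len(rp_ids_needed(DISNEY_DOMAINS)))
    print("rp_id=disney.com covers:", coverage("disney.com", DISNEY_DOMAINS))
    print("rp_id=go.com valid from login.go.com:",
          rp_id_allowed("go.com", "https://login.go.com"))
    print("rp_id=com valid from disney.com:",
          rp_id_allowed("com", "https://disney.com"))
```

Running it shows that a single RP ID covers exactly one of the 31 domains (plus all of its subdomains, which is why go.com's thousands of subdomains are not a problem for passkeys while hulu.com and espn.com are), and that trying to widen the RP ID to `com` is rejected as a public suffix. Moving sign-in to one domain, as the comment proposes with OIDC, reduces the count to one.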