When ObiTALK is unavailable (as simple as a routing snafu where Google is accessible but they aren't, or in particular, if Obihai were to go out of business) and I want to change my ATA, what then? Why are Obihai's servers necessary to fetch my token? Why can't the OBi110 fetch it itself? Is Obihai merely passing that token through, or are they storing somewhere?
I'm not questioning the authentication strength of OAuth versus whatever was being used before, I'm questioning why it needs to go through a third party, and all the security implications THAT has. If you trust Obihai to do everything fine every time, that's great. I'm sure that's what the Target, Home Depot, Anthem, etc. folks thought too. Obihai seems to be one link in the chain which shouldn't need to be there.
I would even be semi-happy if Google Voice could be set up, then be able to change the admin password on my device and delete it from ObiTALK. But if you do that, it deconfigures your GV ("Service not configured"), and resets your admin password to the default of "admin". If you don't delete it from ObiTALK, it resets your password to what it thinks it should be and reboots your OBi. That in itself is quite troubling, because that implies they're STORING MY DEVICE'S ADMIN PASSWORD IN PLAINTEXT. Ask ANYONE who programs things which are supposed to be secure, such as password handling routines, and they will explain that NO password should even show up on the page after provisioning, yet it appears on the ObiTALK page after I click on the device name in my dashboard! It's not even obscured by asterisks or anything, so anyone happening to see my monitor can now screw with my OBi110. "Expert config" sucks because it reboots the box after EVERY change; you can't batch up a few (pages of changes) and THEN reboot. I don't want my firmware being updated potentially every day, but once again, if you vary from the Obihai Rx, you're slammed down, your changes are reverted, and your box gets bounced. Even if you change that in "Expert mode" on the Web site, logging directly into the device begs to differ, it says it will still probe every 86400 seconds. ( I don't know what was happening when I looked, but now Disabled/Disabled seems to have been pushed to my device)