Central authentication - good for users, bad for usability

As most of you know, I have a fun little project called Twitlonger that talks to Twitter, including the ability to post to users' accounts. Until recently, I had to ask for user passwords to enable posting, something I'm not keen on doing because it raises an expectation of trust that, to be frank, I haven't earned from most people (this goes for all the Twitter apps). Now, Twitter have enabled support for OAuth for granting applications API access to your account, without the need to give up your password. It's nice and simple: you click an authorise button, get sent to Twitter, which lets you allow or deny access, and get returned to the initial site. All well and good; it solves the password problem and gives users control.

At the minute, I control access to Twitlonger by getting users to sign in with their Twitter username and password. This is validated against Twitter, and things like password changes are pretty much seamless. Users will automatically be logged out if their details have changed since they were last at the site, and logging in with the new details automatically updates the details in Twitlonger. Overall, I'm pretty proud of the login experience for Twitlonger.

Naturally, I now want to implement OAuth support, which means I have two choices - get the user to grant Twitlonger access every time the session expires (irritating) or store the keys necessary to authenticate with Twitter and give Twitlonger its own registration system. Not one for duplication of functionality, I was thinking about having OpenID support, so users don't need to create *another* username/password combination. Then I thought about the process for the user to be able to use Twitlonger (for the first time, anyway).
  1. Login with OpenID
  2. Get sent to external site to authenticate OpenID
  3. Return to Twitlonger
  4. Authorise with Twitter
  5. Get sent to Twitter to authenticate API access
  6. Return to Twitlonger
  7. Actually get on with the desired task.
OK, so this should only need to happen the first time the user comes to Twitlonger, but it also means their first experience of the service involves visiting three different sites just to start the task in hand. On one hand, they will be having a much more secure experience, but from the user-friendly standpoint it will be horrible. I don't plan to find out how many people would lose interest before the end of the process. I will be implementing OAuth because it will make me feel a lot better about everything, but I'm afraid OpenID as well would be a step too far.
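To make the "store the keys" option concrete, here is an added example (not Twitlonger's code) of what the app keeps once a user has authorised it and how it signs a Twitter API call with OAuth 1.0 HMAC-SHA1, so the user's password is never stored and revoking the token at Twitter cuts the app off. The consumer key/secret, access token/secret and URL are constructed placeholders, and the signing method is assumed to be the HMAC-SHA1 scheme of OAuth 1.0.

```python
# Added example: per-user OAuth 1.0 access token + secret replaces the stored password;
# every API request is signed with HMAC-SHA1. Credentials below are constructed placeholders.
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote


def pct(value):
    # RFC 3986 percent-encoding as OAuth 1.0 requires (only A-Za-z0-9-._~ left bare)
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & encoded URL & encoded normalised parameters (sorted by key, then value)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalised = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalised)])


def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with consumer secret & token secret."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def oauth_params(consumer_key, access_token, nonce=None, timestamp=None):
    """The oauth_* protocol parameters; nonce and timestamp let the server reject replays."""
    return {
        "oauth_consumer_key": consumer_key,
        "oauth_token": access_token,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_version": "1.0",
    }


def authorization_header(method, url, request_params, creds, nonce=None, timestamp=None):
    """Sign the request's own params (e.g. status text) plus oauth_*; return the header."""
    oparams = oauth_params(creds["consumer_key"], creds["access_token"], nonce, timestamp)
    oparams["oauth_signature"] = sign(method, url, {**request_params, **oparams},
                                      creds["consumer_secret"], creds["token_secret"])
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oparams.items()))


def verify(method, url, all_params, consumer_secret, token_secret):
    """Server side: recompute the signature and compare it in constant time."""
    params = dict(all_params)
    presented = params.pop("oauth_signature", "")
    return hmac.compare_digest(presented, sign(method, url, params, consumer_secret, token_secret))
```

Because only the token secret (not the password) is stored, a change of the user's Twitter password does not invalidate the stored token; the user revokes access at Twitter instead, and the next signed request simply fails.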