I use MacOS's keychain as well, and an encrypted text file as a backup. Keychain IS single-sign-on. It could technically work the same way with a 3rd party administrating, if you could trust them enough. For many people (myself included), this trust issue means that MS was the absolute least qualified company imaginable (with the possible exception of SCO) to launch something like that. Most people trust their own machines more than any companies, thus it works better that way.