It must be using oAuth. I think it was a mistake in the oAuth protocol to not build in a default, short, expiration for secret keys. Now users (most of them non-tech savvy) have to rely on visiting the apps page and manually removing authorizations.
Edit: I just profiled the process, and it is using OpenID. It pops open a new window that will check your OpenID login and call back with a success and will close the window if it is. I had to slow down my connection to actually see it.
Edit: I just profiled the process, and it is using OpenID. It pops open a new window that will check your OpenID login and call back with a success and will close the window if it is. I had to slow down my connection to actually see it.