Twitter to Implement OAuth as Future Authentication Method

Recent events have pulled Twitter’s authentication methods even further into the limelight. People are becoming increasingly concerned about the safety of their profile and everything associated with it. What’s Twitter going to do about it, and when?

Twitter is working on a beta release of OAuth

Engineer/API Lead Alex Payne commented on the Twitter Development Talk group that the User Experience team is putting the finishing touches on a beta release of an OAuth implementation. This comment was made in November and mentioned a release toward the end of December. Since then, Payne has also said they (Twitter) will be experimenting with it after the first of the year.

The next full release of the API will use OAuth authentication only

That only makes logical sense, right? After all, you have to eliminate all the weakest links to make a stronger chain. Also, using OAuth will decouple API rights from the general access rights used on the web. In turn, you’ll see more granularity of access control using OAuth, which is something BasicAuth sucks at.
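To make the BasicAuth versus OAuth contrast concrete, here is an added example (not code from Twitter or from this post) that builds both kinds of `Authorization` header. It assumes OAuth 1.0 with HMAC-SHA1 signing; the function names are illustrative and the credentials in the demo are constructed.

```python
# Added illustration; assumes OAuth 1.0 request signing with HMAC-SHA1.
import base64
import hashlib
import hmac
from urllib.parse import quote


def pct(value):
    # OAuth percent-encoding: everything except RFC 3986 unreserved characters.
    return quote(str(value), safe="-._~")


def basic_auth_header(username, password):
    # Basic Auth: the account password, only base64-encoded, in every request.
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def recover_basic_credentials(header):
    # Any app, proxy or log that holds the header can get the password back.
    decoded = base64.b64decode(header.split(" ", 1)[1]).decode()
    username, _, password = decoded.partition(":")
    return username, password


def oauth1_signature(method, url, params, consumer_secret, token_secret):
    # Signature base string: METHOD & encoded URL & encoded, sorted parameters.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base_string = "&".join([method.upper(), pct(url), pct(normalized)])
    # The key is built from two secrets that are never put on the wire.
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def oauth1_header(method, url, oauth_params, query, consumer_secret, token_secret):
    # The header names the app (consumer key) and the grant (token) and signs
    # this one request. It carries no password and no secret.
    signature = oauth1_signature(
        method, url, {**oauth_params, **query}, consumer_secret, token_secret)
    fields = dict(oauth_params, oauth_signature=signature)
    return "OAuth " + ", ".join(f'{k}="{pct(v)}"' for k, v in sorted(fields.items()))


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    print(recover_basic_credentials(basic_auth_header("alice", "hunter2")))
```

Because the token in the OAuth header stands for one app's grant rather than for the account itself, it can be scoped or revoked without touching the password used on the web.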

Unintended Consequences of Better Security

For starters, OAuth is much more difficult for third-party developers to implement than BasicAuth is. It’s a new set of tools and technologies that most people aren’t really that familiar with. OAuth also entails bouncing around to the browser while authenticating, much like OpenID does. Once you have allowed an app, it should be able to remember that and be fine on subsequent authentication attempts. However, it’s going to confuse a ton of people the first time. OAuth is not a security silver bullet, but is a step in the right direction. (Payne’s words on OAuth)

Our Plea

Twitter: please don’t give up on this. We can’t stand to see it go the way of Track or IM. We desperately need to feel safe when using our credentials as recent events have given you a bit of a black eye. OAuth, OpenID, we don’t care – just make us feel warm and fuzzy inside.


5 Comments

  1. Andy Brudtkuhl said · Jan 5th, 2009 at 3:35 pm

    How is OAuth more secure than the current authorization system? Also - what's the benefit of OAuth over OpenID? Seems OpenID has been more widely adopted...

  2. Mark Bockenstedt ( @chewbocka ) said · Jan 5th, 2009 at 9:07 pm

    Andy

    I agree that OpenID is more widely known than OAuth is since big names like AOL, Flickr, MySpace, and Yahoo have adopted it. OAuth benefits over standard authentication (username/password combo) in the fact that it's a standardized, secure way to authenticate against an API. I think Mashable put it best when they said:

    "OpenID solves the problem of having far too many usernames and passwords to remember. OAuth solves the problem of how to share information between sites without giving your password from one site to another."

    The importance of OAuth is that it's standardized. There are no standards regarding safely storing or transmitting passwords - you could encrypt it, hash it, etc but there's nothing telling you what you must do. It's also really good at safely sharing information between sites and services, which is why it's an excellent fit for this scenario. There's a good example describing the process for both methods here. There's a complicated workflow for OAuth on how access is requested and granted here.

  3. Andy Brudtkuhl said · Jan 5th, 2009 at 11:01 pm

    That clears it all up! That smells like a full on blog post :)

  4. Chris Messina said · Jan 10th, 2009 at 1:09 pm

    You might be interested in the podcast that Larry Halff (Ma.gnolia) and I did with Alex Payne on Twitter, security, phishing and OAuth the other day:

    http://tr.im/cg_10

  5. Mark Bockenstedt ( @chewbocka ) said · Jan 10th, 2009 at 1:18 pm

    @Chris

    Sounds great, I'll be sure to check it out. Thanks for sharing.
