If you’ve been creating sites for a while, you know that domain names started becoming difficult to find years and years ago. I remember brainstorming with a full team of 8 for hours before finally finding a domain name (barely) suitable for our business 10 years ago. Of course, new TLDs have since helped with this a bit, but it’s still an issue since everyone wants a .com. And now you want not only the domain to be available, but also the Twitter and Facebook name, and let’s face it, it would be best for the name to fit on an iPhone/Android home screen too.
But that’s just the beginning.
With everyone and their mother now online, a new fight has begun: the fight for your digital identity. Businesses are now fighting to be the one representing you online. A year ago, when Facebook opened up custom URLs for profiles, their goal was obvious. What they wanted, and what every business like Facebook wants, is to be your identity. If you have www.facebook.com/yourname, it might just be that this is the URL you’ll give to people instead of your own domain name (if you even own one). This is huge for these sites.
Twitter has done the same since the beginning, and there too registering your name is important. Google is now trying to do the same with Google Profile. Once you have such an identity, you can increasingly use it to log in on other sites with things like Twitter’s @anywhere, Facebook Connect and Google Friend Connect. In a way, these services are achieving what OpenID was supposed to do years ago. OpenID’s problem, though, was that the name isn’t known at all. What’s an OpenID? Sure, you can use your Gmail account as an OpenID, but who knows this? Because of this, it never caught on.
New social networking services come and go, but if you’re not registering your name on each of them, you’re potentially making a mistake. We live in a world where your online identity is vital. Who wants to be John4576? Register on each of them as early as possible. Some will die quickly, some will never become important, but when one of them becomes the next Twitter or the next Facebook, you’ll be good to go.
Oh, and if you’re having kids, I’m honestly sorry for you. If your parents thought finding a name was difficult before, you have quite the task ahead of you. If you name your son John Smith, wish him luck in the future. He’s going to need it. Googling that name won’t be easy.
I was at dinner tonight with a friend and the subject of XBox Live came up. We were wondering if a 3rd friend was online. We both have iPhones, and 2 minutes later I had bought an app to check my Live status. 1 minute later the app was on my dashboard and I was $2 poorer. I clicked the icon and was presented with a login screen asking for my username and password to XBox Live.
That was my last interaction with the app.
The problem here is not with the developer himself. That’s just the only way he can get access to the data I’m interested in. The subject came back to mind tonight after seeing the massive number of hacked Twitter accounts as reported by Mashable and many others. We still don’t know for sure how the hackers got access to these accounts, but it looks like at least some might have been due to phishing or weak passwords. Regardless of the reason, these two situations give us a great example of why OAuth is important and why every single service out there needs to implement it, or at least implement something similar. For users, giving your username & password to a 3rd party should raise a big red flag, and as service providers, we shouldn’t be asking users to give that away. We should provide them with tools (like OAuth) that let them use tools like my XBox Live app without handing over the keys to the kingdom.
So what’s OAuth you say? I’m just going to quote the official site and say it’s “An open protocol to allow secure API authorization in a simple and standard method from desktop and web applications”.
In a nutshell, it’s a way to give 3rd party applications (web or otherwise) access to your account without giving them your password. What you do is authorize the app once on the service itself (Twitter, for example), and from then on, access for this app is only allowed if said app sends the right secret string. The developers of that app cannot access your account in any other way, they can’t resell your login info, and you can cut off the access at any point by editing your account. It’s been working fairly well for Twitter and many others so far.
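To make the contrast with the XBox Live app concrete, here is a small simulation of the delegated-access idea described above. This is an added example written for this post, not code from the original article or from any OAuth library: it models a service that issues a per-app token pair after the user logs in on the service itself, an app that signs each API request with that secret instead of ever seeing the password, and the service refusing forged, replayed, out-of-scope and revoked requests. The service, app, user name and password are all constructed stand-ins, and the request-token/verifier handshake of real OAuth 1.0a is deliberately left out; only the "app holds a revocable secret, not your password" part is shown.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample credentials for the demo; not a real account.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "correct horse battery staple"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def sign_request(token_secret: str, method: str, path: str, timestamp: int, nonce: str) -> str:
    """HMAC over the request details; the token secret never leaves the app."""
    base = f"{method}&{path}&{timestamp}&{nonce}".encode()
    return hmac.new(token_secret.encode(), base, hashlib.sha256).hexdigest()


class Service:
    """Hypothetical stand-in for a service like XBox Live that exposes an API."""

    def __init__(self):
        self._users = {}        # username -> (salt, password hash)
        self._grants = {}       # access token -> grant record
        self._seen_nonces = set()

    def register_user(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def _check_password(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, _hash_password(password, salt))

    def authorize_app(self, username, password, app_name, scope):
        """The user logs in *on the service* and approves the app once.
        The app receives only a token and a secret, never the password."""
        if not self._check_password(username, password):
            raise PermissionError("bad credentials")
        token, token_secret = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self._grants[token] = {"user": username, "app": app_name,
                               "secret": token_secret, "scope": set(scope)}
        return token, token_secret

    def revoke_app(self, username, app_name):
        """What 'editing your account' to cut off an app amounts to."""
        for tok in [t for t, g in self._grants.items()
                    if g["user"] == username and g["app"] == app_name]:
            del self._grants[tok]

    def api_call(self, token, method, path, timestamp, nonce, signature):
        grant = self._grants.get(token)
        if grant is None:
            return 401, "unknown or revoked token"
        if abs(time.time() - timestamp) > 300:
            return 401, "stale timestamp"
        if nonce in self._seen_nonces:
            return 401, "replayed nonce"
        expected = sign_request(grant["secret"], method, path, timestamp, nonce)
        if not hmac.compare_digest(expected, signature):
            return 401, "bad signature"
        self._seen_nonces.add(nonce)
        if path not in grant["scope"]:
            return 403, "outside granted scope"
        return 200, f"{grant['user']} is online"


class StatusApp:
    """The third-party phone app. It stores only the token pair."""

    def __init__(self, token, token_secret):
        self.token, self.secret = token, token_secret

    def request(self, service, path):
        ts, nonce = int(time.time()), secrets.token_hex(8)
        sig = sign_request(self.secret, "GET", path, ts, nonce)
        return service.api_call(self.token, "GET", path, ts, nonce, sig)


def demo():
    """Runs the whole flow and returns each outcome for inspection."""
    svc = Service()
    svc.register_user(SAMPLE_USER, SAMPLE_PASSWORD)
    token, secret = svc.authorize_app(SAMPLE_USER, SAMPLE_PASSWORD, "status-app", ["/status"])
    app = StatusApp(token, secret)          # the app never learns SAMPLE_PASSWORD
    results = {"status": app.request(svc, "/status"),
               "out_of_scope": app.request(svc, "/change_password")}
    ts, nonce = int(time.time()), "fixed-nonce"
    sig = sign_request(secret, "GET", "/status", ts, nonce)
    svc.api_call(token, "GET", "/status", ts, nonce, sig)            # first use is fine
    results["replay"] = svc.api_call(token, "GET", "/status", ts, nonce, sig)
    results["forged"] = svc.api_call(token, "GET", "/status", ts, "n2", "00" * 32)
    svc.revoke_app(SAMPLE_USER, "status-app")                        # user cuts the app off
    results["after_revoke"] = app.request(svc, "/status")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>13}: {outcome}")
```

The point to notice is where the password is checked: only inside `authorize_app`, on the service. Everything the app holds afterwards is scoped to one path, tied to one user, and disappears the moment `revoke_app` runs, which is exactly what a password handed to the app could never offer.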
Libraries are already available for many popular programming languages including C, .NET, PHP, Ruby and more. Once again though, the important thing here is not OAuth itself. That’s just one implementation of a good idea. For a service as big as XBox Live not to have an API reachable through OAuth-like access is really sad.
Hopefully password-only login is coming to an end.