Don’t Give That Password! (Or Why We Need OAuth)

I was at dinner tonight with a friend and the subject of XBox Live came up. We were wondering if a 3rd friend was online. We both have iPhones and 2 minutes later, I had bought an app to check my Live status. 1 minute later the app was on my dashboard and I was $2 poorer. I clicked the icon and was presented with a login screen asking for my username and password to XBox Live.

That was my last interaction with the app.

The problem here is not with the developer himself. That’s just the only way he can get access to the data I’m interested in. The subject came back to mind tonight after seeing the massive number of hacked Twitter accounts as reported by Mashable and many others. We still don’t know for sure how the hackers got access to these accounts, but it looks like at least some might have been due to phishing or weak passwords. Regardless of the reason, these two situations give us a great example of why OAuth is important and why every single service out there needs to implement it, or at least implement something similar. For users, giving your username & password to a 3rd party should raise a big red flag, and as service providers, we shouldn’t be asking users to give that away. We should provide them with tools (like OAuth) that let them use tools like my XBox Live app without handing over the keys to the kingdom.

So what’s OAuth, you say? I’m just going to quote the official site and say it’s “An open protocol to allow secure API authorization in a simple and standard method from desktop and web applications”.

In a nutshell, it’s a way to give 3rd party applications (web or otherwise) access to your account without giving them your password. What you do is authorize the app once on the service itself (Twitter for example) and from then on, access for this app is only allowed if said app sends the right secret string. The developers of that app cannot access your account in any other way, they can’t resell your login info, and you can cut off the access at any point by editing your account. It’s been working fairly well for Twitter and many others so far.
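To make the delegation concrete, here is an added example (not code from the original post, and a simplified model rather than the real OAuth wire protocol): the service issues each authorized app its own token and secret, the app signs every request with that secret instead of sending a password, and the user can revoke the app without changing the password. The user, app and service names, the HMAC-SHA256 signing scheme and the in-memory stores are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets


def sign(token_secret, token, nonce):
    # HMAC over the token and a per-request nonce; the secret itself never travels
    return hmac.new(token_secret.encode(), f"{token}:{nonce}".encode(), hashlib.sha256).hexdigest()


class Service:
    # The account provider (Twitter, XBox Live): the only party that ever sees the password.
    def __init__(self, passwords):
        self.passwords = passwords  # user -> password; constructed demo store, real services hash these
        self.grants = {}            # token -> (user, app_name, token_secret)

    def authorize_app(self, user, password, app_name):
        # The user logs in to the service itself and grants the named app a token pair.
        if self.passwords.get(user) != password:
            raise PermissionError("bad credentials")
        token, token_secret = secrets.token_hex(8), secrets.token_hex(16)
        self.grants[token] = (user, app_name, token_secret)
        return token, token_secret

    def revoke_app(self, user, app_name):
        # "cut off the access at any point": drop this app's grants, password untouched
        self.grants = {t: g for t, g in self.grants.items() if g[:2] != (user, app_name)}

    def online_status(self, token, nonce, signature):
        # Serve the call only if it is signed with the secret bound to a live grant.
        grant = self.grants.get(token)
        if grant is None:
            return None
        user, _app, token_secret = grant
        if not hmac.compare_digest(sign(token_secret, token, nonce), signature):
            return None
        return f"{user}: online"


def app_check_status(service, token, token_secret):
    # The phone app from the post: it holds a token pair, never the user's password.
    nonce = secrets.token_hex(4)
    return service.online_status(token, nonce, sign(token_secret, token, nonce))


def demo():
    service = Service({"alice": "hunter2"})  # constructed credentials
    token, token_secret = service.authorize_app("alice", "hunter2", "live-status-app")
    before = app_check_status(service, token, token_secret)  # "alice: online"
    service.revoke_app("alice", "live-status-app")
    return before, app_check_status(service, token, token_secret)  # second value None: revoked
```

Note that revoking the app leaves the password and any other app's grant untouched, which is exactly what sharing the password with the app cannot offer.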

Libraries are already available for many popular programming languages including C, .NET, PHP, Ruby and more. Once again though, the important thing here is not OAuth itself. That’s just one implementation of a good idea. For a service as big as XBox Live not to have an API accessible through an OAuth-like access is really sad.

Hopefully the era of password-only login is coming to an end.