OAuth Sounds Geeky, but Protecting Passwords Is Worth It
Today at 8 am PT, Twitter will turn on OAuth for user authentication, which would seem like something only nerds should care about.
In fact, everyone should.
With third-party apps no longer given access to Twitter passwords, in this highly unprotected digital world, the consumer is a little bit more protected.
I myself cringe every time an app asks for basic authorization–my password for Twitter–so I can use whatever it is offering.
Since so much of the Web has become social, connecting services to each other tightly–so that they all work together–is a must.
What it also does is create untold security issues.
But OAuth–which is used by an increasing number of big sites–mitigates some of that, allowing you to sign in to Twitter itself and then let the service authenticate.
Here at All Things Digital, we are also updating our mobile app to use OAuth, since it will render the old way obsolete.
And it couldn’t come soon enough.
Here is the Twitter blog post on the changeover:
Twitter Applications and OAuth
Monday, August 30, 2010
If you are like most Twitter users, you have used a third-party Twitter application to read or send Tweets. As of August 31, Twitter applications will all use OAuth, an authentication method that lets you use apps without them storing your password.
What does this mean for me?
The move to OAuth will mean increased security and a better experience. Applications won’t store your username and password, and if you change your password, applications will continue to work.
With OAuth, you still individually approve each application before using it, and you can revoke access at any time. To see which applications you have authorized or to revoke access, just go to the Connections section under Settings.
One thing to note–to continue to use your favorite applications, you should make sure you are running the latest version of the app. Otherwise, you may soon find that it doesn’t work anymore.
Tell me more about OAuth
In order for Twitter applications to access your account, developers have been able to choose one of two authentication methods: Basic Authentication or OAuth. Both require your permission, but there is an important difference. With Basic Auth, you provide your username and password for the app to access Twitter, and the application has to store and send this information over the Internet each time you use the app. With OAuth, this isn’t the case. Instead, you approve an application to access Twitter, and the application doesn’t store your password.
Fortunately, developers have known about our transition to OAuth since last December, so they’ve had time to update their apps. And many apps, including Echofon, TweetDeck, Twitterrific, Seesmic, and Twitter for Android, iPhone, and BlackBerry, are already using OAuth. We appreciate the work and time that developers have invested in this update in order to keep you safe.
[Image credit goes to hueniverse.com, a most excellent blog about all things OAuth and web standards.]
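As an added illustration (not code from Twitter or All Things Digital), the following Python sketch shows the difference the post describes: a Basic Auth header carries the user's password on every request, while an OAuth 1.0a request carries only a per-application token and an HMAC-SHA1 signature that the site can verify and, via a simple token store, revoke. The consumer key, token, secrets and URL are made-up values, and the token store is a dictionary standing in for the site's real database.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote


def pct(s):
    # RFC 3986 percent-encoding as OAuth 1.0a requires (only unreserved chars kept).
    return quote(str(s), safe="~")


def basic_auth_header(username, password):
    # Basic Auth: the actual password is base64-encoded (not encrypted) into every request.
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def oauth_signature(method, url, params, consumer_secret, token_secret):
    # OAuth 1.0a HMAC-SHA1: sign the method, URL and sorted parameters with the
    # consumer secret and token secret. The user's password is never involved.
    norm = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    base = "&".join([method.upper(), pct(url), pct(norm)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()


def sign_request(method, url, query, consumer_key, consumer_secret,
                 token, token_secret, nonce=None, ts=None):
    # Client side: build the oauth_* parameters and attach the signature.
    params = dict(query)
    params.update({"oauth_consumer_key": consumer_key, "oauth_token": token,
                   "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
                   "oauth_nonce": nonce or secrets.token_hex(8),
                   "oauth_timestamp": str(ts or int(time.time()))})
    params["oauth_signature"] = oauth_signature(method, url, params, consumer_secret, token_secret)
    return params


def revoke_token(token_db, token):
    # What "revoke access" in the Connections settings amounts to: the token dies,
    # the password is untouched, and other apps' tokens keep working.
    if token in token_db:
        token_db[token]["revoked"] = True


def verify_request(method, url, params, consumer_secret, token_db):
    # Server side: look up the token, refuse revoked or unknown ones, then recompute
    # the signature over everything except oauth_signature and compare in constant time.
    entry = token_db.get(params.get("oauth_token"))
    if entry is None or entry["revoked"]:
        return False
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = oauth_signature(method, url, unsigned, consumer_secret, entry["secret"])
    return hmac.compare_digest(expected, params.get("oauth_signature", ""))
```

Note that tampering with any signed parameter, or revoking the token, makes `verify_request` fail without the user ever changing a password.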