Twitter is More Secure than My Credit Card

Twitter now lets developers build applications that take actions on your behalf without you ever having to divulge your password. Instead of asking you for your password, these applications ask Twitter to ask you for permission, and you give permission to the application while logged in to Twitter. What's even better is that you can revoke the application's permissions, from within Twitter, at any time, without having to change your password. The OAuth protocol makes this possible, and does so in a very secure manner.

Compare this to on-line transactions involving your credit card; you have to divulge your user-name (the name on your credit card) and your password (your credit card number) for every transaction. Some sites even store your card details, and you rely on trust, and the vendors good standing with the credit card company, that they will not make further transactions using your card. What happens should you find your card being abused? You have to go through the hassle of cancelling your card and obtaining a new card number, which you then have to divulge to all the companies that make regular charges to your card, instantly creating the opportunity for further abuse. To make matters worse, the credit card companies even give us these cards with our passwords on them (the card number), violating the "never write down your password (or PIN)" rule.

OAuth is an open protocol developed by some of the major web companies. The protocol is gaining traction rapidly, and the OAuth site lists some of the OAuth service providers (that is the sites that allow OAuth authorisation). Part of the reason for the rapid adoption is that is not really new technology. As mentioned in the OAuth design goals, the protocol is essentially a standardisation of the proprietary protocols used by Google’s AuthSub, AOL’s OpenAuth, Yahoo’s BBAuth and FlickrAuth and Facebook’s FacebookAuth.

Eran Hammer-Lahav provides a getting started with OAuth guide, Google provide a good overview of uses for OAuth, and the OAuth wiki provides links to all the details.

Discuss this post here.

Published: 2009-04-02