Is OAuth Doomed?


I have been watching OAuth and OpenID develop over time, wishing and hoping they would both take root and bloom into something wonderful. I think the concepts and ideas behind both of them, OAuth especially, are wonderful. What is OAuth (to refresh your memory):

OAuth lets a user grant an application access to their data without handing over their account credentials, by way of an open protocol for secure, delegated API authentication.

But then we come to reality. Although a good number of you are not going to agree with me, it has to be stated: there is a steady groundswell of apathy that is leading to a number of major problems with web interconnectivity.

Everywhere you turn there is another faceless social networking application vying for our attention, tempting you to sign up and find or invite all your friends. You know the drill: all you have to do is provide your Gmail, Hotmail, MSN, Facebook, Twitter, Yahoo, Flickr (Ed – correction: Flickr is not promoting bad practices anymore) or Pownce account details. Now surely we can trust these unknown developers and their faceless entrepreneurs. Surely they wouldn’t do the dirty on us. After all, they have a nice new social networking application that we can play with.

Yeah, right!

Now, if you really do trust them, I hope you are changing the passwords on the compromised services on a regular basis, because you are opening yourself up to a phishing attack: a form asking for your Gmail password looks the same whether it belongs to a well-meaning start-up or to an attacker, and whoever holds that password holds the whole account, not just the contact list.

It gets worse. These bright new shiny SNS are in fact getting people to re-find or invite their friends via this method on a regular basis. Time and time again.

Sure, we as experts in this field can tell people till we are blue in the face not to do it. But at the end of the day they are just going to continue. Why? Well:

  • Mainly because it is easy.
  • The lure of belonging, of joining the social group, is strong; it’s in our nature to be social, to rebuild the online tribe around us.
  • Nothing has gone wrong, and every time they do it successfully, with a positive outcome, the behaviour is reinforced. Soon it becomes common practice.

I would say that we have in fact reached that tipping point. Not one of the more recent SNS has implemented OpenID or, more seriously, required OAuth, which would break this reinforced, learned phishing behaviour.

So what is the problem? It’s really a simple issue, but hard to solve. OAuth is a great idea, but to get traction it needs the big end of the web to embrace it. It needs Facebook, Microsoft, Google, Yahoo etc. to expose their contact APIs behind OAuth, so that delegated API authentication works within their systems.

Without these players, a new SNS cannot tap into your contact list without your password. So where there is no API, developers use the next best thing, which is what we are seeing today.
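To make the difference concrete, here is an added example (my own, not code from the original post, and not any provider’s real API) that models both approaches in Python: a hypothetical provider that holds a user’s contacts, and a hypothetical third-party SNS that wants them. In the first path the SNS collects the user’s password and logs in as the user; in the second, the user authorizes the SNS at the provider, and the SNS receives a scoped, revocable token and signs each request in the OAuth 1.0 style (signature base string plus HMAC-SHA1). The user, app and provider names, the secrets, the contact list and the scope names are all constructed, and OAuth 1.0’s three-legged request-token exchange is collapsed into a single authorize step for brevity.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

# All names and data below are constructed for this example; no real provider's API is modelled.
CONTACTS = {"alice": ["bob@example.org", "carol@example.org"]}
SCOPE_FOR = {"contacts": "contacts:read", "send_mail": "mail:send"}
API_BASE = "https://provider.example/api"

def pct(s):  # OAuth 1.0 percent-encoding: only RFC 3986 unreserved characters stay bare
    return quote(str(s), safe="~")

def signature_base_string(method, url, params):
    # OAuth 1.0: METHOD & encoded(URL) & encoded(sorted "key=value" pairs joined by "&")
    normalized = "&".join(f"{pct(k)}={pct(v)}" for k, v in sorted(params.items()))
    return "&".join([method.upper(), pct(url), pct(normalized)])

def hmac_sha1(base, consumer_secret, token_secret):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()  # OAuth 1.0 HMAC-SHA1 signing key
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

class Provider:  # the big webmail/social site that holds the contacts
    def __init__(self):
        self.passwords, self.consumers, self.tokens, self.nonces = {}, {}, {}, set()
    def register_user(self, user, password):
        salt = secrets.token_bytes(16)
        self.passwords[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))
    def check_password(self, user, password):
        salt, digest = self.passwords.get(user, (b"", b""))
        return hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))
    def _resource(self, name, user, scope):
        if scope not in ("*", SCOPE_FOR[name]):
            raise PermissionError(f"scope {scope!r} does not cover {name}")
        return list(CONTACTS[user]) if name == "contacts" else f"mail sent as {user}"
    # Path 1, the anti-pattern: whoever holds the password holds the whole account.
    def api_with_password(self, resource, user, password):
        if not self.check_password(user, password):
            raise PermissionError("bad credentials")
        return self._resource(resource, user, "*")
    # Path 2, OAuth-style delegation: a scoped, revocable token, and every request is signed.
    def register_consumer(self, name):
        self.consumers[name] = secrets.token_hex(16)
        return name, self.consumers[name]
    def authorize(self, user, password, consumer_key, scope):
        # The user authenticates AT THE PROVIDER and grants the app a scoped token
        # (simplification: OAuth 1.0's request-token/verifier/access-token exchange collapsed into one step).
        if not self.check_password(user, password) or consumer_key not in self.consumers:
            raise PermissionError("authorization refused")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[token] = {"user": user, "secret": secret, "scope": scope, "consumer": consumer_key}
        return token, secret
    def revoke(self, token):
        self.tokens.pop(token, None)
    def api_oauth(self, resource, params, signature):
        tok = self.tokens.get(params.get("oauth_token"))
        if tok is None or tok["consumer"] != params.get("oauth_consumer_key"):
            raise PermissionError("unknown or revoked token")
        if params["oauth_nonce"] in self.nonces:
            raise PermissionError("replayed request")
        base = signature_base_string("GET", f"{API_BASE}/{resource}", params)
        if not hmac.compare_digest(hmac_sha1(base, self.consumers[tok["consumer"]], tok["secret"]), signature):
            raise PermissionError("bad signature")
        self.nonces.add(params["oauth_nonce"])
        return self._resource(resource, tok["user"], tok["scope"])

class ThirdPartyApp:  # the shiny new SNS that wants your contact list
    def __init__(self, provider):
        self.provider = provider
        self.consumer_key, self.consumer_secret = provider.register_consumer("shinysns")
        self.stored_passwords = {}  # what the anti-pattern leaves sitting in the app's database
    def import_with_password(self, user, password):
        self.stored_passwords[user] = password  # the app, and anyone who breaches it, now owns the account
        return self.provider.api_with_password("contacts", user, password)
    def call_with_oauth(self, resource, token, token_secret):
        params = {"oauth_consumer_key": self.consumer_key, "oauth_token": token, "oauth_version": "1.0",
                  "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())),
                  "oauth_nonce": secrets.token_hex(8)}
        base = signature_base_string("GET", f"{API_BASE}/{resource}", params)
        return self.provider.api_oauth(resource, params, hmac_sha1(base, self.consumer_secret, token_secret))

def allowed(call):
    try:
        return call() is not None
    except PermissionError:
        return False

def demo():
    """Run both paths and report what the app ended up able to do."""
    provider, out = Provider(), {}
    provider.register_user("alice", "correct horse")
    app = ThirdPartyApp(provider)
    out["password_contacts"] = app.import_with_password("alice", "correct horse")
    out["password_can_send_mail"] = allowed(lambda: provider.api_with_password(
        "send_mail", "alice", app.stored_passwords["alice"]))
    token, secret = provider.authorize("alice", "correct horse", app.consumer_key, "contacts:read")
    out["oauth_contacts"] = app.call_with_oauth("contacts", token, secret)
    out["oauth_can_send_mail"] = allowed(lambda: app.call_with_oauth("send_mail", token, secret))
    provider.revoke(token)
    out["oauth_after_revoke"] = allowed(lambda: app.call_with_oauth("contacts", token, secret))
    return out
```

Calling demo() shows the asymmetry: with the password the app reads the contacts but can equally send mail as the user, and that access lasts until the user changes the password at the provider; with the token the app gets the contacts, is refused mail:send because the token is scoped to contacts:read, and gets nothing once the user revokes the token at the provider, without the password ever leaving the provider. The nonce set and the constant-time signature comparison are the two checks a real provider would also need, so that a captured signed request cannot simply be replayed.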

Sure, OAuth is being implemented for smaller projects, but these are minor case studies at best. The development industry is littered with great concepts that failed to gain critical mass and were discarded by the wayside. Will OAuth be one of them? I hope not!

What can we do:

  • Stop using these quick contact-list import tools and wizards.
  • Tell the SNS that it’s the wrong way to do it.
  • Complain, bitch, suggest, make a noise so the big end of the web hears us.
  • Developers, don’t build password-based contact import; think of the moral implications.

