12 replies

  1. I agree with your points, thanks for the good post.

    I think the strength of OAuth/Social Login is that there are many users who just won’t bother to sign up for a service at all if they have to go through the process of setting up yet another separate username and password. If you are running some kind of social service, tying yourself into the Google or Facebook or Twitter OAuth infrastructure leaves you at the mercy of those companies in many respects, but it probably increases the chance that users in those spheres will give it a try by an order of magnitude.

    • Yes, definitely the acquisition of users is easier with social login. For most startups this argument usually trumps all issues of security (no point in securing users of a business that fails). But they certainly should pay attention to the ownership issue (whose users are they) when building a sustainable business.

  2. A very thoughtful post. Two-factor is probably the most secure means of user identification, regardless of OAuth or a security tended to by a development team. The simple fact is that unless you have very stringent controls around password generation, it is hard to prevent a user from using the same password over and over again. A user may even create “Irea11yL0veF@ceb00k!” as a strong password, yet unscrupulously use this everywhere and expose themselves and the systems they use.

    Two factor with a mobile component can alleviate some issues, but even Apple has announced that there is a critical security patch that fixes a grievous SSL error that exposes users to a man in the middle attack. This is quite staggering – the very foundational platforms that we use are full of holes.

    Again, great insight with your post.

  3. Very interesting! Is OpenID in any way more secure than OAuth? Does it reveal less information about users to the identity provider?

    • I believe the key difference with OpenID and OAuth is that OpenID focuses on identification only. That admittedly can be used as a form of authorization, though it probably shouldn’t.

      If used as full authorization then it likely suffers from the same issues listed here. If authorization is still an additional step (like extra password) then you at least counter the unauthorized access.

      You however don’t prevent the ID company from locking you out of an app. Perhaps the dynamics change however. The OpenID provider doesn’t know about apps, only about ID. So it can block an individual, but not an application.

      I’m unsure about the privacy and what information is leaked while using the OpenID protocol.

  4. Well, I disagree with a general statement that OAuth is bad.

    1. Security. People tend to reuse their passwords when signing up for different services. The more third-party sites know your passwords, the more likely that one of them will eventually be hacked and leak your passwords. Limiting the “circle of trust” helps lower that risk.

    Analogously, do you prefer sharing your credit card information with a random site to complete a purchase, or would you rather go through PayPal?

    2. Security (#2). Any site, not only your bank or a brokerage account, could benefit from out of band authentication. However, the vast majority of sites don’t go beyond the basic login/password, mainly because the costs of implementing and keeping up such security measures are significant. However, if your OAuth provider supports such perks (and they do!), you automatically benefit from their efforts of keeping your credentials protected.

    3. Privacy. Nothing prevents you from creating a “proxy” account at a “gmail”, entering bogus personal data and then using that account for all your non-essential logins.

    4. Speed and convenience. If you wanted to check out a website which asked for a login, would you rather fill out a lengthy form or just hand them your authentic or a “proxy account” OAuth token?

    While OAuth isn’t bullet-proof, it has brought us all tremendous value. The Internet is constantly offering ever more attractive services to try out. OAuth is a vehicle to move around quickly and with decent balance of privacy and security.

    • 1. Yes, people do reuse passwords. However, a big security issue is that Facebook/Twitter provide a listing of the services used by an account, such that a breach gains simple and easy access to all of these services. Additionally, these social accounts tend to remain logged in, even on public computers. The choice of OAuth provider here is the problem.

      2. Out of band is obviously good, but hurts the convenience of 4.

      3. Actually the big providers are trying to limit this ability. The requirement for a mobile number to sign up, or gain access to some services, is making it difficult to create alternate personalities. It is even forbidden by the terms of service of some providers.

      4. Personally I’m okay with email and password. Too many sites make this hard by requiring confirmation. This step should be removed. Most sites simply don’t need verification and should just accept my email/password information. I’d also be happy with using OAuth for identification only and providing my own password.

      A large part of my complaint of OAuth isn’t against the system itself, but rather the primary providers: social websites. These are absolutely the wrong entities to be providing this type of service. Many of the issues could be overcome with a well designed provider who focuses on security. It should then be this provider which even Twitter and Facebook use to login. The dynamic now is totally wrong and that leads to a lot of the issues.

  5. Terrific article, most comprehensive I found, after >1 hour searching. Thanks. One question–couldn’t the token be made app-specific? E.g., if I use OAuth for Facebook to log in to sleaze.com, that token only works for sleaze.com.

    (In case of any interest, here is my own post on the topic–really doesn’t say anything different than here, just much more simplified: http://bit.ly/1fOhtGz.)

    • The tokens are app specific: each authorized app via Facebook will get its own token. The issue of security is that somebody with access to the Facebook account can still easily get access to all of those applications by simply getting a new token.
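
The exchange the reply above describes, as an added example that is not part of the original post or its comments: a toy identity provider (an assumed, simplified stand-in for Facebook, not its real API) mints HMAC-signed tokens bound to a `client_id` audience, so a token for `photos.example` is rejected by `sleaze.com`; yet anyone holding the provider's session cookie (for instance from a public computer left logged in) can list the authorized apps and simply mint a fresh, valid token for any of them. The key, app names, user and the `authorize`/`verify_token` functions are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption for the demo: one HMAC key held by the identity provider (IdP).
IDP_SIGNING_KEY = b"idp-demo-signing-key-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class IdentityProvider:
    """Toy authorization server: one user account, many registered apps."""

    def __init__(self):
        self.sessions = {}         # session cookie -> user id
        self.registered_apps = set()
        self.issued = []           # (user, client_id), like the "apps you've authorized" page

    def register_app(self, client_id: str) -> None:
        self.registered_apps.add(client_id)

    def login(self, user: str) -> str:
        # Password verification omitted on purpose; the point is what a cookie buys you.
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = user
        return cookie

    def authorize(self, session_cookie: str, client_id: str) -> str:
        """Mint a token bound to (user, client_id). Any valid session can do this."""
        user = self.sessions.get(session_cookie)
        if user is None:
            raise PermissionError("no valid IdP session")
        if client_id not in self.registered_apps:
            raise ValueError("unknown client_id")
        payload = {"sub": user, "aud": client_id,
                   "iat": int(time.time()), "jti": secrets.token_hex(8)}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        tag = _b64(hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest())
        self.issued.append((user, client_id))
        return f"{body}.{tag}"

    def authorized_apps(self, session_cookie: str) -> list:
        user = self.sessions[session_cookie]
        return sorted({app for (u, app) in self.issued if u == user})


def verify_token(token: str, expected_aud: str):
    """Resource-server side: check the signature and that the token was minted for us."""
    body, tag = token.split(".", 1)
    expected = hmac.new(IDP_SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(tag), expected):
        return None
    payload = json.loads(_unb64(body))
    if payload.get("aud") != expected_aud:
        return None                      # app-specific: wrong audience is refused
    return payload["sub"]


def demo() -> dict:
    idp = IdentityProvider()
    for app in ("sleaze.com", "photos.example"):   # constructed app names
        idp.register_app(app)
    alice_cookie = idp.login("alice")
    t_sleaze = idp.authorize(alice_cookie, "sleaze.com")
    t_photos = idp.authorize(alice_cookie, "photos.example")

    results = {
        "sleaze_accepts_own_token": verify_token(t_sleaze, "sleaze.com"),
        "sleaze_rejects_photos_token": verify_token(t_photos, "sleaze.com"),
    }
    # Attacker finds the IdP session still logged in on a shared machine.
    stolen_cookie = alice_cookie
    results["listing_visible_to_attacker"] = idp.authorized_apps(stolen_cookie)
    fresh = idp.authorize(stolen_cookie, "sleaze.com")   # no password needed
    results["attacker_fresh_token_accepted"] = verify_token(fresh, "sleaze.com")
    results["attacker_token_is_new"] = fresh != t_sleaze
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Audience binding stops one app's token from being replayed at another, which is the property the question asks about; it does nothing against whoever holds the provider session, because a new token for any listed app is one request away.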

  6. As a user trying to improve his password management I’m trying to understand the risks of OAuth,
