Google opens up OAuth to tackle password chores Google has opened up a technology designed to cut back on the number of passwords users need to access multiple websites to web developers, effectively moving the technology into the mainstream after a restricted beta lasting almost a year. Plaxo, Facebook and Yahoo! signed up to support so-called "hybrid onboarding" …
From the linked google page:
"The website can also mark the email address as verified without having to send a traditional "email verification" link to the user."
In other words, accounts already compromised are given extra freedom with minimal effort from their script kiddie owners.
So we're now encouraged to have one set of credentials for the whole internet, what fun.
That means that if it's compromised my whole internet life is over. Just go to my OAuth host site, check out my "authorised" sites, then pretend to be me across the whole internet with ease... Then you can sign up for new services for me as well (an not even worry about being slowed down by having to authorise my email address)... then you can use my PayPal (OAuth as well of course...) and spend my money....
Just wait until SuperBankUK gets onboard... then you can get my salary before me... Whoo!
I can't wait!
This is like DejaVu all over again - Microsoft created Wallet/Passport/Live ID for much the same purpose. It's widely used by Microsoft sites, but hasn'treally taken off with other sites, probably because other sites don't really trust Microsoft with shared personal data like this.
This system may improve usability (less form filling/less emails to confirm email addresses/less passwords/usernames to remember but I cannot see how it will address the security concerns outlined in the article. Indeed, it could even make them worse.
The problem is, at the article noted, passwords. This system doesn't remove the need for a password.
If it is possible to work out someone's weak password, then use the same for other accounts, then this system is even worse.
Not only does it guarantee the user name will always be the same as well as the password (currently, usernames can vary from site to site) it also gives you the chance of trying multiple accounts. One of the screen shots in the 'hybrid onboarding' link shows and example site where you have the choice of using the site's native account, or an OpenID or a YahooID or a Google ID or a ClickPass ID. That's up to 5 chances to get the username/password correct, not just one.
Back to the drawing board, Google! Even Paris would see these flaws!
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
