OAuth and OAuth WRAP: defeating the password anti-pattern
Source: arsTechnica - Posted by Alex

Host Security

The developers behind the OAuth protocol have developed a new variant called OAuth WRAP that is simpler and easier to implement. It's a stop-gap solution that will enable broader OAuth adoption while OAuth 2.0, the next generation of the specification, is devised by a working group that is collaborating through the Internet Engineering Task Force (IETF).

Understanding the password anti-pattern

Many popular Web applications allow third-party software to access their underlying services through open APIs. This enables the development of Web mashups and mobile and desktop client applications. Although these open APIs bring a lot of value to the Web and make it possible for various services to interoperate in important ways, it can be difficult to make this functionality available in a manner that safeguards the security of end users.

The APIs often require authentication for sensitive or user-specific features. For example, in order for a desktop application to be able to access a user's account on a hypothetical Web service, the user must first supply the application with their login credentials. The application can only access the user's account if it transmits the user's credentials to the server.

Although this form of simple login-based authentication is very easy to implement, it creates a tremendous number of problems. One of the biggest issues is that there is no easy way for the user to revoke access permissions from an individual application. It can be especially difficult to remove your credentials from third-party Web applications, which you can't just uninstall.
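The revocation problem above, shown side by side with the per-application token model that OAuth-style delegated access provides. This is an added illustration, not code from the Ars Technica article; the two in-memory services, the user "alice", and the sample password are constructed for the example.

```python
"""Added illustration (hypothetical services, constructed sample data): a
password shared with every app cannot be revoked per app, whereas one
opaque token per (user, app) can be."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class PasswordService:
    """Anti-pattern: every third-party app presents the user's own password."""
    users: dict  # username -> password (constructed sample data)

    def access(self, username, password):
        # Any holder of the password gets in; the service cannot tell apps apart.
        return hmac.compare_digest(self.users.get(username, ""), password)

    def revoke_app(self, username, app):
        # The only lever is a password change, which cuts off *every* app at once.
        self.users[username] = secrets.token_urlsafe(16)


@dataclass
class TokenService:
    """Delegated access: one opaque token per (user, app), revocable individually."""
    users: dict
    tokens: dict = field(default_factory=dict)  # token -> (username, app)

    def authorize(self, username, password, app):
        # The user proves identity to the service directly; the app never sees the password.
        if not hmac.compare_digest(self.users.get(username, ""), password):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (username, app)
        return token

    def access(self, token):
        return token in self.tokens

    def revoke_app(self, username, app):
        # Remove only the tokens issued to this app; other apps keep working.
        for t, (u, a) in list(self.tokens.items()):
            if u == username and a == app:
                del self.tokens[t]


def demo():
    users = {"alice": "hunter2"}  # constructed sample credentials
    pw = PasswordService(dict(users))
    pw.revoke_app("alice", "mobile")  # meant to cut off one app only...
    pw_after = (pw.access("alice", "hunter2"), pw.access("alice", "hunter2"))
    tk = TokenService(dict(users))
    t_mobile = tk.authorize("alice", "hunter2", "mobile")
    t_desktop = tk.authorize("alice", "hunter2", "desktop")
    tk.revoke_app("alice", "mobile")
    return {"password_model": pw_after,
            "token_model": (tk.access(t_mobile), tk.access(t_desktop))}
```

In the password model both the "mobile" and "desktop" apps lose access after the revocation; in the token model only the mobile token is invalidated.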

Read this full article at arsTechnica
