Over the past couple of years, a small but dedicated group of developers has been pushing a new protocol for signing users in called OAuth. Strictly speaking, OAuth is a delegated-authorization protocol: it lets a third-party application act on a user's account at another site without ever holding the user's password, and it is increasingly used as a login mechanism on the strength of that. While it has some benefits, its limitations are crippling.
The goal of OAuth is to make a login system more secure by limiting who ever sees your username and password. You authenticate with a system external to the application you are using, that system hands the application a token, and the idea is that your data is safer because the application never had your credentials. Unfortunately, OAuth was clearly developed without much regard for real-world problems. Here are a few reasons why OAuth is destined to fail:
- Horrible User Experience - In a world where something as simple as changing a font or button color produces noticeable changes in user behavior, asking a user to jump through the hoops OAuth requires is unrealistic. For web apps it adds multiple steps to the login process, and the experience is even worse for desktop apps. It also closely resembles the phishing sites we desperately warn our non-technical friends to watch out for: the user is redirected to a different page and asked to type a password into it, and the only cue that the page is genuine is the address bar. Keep in mind that the applications people consider most secure (online banking, tax software, email, etc.) NEVER redirect the user to a different site to enter login info.
- No Consideration for Desktop Applications - While web-based apps are growing in popularity, desktop apps still dominate in most industries. The OAuth flow is built around a browser redirect, so a desktop or mobile app has to either launch a browser and then somehow get the result back, or embed a web view, which defeats the point of not trusting the app with the login page. Whether it's an app on your home PC or an app on your iPhone, the OAuth experience sucks.
- OAuth is far from perfect - An ambitious hacker can get information via OAuth without much more effort than with other authentication methods. Once you have logged in, there is nothing to stop an application from collecting additional data in the background without your knowledge, for as long as its token is valid and within whatever scope you granted it (and users rarely read the scope they are granting). There is also nothing to prevent an attack against, or a data breach at, the OAuth provider, which now holds the credentials for every application that relies on it.
- It takes power from vendors, but not from hackers - The main goal of OAuth is to keep nefarious people from getting your precious login credentials. However, many OAuth providers still serve their login page over plain HTTP, so your credentials are transmitted in the clear anyway. Rather than my app sending your credentials via Basic Auth, the browser sends them to the provider via an HTTP POST. Without TLS on both ends, the chances of a request being intercepted from a browser or from an app are about the same.
While I completely understand the concept behind OAuth, it's just never going to catch on. There is no such thing as a 100% secure system, and there are plenty of approaches that are just as secure as OAuth. In the end, OAuth doesn't solve any real security problems and shifts a lot of work onto developers. I don't mind putting in the extra work, but OAuth replaces a few lines of code with 1MB of DLLs and a bunch of UX headaches for an illusion of security.