Twitter and the Password Anti-Pattern


I’ve written about the password anti-pattern before, and have, with regards to Twitter, advocated for the adoption of some form of delegated authentication solution for some while.

It’s not as if Twitter or lead developer Alex Payne aren’t aware of the need for such a solution (in fact, it’s not only been publicly recognized (and is Issue #2 in their API issue queue), but the solution will be available as part of a “beta” program shortly). The problem is that it’s taken so long for Twitter’s “password anti-pattern” problem to get the proper attention that it deserves (Twitter acknowledged that they were moving to OAuth last August) that unsuspecting Twitter users have now exposed themselves (i.e. Twitter credentials) to the kind of threat we knew was there all along.

This isn’t the first time either, and it probably won’t be the last, at least until Twitter changes the way third party services access user accounts.

Rather than focus on Twply (which others have done, and whose evidence still lingers), I thought I’d talk about why this is an important problem, what solutions are available, why Twitter hasn’t adopted them and then look at what should happen here.

The results of the OpenID Board election are in!

I received an SMS from Michael Richardson this morning (around 8am here in Hawaii) congratulating me on my election to the board of the OpenID Foundation. It seems fitting that I should receive first word from him, since, as the Karl Rove of my campaign, he came up with the “kind of a big deal” slogan from Anchorman.

Anyway, I’m thrilled about the outcome of the election and am looking forward to working with Snorri Giorgetti, Nat Sakimura, David Recordon, (each of whom received two year terms along with me) and Eric Sachs, Scott Kveton, and Brian Kissel (who received one year terms).

I’m also pleased that 80% of the 217 foundation members voted in the first-ever OpenID election. We’ve obviously got a lot of work ahead of us, but I’m very confident that we’ll make great strides in 2009.

OpenID usability is not an oxymoron

Julie Zhou of Facebook discusses usability findings from Facebook Connect. Photo © John McCrea. All rights reserved.

See? We're working on this! Monday last week marked the first ever OpenID UX Summit at Yahoo! in Sunnyvale with over 40 in attendance. Representatives came from MySpace, Facebook, Google, Yahoo!, Vidoop, Janrain, Six Apart, AOL, Chimp, Magnolia, Microsoft, Plaxo, Netmesh, Internet 2 and Liberty Alliance to debate and discuss how best to make implementations of the protocol easier to use and more familiar.

John McCrea covered the significance of the summit on TechCrunchIT (and recognized Facebook’s welcomed participation) and has a good overall summary on his blog.

While the summit was a long-overdue step towards addressing the clear usability issues directly inhibiting the spread of OpenID, there are four additional areas that I think need more attention. I’ll address each separately.

OpenID on the iPhone


I helped lead a session on Saturday at iPhoneDevCamp on the topic of OpenID and OAuth (a new protocol a group of us have been developing) to a packed room of developers, designers and interested parties.

My basic premise was that if you’re going to be developing an application for the iPhone that has any kind of account or social functionality that you should dispense with creating yet another identity silo and instead make use of OpenID. Among the reasons I cited:

  • Safari on the iPhone doesn’t have a password manager like 1Passwd and won’t be able to import all the Firefox passwords you’ve been recording for years. And, as mobile web browsers become more powerful, remembering web service account credentials will become more important (and more of a burden). Better to make it easy on your customers — one OpenID URL, one username and password.
  • If you’ve logged in with OpenID on a web service on your desktop or laptop and have set your provider to always allow you to log in automatically, logging in on the iPhone will only require you to log in to your OpenID provider and then enter your URL once for every web service that you want to log in to. This means that you avoid the challenge of invisibly typing in your password over and over on the error-prone touchscreen keyboard.
  • The ability to cross-pollinate authenticated data using a combination of OpenID and OAuth while remote will be increasingly valuable, especially if the expectation is that applications are going to be entirely web-driven. When you’re dealing with desktop apps, you’re operating off a hard drive with known permissions; when you’re passing between web apps, the permission model is radically different and, just as when you go to check out from Amazon you always have to authenticate, developing patterns for this experience between web apps needs refinement. OpenID can help smooth out that interaction.

Lastly, there is work going on (okay, I’m doing it so far) to make the OpenID login experience on the iPhone (and elsewhere) trump any kind of old school login system available. This obviously needs a lot of work and new thinking (maybe instead of authenticating by typing a password you have to SMS a unique shortcode, etc) but I think your money should be on OpenID if you’re going to be developing account-based web applications on the iPhone — or — generally.