Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo


Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

As online services that make use of personal data multiply, it’s becoming more common for users to need to pass data from one service to another. This often requires users to hand over usernames and passwords, in spite of the obvious security risks involved. A new open-source project called OAuth, released earlier this month, is intended to solve this problem by allowing users to give services a valet key to their identities, rather than full access.

Chris Messina, who helped organize the production of OAuth, says that the system will “give people control over the way that they broker their data through Web services, and also help them be a little more secure.” The system allows a user to obtain a token through one site and pass it to another. The token then dictates what the second site can access, and in what way. To achieve this, the protocol has to define standard ways for sites to identify data and specify what they’re going to do with it. To work, OAuth requires both sites to have implemented the protocol. The user does not have to be aware of it.

Along with Messina, Blaine Cook of Twitter and Larry Halff of Ma.gnolia worked to start the project.

Handing over usernames and passwords is an increasingly common feature of social-networking sites, including well-known sites such as Facebook and LinkedIn. At the initial sign-up phase, a site asks the user to enter the credentials for her e-mail accounts so that it can search for people she might know. It’s also typical for sites to provide an opportunity for users to invite their existing contacts to join the network as well. But Messina says that there’s another, unintended result of the practice: “It’s training the user to pass around usernames and passwords like confetti,” he says.

Eran Hammer-Lahav, who served as the editor for the core OAuth specification, says that a cautionary tale came earlier this year when a social-networking site called Quechup used its access to e-mail accounts through this feature to send invitations to every single person in a new user’s contacts list. Even worse, to many people, the e-mails appeared to originate from the user, rather than from the company. Hammer-Lahav says that the warning is directed less at a particular site than at a system that needs improvement. “The core is really about what we call the love triangle,” he says. The love triangle, he explains, is the relationship between the user and the two Web services that need to share data.

He adds that it’s now becoming common for financial-management sites such as Mint to ask for passwords in order to aggregate information for users. In addition to posing a security risk, Hammer-Lahav says, it’s actually not the best way for sites to share information. The aggregator sites often have to scrape financial information off banking pages by training their software to seek certain clues in the page source that signal key pieces of data. The problem, he says, is that if the bank redesigns the look of a page, those clues might change, rendering the aggregator unable to read the information. A system such as OAuth, Hammer-Lahav says, allows the sites to share information directly.

The idea of this type of system is not new, says Terrell Russell, cofounder of the online identity-management system ClaimID. Google, for example, has an existing proprietary protocol that has capabilities similar to those of OAuth. However, Russell says, the lack of a single standard hampers developers and encourages them to ask for usernames and passwords. Russell says that solving the problem of allowing Web services to safely share data will only become more important as more data migrates to the Web.

OAuth is being implemented by Twitter and Ma.gnolia, and portions of the standard appear in Google’s OpenSocial platform. Although the initial release is a core protocol containing the basics of exchanging tokens between sites, Hammer-Lahav says that later releases will give users finer control over how they grant access to their data.

0 comments about this story. Start the discussion »

Credit: Chris Messina, OAuth

Tagged: Web, Google, Twitter, open source

Reprints and Permissions | Send feedback to the editor

From the Archives


Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me