We noticed you're browsing in private or incognito mode.

To continue reading this article, please exit incognito mode or log in.

Not an Insider? Subscribe now for unlimited access to online articles.

A Valet Key for Your Identity

A new standard aims to help users pass information between Web services without sharing full access to their identities.

As online services that make use of personal data multiply, it’s becoming more common for users to need to pass data from one service to another. This often requires users to hand over usernames and passwords, in spite of the obvious security risks involved. A new open-source project called OAuth, released earlier this month, is intended to solve this problem by allowing users to give services a valet key to their identities, rather than full access.

Token access: Web services can use OAuth to share sensitive data without forcing a user to give full access to her identity. The diagram above maps the flow of requests as the services ask for data and authorization from each other.

Chris Messina, who helped organize the production of OAuth, says that the system will “give people control over the way that they broker their data through Web services, and also help them be a little more secure.” The system allows a user to obtain a token through one site and pass it to another. The token then dictates what the second site can access, and in what way. To achieve this, the protocol has to define standard ways for sites to identify data and specify what they’re going to do with it. To work, OAuth requires both sites to have implemented the protocol. The user does not have to be aware of it.

Along with Messina, Blaine Cook of Twitter and Larry Halff of Ma.gnolia worked to start the project.

Handing over usernames and passwords is an increasingly common feature of social-networking sites, including well-known sites such as Facebook and LinkedIn. At the initial sign-up phase, a site asks the user to enter the credentials for her e-mail accounts so that it can search for people she might know. It’s also typical for sites to provide an opportunity for users to invite their existing contacts to join the network as well. But Messina says that there’s another, unintended result of the practice: “It’s training the user to pass around usernames and passwords like confetti,” he says.


Eran Hammer-Lahav, who served as the editor for the core OAuth specification, says that a cautionary tale came earlier this year when a social-networking site called Quechup used its access to e-mail accounts through this feature to send invitations to every single person in a new user’s contacts list. Even worse, to many people, the e-mails appeared to originate from the user, rather than from the company. Hammer-Lahav says that the warning is directed less at a particular site than at a system that needs improvement. “The core is really about what we call the love triangle,” he says. The love triangle, he explains, is the relationship between the user and the two Web services that need to share data.

He adds that it’s now becoming common for financial-management sites such as Mint to ask for passwords in order to aggregate information for users. In addition to posing a security risk, Hammer-Lahav says, it’s actually not the best way for sites to share information. The aggregator sites often have to scrape financial information off banking pages by training their software to seek certain clues in the page source that signal key pieces of data. The problem, he says, is that if the bank redesigns the look of a page, those clues might change, rendering the aggregator unable to read the information. A system such as OAuth, Hammer-Lahav says, allows the sites to share information directly.

The idea of this type of system is not new, says Terrell Russell, cofounder of the online identity-management system ClaimID. Google, for example, has an existing proprietary protocol that has capabilities similar to those of OAuth. However, Russell says, the lack of a single standard hampers developers and encourages them to ask for usernames and passwords. Russell says that solving the problem of allowing Web services to safely share data will only become more important as more data migrates to the Web.

OAuth is being implemented by Twitter and Ma.gnolia, and portions of the standard appear in Google’s OpenSocial platform. Although the initial release is a core protocol containing the basics of exchanging tokens between sites, Hammer-Lahav says that later releases will give users finer control over how they grant access to their data.

Be the leader your company needs. Implement ethical AI.
Join us at EmTech Digital 2019.

Register now
Want more award-winning journalism? Subscribe to Insider Plus.
  • Insider Plus {! insider.prices.plus !}*

    {! insider.display.menuOptionsLabel !}

    Everything included in Insider Basic, plus the digital magazine, extensive archive, ad-free web experience, and discounts to partner offerings and MIT Technology Review events.

    See details+

    Print + Digital Magazine (6 bi-monthly issues)

    Unlimited online access including all articles, multimedia, and more

    The Download newsletter with top tech stories delivered daily to your inbox

    Technology Review PDF magazine archive, including articles, images, and covers dating back to 1899

    10% Discount to MIT Technology Review events and MIT Press

    Ad-free website experience

You've read of three free articles this month. for unlimited online access. You've read of three free articles this month. for unlimited online access. This is your last free article this month. for unlimited online access. You've read all your free articles this month. for unlimited online access. You've read of three free articles this month. for more, or for unlimited online access. for two more free articles, or for unlimited online access.