Feeds

Google opens up OAuth to tackle password chores

Cleverness to dispose of onerous task of logging in

Beginner's guide to SSL certificates

Google has opened up a technology designed to cut back on the number of passwords users need to access multiple websites to web developers, effectively moving the technology into the mainstream after a restricted beta lasting almost a year.

Plaxo, Facebook and Yahoo! signed up to support so-called "hybrid onboarding" technology that combines OpenID log-ins with OAuth data swapping at various times since the start of 2009.

Support of the technology means that rather than creating a Plaxo account from scratch, for example, Gmail users can log into their webmail account to authorise the export of profile and contacts data over to Plaxo. Much the same process occurs in responding to requests to establish a Facebook profile sent to a Yahoo! webmail account since late September.

The technology is designed to make the sign-up process less of a chore for users while helping to cut down on the need to maintain numerous passwords for multiple sites. Eric Sachs, product manager at Google Security, explains the approach also confers security benefits.

"The hybrid onboarding model improves authentication security because websites like Plaxo that use this technique never see a password from you at all," Sachs writes. "Since you don't have to enter your password on additional sites, your password remains closer to you and is less likely to be misused."

On Tuesday Google released its login flow designs to the general population of website operators, explaining "all of these hybrid onboarding techniques are based on industry standards that both Google and Yahoo! support, and that other email providers are beginning to support as well". There's further details on how web developers can enrol onto the scheme here.

Graham Cluley, senior technology consultant at Sophos, who has taken a close interest in issues about password security over recent months, sounded a note of caution about the proposals. Sophos supports OAuth data swapping in general, because it means users do not have to divulge passwords when exporting data between web accounts.

Cluley warned, however, that more widespread use of "hybrid onboarding" creates the potential for miscreants to set up sites designed to trick users into handing over contact data and the like from Gmail accounts under the guise of an accredited programme. "In general the approach is positive but its potential for abuse to harvest spamming lists or similar attacks is a concern," he said. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.