Feeds

Google opens up OAuth to tackle password chores

Cleverness to dispose of onerous task of logging in

Choosing a cloud hosting partner with confidence

Google has opened up a technology designed to cut back on the number of passwords users need to access multiple websites to web developers, effectively moving the technology into the mainstream after a restricted beta lasting almost a year.

Plaxo, Facebook and Yahoo! signed up to support so-called "hybrid onboarding" technology that combines OpenID log-ins with OAuth data swapping at various times since the start of 2009.

Support of the technology means that rather than creating a Plaxo account from scratch, for example, Gmail users can log into their webmail account to authorise the export of profile and contacts data over to Plaxo. Much the same process occurs in responding to requests to establish a Facebook profile sent to a Yahoo! webmail account since late September.

The technology is designed to make the sign-up process less of a chore for users while helping to cut down on the need to maintain numerous passwords for multiple sites. Eric Sachs, product manager at Google Security, explains the approach also confers security benefits.

"The hybrid onboarding model improves authentication security because websites like Plaxo that use this technique never see a password from you at all," Sachs writes. "Since you don't have to enter your password on additional sites, your password remains closer to you and is less likely to be misused."

On Tuesday Google released its login flow designs to the general population of website operators, explaining "all of these hybrid onboarding techniques are based on industry standards that both Google and Yahoo! support, and that other email providers are beginning to support as well". There's further details on how web developers can enrol onto the scheme here.

Graham Cluley, senior technology consultant at Sophos, who has taken a close interest in issues about password security over recent months, sounded a note of caution about the proposals. Sophos supports OAuth data swapping in general, because it means users do not have to divulge passwords when exporting data between web accounts.

Cluley warned, however, that more widespread use of "hybrid onboarding" creates the potential for miscreants to set up sites designed to trick users into handing over contact data and the like from Gmail accounts under the guise of an accredited programme. "In general the approach is positive but its potential for abuse to harvest spamming lists or similar attacks is a concern," he said. ®

Beginner's guide to SSL certificates

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.