Feeds

Google opens up OAuth to tackle password chores

Cleverness to dispose of onerous task of logging in

Intelligent flash storage arrays

Google has opened up a technology designed to cut back on the number of passwords users need to access multiple websites to web developers, effectively moving the technology into the mainstream after a restricted beta lasting almost a year.

Plaxo, Facebook and Yahoo! signed up to support so-called "hybrid onboarding" technology that combines OpenID log-ins with OAuth data swapping at various times since the start of 2009.

Support of the technology means that rather than creating a Plaxo account from scratch, for example, Gmail users can log into their webmail account to authorise the export of profile and contacts data over to Plaxo. Much the same process occurs in responding to requests to establish a Facebook profile sent to a Yahoo! webmail account since late September.

The technology is designed to make the sign-up process less of a chore for users while helping to cut down on the need to maintain numerous passwords for multiple sites. Eric Sachs, product manager at Google Security, explains the approach also confers security benefits.

"The hybrid onboarding model improves authentication security because websites like Plaxo that use this technique never see a password from you at all," Sachs writes. "Since you don't have to enter your password on additional sites, your password remains closer to you and is less likely to be misused."

On Tuesday Google released its login flow designs to the general population of website operators, explaining "all of these hybrid onboarding techniques are based on industry standards that both Google and Yahoo! support, and that other email providers are beginning to support as well". There's further details on how web developers can enrol onto the scheme here.

Graham Cluley, senior technology consultant at Sophos, who has taken a close interest in issues about password security over recent months, sounded a note of caution about the proposals. Sophos supports OAuth data swapping in general, because it means users do not have to divulge passwords when exporting data between web accounts.

Cluley warned, however, that more widespread use of "hybrid onboarding" creates the potential for miscreants to set up sites designed to trick users into handing over contact data and the like from Gmail accounts under the guise of an accredited programme. "In general the approach is positive but its potential for abuse to harvest spamming lists or similar attacks is a concern," he said. ®

Remote control for virtualized desktops

More from The Register

next story
UK smart meters arrive in 2020. Hackers have ALREADY found a flaw
Energy summit bods warned of free energy bonanza
DRUPAL-OPCALYPSE! Devs say best assume your CMS is owned
SQLi hole was hit hard, fast, and before most admins knew it needed patching
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Mozilla releases geolocating WiFi sniffer for Android
As if the civilians who never change access point passwords will ever opt out of this one
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
Simplify SSL certificate management across the enterprise
Simple steps to take control of SSL across the enterprise, and recommendations for a management platform for full visibility and single-point of control for these Certificates.