Feeds

Google opens up OAuth to tackle password chores

Cleverness to dispose of onerous task of logging in

High performance access to file storage

Google has opened up a technology designed to cut back on the number of passwords users need to access multiple websites to web developers, effectively moving the technology into the mainstream after a restricted beta lasting almost a year.

Plaxo, Facebook and Yahoo! signed up to support so-called "hybrid onboarding" technology that combines OpenID log-ins with OAuth data swapping at various times since the start of 2009.

Support of the technology means that rather than creating a Plaxo account from scratch, for example, Gmail users can log into their webmail account to authorise the export of profile and contacts data over to Plaxo. Much the same process occurs in responding to requests to establish a Facebook profile sent to a Yahoo! webmail account since late September.

The technology is designed to make the sign-up process less of a chore for users while helping to cut down on the need to maintain numerous passwords for multiple sites. Eric Sachs, product manager at Google Security, explains the approach also confers security benefits.

"The hybrid onboarding model improves authentication security because websites like Plaxo that use this technique never see a password from you at all," Sachs writes. "Since you don't have to enter your password on additional sites, your password remains closer to you and is less likely to be misused."

On Tuesday Google released its login flow designs to the general population of website operators, explaining "all of these hybrid onboarding techniques are based on industry standards that both Google and Yahoo! support, and that other email providers are beginning to support as well". There's further details on how web developers can enrol onto the scheme here.

Graham Cluley, senior technology consultant at Sophos, who has taken a close interest in issues about password security over recent months, sounded a note of caution about the proposals. Sophos supports OAuth data swapping in general, because it means users do not have to divulge passwords when exporting data between web accounts.

Cluley warned, however, that more widespread use of "hybrid onboarding" creates the potential for miscreants to set up sites designed to trick users into handing over contact data and the like from Gmail accounts under the guise of an accredited programme. "In general the approach is positive but its potential for abuse to harvest spamming lists or similar attacks is a concern," he said. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.