Google opens up OAuth to tackle password chores
Cleverness to dispose of onerous task of logging in
Google has opened up a technology designed to cut back on the number of passwords users need to access multiple websites to web developers, effectively moving the technology into the mainstream after a restricted beta lasting almost a year.
Plaxo, Facebook and Yahoo! signed up to support so-called "hybrid onboarding" technology that combines OpenID log-ins with OAuth data swapping at various times since the start of 2009.
Support of the technology means that rather than creating a Plaxo account from scratch, for example, Gmail users can log into their webmail account to authorise the export of profile and contacts data over to Plaxo. Much the same process occurs in responding to requests to establish a Facebook profile sent to a Yahoo! webmail account since late September.
The technology is designed to make the sign-up process less of a chore for users while helping to cut down on the need to maintain numerous passwords for multiple sites. Eric Sachs, product manager at Google Security, explains the approach also confers security benefits.
"The hybrid onboarding model improves authentication security because websites like Plaxo that use this technique never see a password from you at all," Sachs writes. "Since you don't have to enter your password on additional sites, your password remains closer to you and is less likely to be misused."
On Tuesday Google released its login flow designs to the general population of website operators, explaining "all of these hybrid onboarding techniques are based on industry standards that both Google and Yahoo! support, and that other email providers are beginning to support as well". There's further details on how web developers can enrol onto the scheme here.
Graham Cluley, senior technology consultant at Sophos, who has taken a close interest in issues about password security over recent months, sounded a note of caution about the proposals. Sophos supports OAuth data swapping in general, because it means users do not have to divulge passwords when exporting data between web accounts.
Cluley warned, however, that more widespread use of "hybrid onboarding" creates the potential for miscreants to set up sites designed to trick users into handing over contact data and the like from Gmail accounts under the guise of an accredited programme. "In general the approach is positive but its potential for abuse to harvest spamming lists or similar attacks is a concern," he said. ®
So what's changed?
This is like DejaVu all over again - Microsoft created Wallet/Passport/Live ID for much the same purpose. It's widely used by Microsoft sites, but hasn'treally taken off with other sites, probably because other sites don't really trust Microsoft with shared personal data like this.
This system may improve usability (less form filling/less emails to confirm email addresses/less passwords/usernames to remember but I cannot see how it will address the security concerns outlined in the article. Indeed, it could even make them worse.
The problem is, at the article noted, passwords. This system doesn't remove the need for a password.
If it is possible to work out someone's weak password, then use the same for other accounts, then this system is even worse.
Not only does it guarantee the user name will always be the same as well as the password (currently, usernames can vary from site to site) it also gives you the chance of trying multiple accounts. One of the screen shots in the 'hybrid onboarding' link shows and example site where you have the choice of using the site's native account, or an OpenID or a YahooID or a Google ID or a ClickPass ID. That's up to 5 chances to get the username/password correct, not just one.
Back to the drawing board, Google! Even Paris would see these flaws!
One passwod to find them
and in the darkness root* them.
*now now children, I mean in the IT-security sense.
You should use different password on different sites to stop one site's compromise giving access to all other sites.
OpenID and equivalents remove the password - the sites no longer have it.
Of course, if your OpenID site is compromised, you're fucked.