So I’m a big supporter of OpenID and OAuth, but sometimes I have to agree with big companies like Google that these technologies are really confusing to end users. The problem is that people don’t understand these technologies, and while they shouldn’t have to, that gap does allow some people to take advantage of the less tech-savvy amongst us.
Take Twitter for example, which fairly recently finally added OAuth to its product so that we no longer have to give out our username and password to every funny little Twitter tool. Twitter’s implementation has no granularity in the OAuth authorisation, which leads to people signing away full read/write permission to their account when they use their Twitter account to log in to a game.
Yes, you read that right: developers use Twitter’s OAuth to let people authenticate themselves. It seems not everyone understands the difference between authentication and authorisation. This obviously leads to some developers abusing this newfound power to do evil, much like the early Facebook App developers used the permissions they got from you to spam all your friends with invites to come and join that app you looked at once.
I agree that OAuth is a great technology, but it is inevitably going to get a bad name when companies like Twitter don’t implement it correctly. We could go and educate the user, but I think that’s an impossible undertaking that would be better avoided. OAuth (and actually OpenID similarly) faces a real problem when it comes to user experience that needs to be solved. I guess I’m not the first one talking about this, but I’m wondering if there even is a solution.