I had received an email update from Twitter yesterday informing me about two important updates which relate to their authentication process.

The 2nd update is the provision of a new, simplified URL link-wrapping service, coupled with a Twitter website authentication process to protect users from malware. That's decent.

However, the 1st update irked me.

The 1st update is the mandatory adoption of an authentication technology called "OAuth". It is to be used in all Twitter desktop and mobile clients for access to your Twitter user account. OAuth is an emerging authentication standard adopted by a large number of social networking services.

The OAuth standard defines a key step in the handover of a user's info to a third-party application, and it also allows users to selectively revoke the said application's access to their account info.

Currently, the Basic Authentication process involves providing a desktop application with a username and password to access the web-based service. This is an all-or-nothing access system: complete access to the user's account is granted by a mere username and password. The problem arises when this login info is compromised, bringing about a security breach. Currently there is no way to disable a third-party application with the Basic Authentication method.

The OAuth protocol intends to make the authentication process more secure.
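To make the contrast concrete, here is an added example (not code from the original post, and not Twitter's implementation) of the OAuth 1.0a request-signing flow that replaces the Basic Authentication model described above. The client proves possession of a consumer secret and a per-application token secret with an HMAC-SHA1 signature, so the user's password never travels with the request, and the server can revoke a single application's token without touching the password or other applications. The credentials, endpoint URL and `TokenStore` design are constructed for illustration; the signing rules follow RFC 5849.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

# Constructed placeholder credentials; not real Twitter keys.
CONSUMER_KEY = "example-app-key"
CONSUMER_SECRET = "example-app-secret"


def pct(value):
    """Percent-encode per RFC 3986 as OAuth 1.0a requires (unreserved chars only)."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """Build the OAuth 1.0a signature base string: METHOD&URL&normalized-params."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string, keyed with both secrets joined by '&'."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, params, consumer_key, consumer_secret, token, token_secret):
    """Client side: attach oauth_* parameters and a signature. No password is involved."""
    signed = dict(params)
    signed.update({
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time())),
        "oauth_nonce": secrets.token_hex(8),
        "oauth_version": "1.0",
    })
    base = signature_base_string(method, url, signed)
    signed["oauth_signature"] = hmac_sha1_signature(base, consumer_secret, token_secret)
    return signed


class TokenStore:
    """Server side: per-application access tokens a user can revoke (assumed design)."""

    def __init__(self, consumers):
        self._consumers = dict(consumers)   # consumer_key -> consumer_secret
        self._tokens = {}                   # token -> record
        self._seen_nonces = set()           # (consumer_key, nonce) pairs already accepted

    def issue(self, user, consumer_key):
        """Issue a token after the user approves the application."""
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self._tokens[token] = {"user": user, "consumer_key": consumer_key,
                               "secret": secret, "revoked": False}
        return token, secret

    def revoke(self, token):
        """Cut off one application; the user's password and other tokens are untouched."""
        self._tokens[token]["revoked"] = True

    def verify(self, method, url, params):
        """Return the acting user for a valid signed request, else None."""
        rec = self._tokens.get(params.get("oauth_token"))
        consumer_key = params.get("oauth_consumer_key")
        presented = params.get("oauth_signature")
        if rec is None or rec["revoked"] or rec["consumer_key"] != consumer_key or presented is None:
            return None
        consumer_secret = self._consumers.get(consumer_key)
        if consumer_secret is None:
            return None
        unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
        expected = hmac_sha1_signature(signature_base_string(method, url, unsigned),
                                       consumer_secret, rec["secret"])
        if not hmac.compare_digest(presented, expected):
            return None
        nonce_id = (consumer_key, params.get("oauth_nonce"))
        if nonce_id in self._seen_nonces:   # replay of an already-accepted request
            return None
        self._seen_nonces.add(nonce_id)
        return rec["user"]


def demo():
    """Issue a token, then try a tampered, a valid, a replayed and a post-revocation request."""
    store = TokenStore({CONSUMER_KEY: CONSUMER_SECRET})
    token, token_secret = store.issue("alice", CONSUMER_KEY)
    url = "https://api.example.invalid/1/statuses/update"   # constructed endpoint
    req = sign_request("POST", url, {"status": "hello"},
                       CONSUMER_KEY, CONSUMER_SECRET, token, token_secret)
    tampered = store.verify("POST", url, dict(req, status="changed"))   # signature mismatch
    accepted = store.verify("POST", url, req)
    replayed = store.verify("POST", url, req)                           # same nonce, rejected
    store.revoke(token)
    fresh = sign_request("POST", url, {"status": "again"},
                         CONSUMER_KEY, CONSUMER_SECRET, token, token_secret)
    after_revoke = store.verify("POST", url, fresh)
    return tampered, accepted, replayed, after_revoke


if __name__ == "__main__":
    print(demo())   # (None, 'alice', None, None)
```

The nonce set and the revocation flag are the two server-side controls that Basic Authentication cannot offer: a leaked request cannot be replayed, and a single misbehaving application can be cut off while the password stays private and unchanged. A production server would also bound `oauth_timestamp` to a short window and expire nonces accordingly, which this example omits.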

However, the process is a cumbersome one from the developer's perspective. The current OAuth standard also increases susceptibility to phishing, a matter of concern for end users.

The current version of the OAuth protocol (version 1.0a) is a poor implementation of the protocol, and this is the version being adopted by Twitter.

Whilst Twitter has made some provisions to increase its security measures with OAuth 1.0a, there are more cons than pros with this implementation.

I am concerned and I will be somewhat guarded using my Twitter account in the near future.

Ars Technica has two good articles on this issue. They are somewhat technical but worth the read for those who intend to understand this protocol further. It has important long-term implications for those who are active users of web-based services.

The articles can be accessed via these links:
