Microblogging service Twitter’s habit of playing fast and loose with user passwords may be coming to an end, if a technical trial started today can be successfully implemented by its development team. Earlier this month, the company saw the accounts of users from Barack Obama to Fox News to Britney Spears get “hacked.” More importantly, millions of Twitter users hand out their passwords to strangers every day, because there’s no other way to access the fabulous ecosystem of applications built on top of the famous Twitter data platform, or API.
Today Twitter opened up trial access to a new user sign-in protocol for third party developers – until it was swamped by demand and the trial was closed just two hours later. This isn’t just a geek story, though, this could impact all users of Twitter and other sites all around the web.
The solution being explored (called OAuth) could not only make the much-watched Twitter more secure, it could help usher in an era where effective user security enables an explosion of mashups across every website we store our data in. Twitter is planning its own showcase of trusted applications, but this could be an important part of an even bigger story.
Hi, It’s Nice to Meet You – Can I Have the Keys to Your House?
Twitter’s hype and VC fortunes are largely founded on interfaces on desktops, iPhones and other unaffiliated webpages – built by developers who don’t work for Twitter. Those applications are all about interacting with user data stored on Twitter’s servers, and yet the company has offered nothing but the simplest method of accessing that user data by those outside apps.
The makers of everything from desktop apps like Tweetdeck and Twhirl, to web services like FriendFeed, Twitterfeed and others have been required to ask users to give up their Twitter usernames and passwords in order to read and write to Twitter user data. And apps built outside of the Twitter.com web page are by far the best way to post messages to Twitter.
Who wants to give some brand new website they’ve never seen before the password to their Twitter account – an increasingly important part of millions of peoples’ communication online? The fact is, many of us are doing so every day – and it makes a lot of us very uncomfortable.
The recent hacking of Twitter accounts wouldn’t have been prevented by the steps Twitter is taking today, that hack required nothing more than a teenager running the most elementary brute force trial-and-error script until the password “happiness” was found for the login at twitter.com/admin. But these steps were called for much more loudly none the less by the Twitter community after those hacks.
So Finally…Twitter Is Readying OAuth!
Twitter’s proposed solution to making users all be “password-sluts” is a system called OAuth. It’s an open user-authentication protocol based in large part on work done years ago at Flickr. If you’ve used an outside application for, say, uploading your photos to Flickr, you’ve seen how it works. You tell the application “my name is marshallk on Flickr and I want to use your service to access my account there.” The service goes and asks Flickr for permission, Flickr pops up a window and says “this other website wants to access your private data on Flickr, can you prove you are really you and tell us to give them access?” Then you give Flickr your Flickr password, not the outside service.
The idea is that with OAuth, users can say to a website – “I’d like to bring my Twitter data over to your site, but let me log into Twitter and give them permission to give it to you.”
Right now, outside websites are forced to essentially pretend to be you after cajoling your secret password out of you, tricking Twitter into giving up the data, and then promising you that they will not abuse this secret password knowledge they’ve been entrusted with.
It’s a pretty unsustainable situation.
OAuth looks and feels to users a whole lot like the new Facebook Connect, or OpenID login. Why go with OAuth instead? Facebook Connect is a proprietary system that hoards all the user data over the long term and takes too much control over sites that use it. OpenID can’t be used by desktop apps and is too often ugly enough that you’d rather stay home than take it to a party. Enter OAuth, a technology that hopes to solve all those problems.
By being an “open standard” it can essentially be replicated all around the web. That means that authenticating sites can just plug in a secure user login procedure with relative ease, and 3rd parties wanting to build a bridge between their apps and OAuth supporting apps don’t have to build to a new data interface (API) every time, because there’s a standard.
It doesn’t always work perfectly. The Google-led OpenSocial initiative was supposed to herald a new day of data and application portability across scores of the social networks around the web (all the ones that are less popular than Facebook). Things like OAuth were supposed to make OpenSocial a “write once – apply everywhere” platform, but for political, technical and business reasons, it turned out much harder than that and almost no one cares anyway.
The Moral of the Story: Never Give Your Twitter Password to a Stranger Again
If the OAuth trial that started today is a success, you shouldn’t ever have to wince and hand over your Twitter username and password to a stranger again. That will be very nice. It’s the kind of thing that ought to be best practice everywhere that two applications swap spit (user data), and we hope it will be someday soon.
A key part of “data portability” will be letting users feel secure and in control enough of their data to go ahead and use it in multiple places. That’s something Facebook has put a huge emphasis on, at the expense of open community standards and to the benefit of their business interests as the would-be only social networking game in town.
Announcing (?) The Twitter App Showcase
What’s Twitter’s plan for this surprisingly important technical direction they are exploring? We asked Twitter API lead Alex Payne and this is what he said:
My goal for our OAuth launch is to give our users more control and confidence in their interactions with third-party Twitter-powered applications. Basic Auth has worked for a certain class of single-user application running on a trusted network, but OAuth will increase the reach of Twitter apps that can be used safely and securely on a
variety of platforms. What’s more, OAuth gives us the data we need to build an application gallery to better showcase the great work Twitter developers are doing.Our launch plan entails a month or two in private beta, a similar amount of time in public beta, and then a final release. After the final release, we’ll allow OAuth to co-exist with Basic Auth for no less than six months, and hopefully not much longer. OAuth should be
the sole supported authentication mechanism for the Twitter API by the end of 2009.
Those are solid gold words, right there. We hope the OAuth community and Twitter can nail this test and implementation, opening the door to a new era of interfaces and applications built by anyone on earth but securely leveraging Twitter user data. A Twitter ecosystem where people feel secure sharing their data could end up being a much bigger Twitter ecosystem.
That should be not just be future of Twitter, that should be the future of data-centric online computing in every part of our lives.
And Then The Dominoes Fall
Many people say that Twitter is changing the web all around it. It’s not just a symbol of a new communication paradigm, it’s training millions of people to communicate publicly in very short, rapid messages.
That same influence could extend to helping spread secure, standards based user authentication protocols like OAuth.
Is isn’t hard to imagine people saying “Twitter lets me use applications like Tweetdeck to send public messages to The_Real_Shaq – so why can’t my bank data be shared with Mint without me giving Mint my bank password? Why can’t my school transcripts be exposed to Netflix to get recommendations of the most popular movies related to the subjects I’m studying – without me giving Netflix my school password?”
That kind of future could come all the faster if all of these services used a standardized authentication system, like OAuth. As of this September, that’s exactly what Netflix uses, in fact.
You get the picture. Effective Twitter implementation of OAuth is a far more important matter than it might seem. This isn’t something small, dry and technical. This is the future of integrated, hyper-smart social computing being built right before our eyes.
