Here's the scenario: a cool new social website pops up. It's the latest newcomer, like LinkedIn or Facebook once was. You complete the registration process, and this site says, "Thanks for registering! Let's see if any of your friends are registered, too!"
"Cool," you say. "Yes, find my friends!"
"Great!" says the site, "just give me your email password and I'll search your contacts."
"Well OK then!" you say, and you hand over your email password. In a moment, the site connects you with your friends, and everything is beautiful.
Except, wait a second. You just gave out your email password.
That's a common scenario, as you know. You give out the one thing mom told you never to reveal. You've got your reasons, though. Maybe you're addicted to Flash games and because of that your blog article is a month late and your boss is starting to get mad, and you want to show off your skills by letting that game post your high score on Facebook. Like this friend I know.
Should you really give that game your Facebook password, especially if you work for a security company and your late blog article is about securing passwords? Probably not, but sometimes you might overlook something like this. What if you find an awesome scarf on Etsy and want to pay for it with PayPal - do you give Etsy your PayPal password?
You don't, right? Giving out a password negates the entire purpose of having that password in the first place.
"But it's such a cool scarf."
I know! But what if you didn't have to give out your password? Cool idea, right?
Conveniently, there's a protocol called OAuth, which is designed to protect the user. With OAuth, users give out tokens instead of passwords. The token is scoped, so websites with them can only do actions you want them to do. That new social website doesn't get your password; it gets a token to see your email contacts, but it can't see your inbox. And if you decide maybe you shouldn't be bragging on Facebook about how much you play TextTwist instead of writing blog articles, you can revoke TextTwist's token and take away their access to your Facebook wall, just like that.
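To make the two properties in that paragraph concrete (a token only unlocks the scopes it was issued with, and revoking it shuts the client out immediately), here is a small added illustration. It is not code from this post or from Ping Identity, and it is not a complete OAuth implementation: there is no authorization code flow, no signing, no expiry and no TLS. The class and scope names (AuthorizationServer, ResourceServer, contacts.read, mail.read, wall.write) are made up for the example.

```python
"""Toy model of OAuth-style scoped, revocable access tokens.

Constructed illustration only. A real deployment uses a proper
authorization server, an OAuth grant flow, token expiry, TLS and
either signed tokens or an introspection endpoint.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Token:
    value: str              # opaque random string handed to the client
    user: str               # resource owner who approved the grant
    client: str             # the third-party site or app
    scopes: frozenset       # exactly what the user agreed to share
    revoked: bool = False


class AuthorizationServer:
    """Issues tokens and answers 'is this token still good?'."""

    def __init__(self):
        self._tokens = {}

    def issue_token(self, user, client, scopes):
        # The client never sees the user's password; it only gets this value.
        tok = Token(secrets.token_urlsafe(32), user, client, frozenset(scopes))
        self._tokens[tok.value] = tok
        return tok.value

    def revoke_token(self, value):
        # The user changes their mind: the token stops working at once.
        tok = self._tokens.get(value)
        if tok is not None:
            tok.revoked = True

    def introspect(self, value):
        # Returns the Token if it is known and live, otherwise None.
        tok = self._tokens.get(value)
        if tok is None or tok.revoked:
            return None
        return tok


class ResourceServer:
    """The API holding the user's data (contacts, inbox, wall)."""

    # Each protected action and the single scope it requires (hypothetical names).
    REQUIRED_SCOPE = {
        "read_contacts": "contacts.read",
        "read_inbox": "mail.read",
        "post_wall": "wall.write",
    }

    def __init__(self, auth):
        self.auth = auth

    def access(self, token_value, action):
        tok = self.auth.introspect(token_value)
        if tok is None:
            return "denied: invalid or revoked token"
        needed = self.REQUIRED_SCOPE[action]
        if needed not in tok.scopes:
            return f"denied: missing scope {needed}"
        return f"ok: {tok.client} performed {action} for {tok.user}"


def demo():
    """Walk through the story: contacts yes, inbox no, then revoke."""
    auth = AuthorizationServer()
    api = ResourceServer(auth)
    token = auth.issue_token("alice", "newsite", ["contacts.read"])
    results = [
        api.access(token, "read_contacts"),   # allowed by the granted scope
        api.access(token, "read_inbox"),      # scope was never granted
    ]
    auth.revoke_token(token)
    results.append(api.access(token, "read_contacts"))  # now shut out
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The contrast with the password scenario is the whole point: a password would have passed every check above, because the site would simply be you. The token carries only the one scope the user approved, and the resource server asks the authorization server on every request, so revocation takes effect without the user changing anything else.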
So let's share our scores on Facebook. Let's buy that cool scarf, and find our friends. But let's also still sleep well at night. Let's be safe and let's get up to speed on OAuth.
Stay tuned; I'll have more on OAuth in future blog posts.
In the meantime, check out the Ping Identity training calendar for upcoming free OAuth classes. All of our online classes are free, as it happens. So start giving your users, and yourself, the security we all deserve.