If you’ve ever granted permission for a service to use your Twitter, Facebook, or Google account, you’ve used OAuth.
This was a radical improvement. It’s easier for users, taking a couple of clicks to authorize accounts, and passwords are never sent insecurely or stored by services who shouldn’t have them. And developers never have to worry about storing or transmitting private passwords.
But this convenience creates a new risk. It’s training people not to care.
It’s so simple and pervasive that even savvy users have no issue letting dozens of new services access their various accounts.
This is from a piece by Andy Baio on Wired from way back in 2012, which I have come across, late in the day, thanks to a tweet by Jeff Atwood of Coding Horror. (All right, not just of Coding Horror; Atwood is probably, actually, more famous for teaming up with Joel Spolsky to launch Stack Overflow. The blog did come first, and his Twitter handle is @CodingHorror. Moving right along...)
I'm completely baffled by this. "Even savvy users?"
Baio goes (went?) on to talk about the large number of apps to which he has granted access to, among others, his Gmail account, and to mention other savvy users (including Anil Dash, now CEO of FogBugz) who have done the same.
Look, every once in a while I start to sign up for something and the entity who wants to enroll me wants to do this via Twitter or Facebook or Google. Sometimes they also allow separate registration via an email address, so I use the email address designated for registrations and the like. Sometimes they don't, and I think: You can't be serious. And I leave the page.
I don't really think of this as savvy. I think: Just how stupid would you have to be to give someone access to an account and its contacts? Just how stupid would you actually have to be?
Of course there's always going to be some kind of document setting out the terms and conditions, including privacy rules. And you think the fact that they posted this comforting text offers protection why, again, exactly?
I'm rather taken aback to find that this merited a piece on Wired, but the whole thing is here.