> I'm not saying OAuth is a panacea, but it is better than handing over a password.
That's the crux of it. It's not a panacea (the UX sucks, especially for iPhone apps), but the fact is it's only marginally better than handing over a password. I mentioned this in my blog post (linked above), but if I'm a native app, I can get your password if I want it - OAuth or not. It's nothing more than the illusion of security in this case.

To the twitter-folk: for implementation simplicity, I think you should run with token-based authentication and deprecate Basic Auth. All I ask in return is a "special" API method to exchange a username + password for an access token. This way I can collect a username + password client side (without directing the user to a webpage) and authenticate. From the user's perspective, it's just as easy as OAuth. From Twitter's perspective, all authentication will be routed the same way*.

Loren

* And then... down the road (as I mentioned in the blog) OS vendors can step up to the plate and provide a native, system-level interface for OAuth++ authentication. It'll be better than both worlds: just as simple for the user as Basic Auth, and even MORE secure than OAuth-through-a-browser.
