We had much lower rates.  But it is difficult to disentangle if that
is due to the extra steps required for OAuth, the OAuth scare screen
on Twitter.com, or because of the copy we initially used to invite
users to use OAuth.  (For example, we had text that read "add your
Twitter account via OAuth" which admittedly isn't going to be very
well understood by the average user... "login with Twitter" would be
better.)

But for the last 3282 users who added accounts in our system, and for
whom we offered BOTH OAuth and Basic Auth options (and where the OAuth
step was clearer, indicating that they wouldn't have to give us user/
pass), 1209 or 36% chose OAuth.  While this might again be confounded
by other factors, this does suggest that for our app, at least, given
the choice between Basic and OAuth, users show a preference for Basic
Auth.

On reflection (and after some sleep), I admit that my initial post was
a bit hyperbolic, and partly due to my frustration dealing with
another unannounced API change.  That said, at least for us, evidence
bears out that Basic Auth is just as accepted, if not more accepted,
than OAuth by our users.

On Jul 28, 3:58 pm, jmathai <[email protected]> wrote:
> Funny, I posted about our high success rate (95% of all users) with
> OAuth.
>
> I'm trying to get a feel for if we're fortunate, have a good flow or
> everyone has the same rates.
> http://groups.google.com/group/twitter-development-talk/browse_thread...
>
> On Jul 28, 2:13 pm, Amitab <[email protected]> wrote:
>
> > As a developer who has recently launched Twaller (http://www.twaller.com)
> > which supports OAuth, I think I should share my
> > perspective on this.
>
> > I really loved OAuth because:
>
> > (1) Ease of coding. I could get OAuth working within a couple of days.
> > Saves me any password maintenance, encryption etc.
> > (2) Integration with Twitter Branding. With the OAuth scheme, I
> > believe my website is more integrated with Twitter. It would also be
> > nicer if Twitter would maintain their own list of websites they trust
> > with Oauth, just to give users the added confidence that Twitter
> > trusts me.
> > (3) Saves me worrying about SSL. A lot of people are finicky about
> > HTTPS/SSL. This way I can just tell them that if Twitter wants OAuth
> > that way in future, we will simply provide it.
>
> > The part I hate about OAuth is that the OAuth page is extremely slow
> > to load and sometimes does not load at all. I see this issue with the
> > Twitter website in general as well, sometimes posts from the web just
> > don't go through. I would much appreciate if people at Twitter can
> > address scalability problems to OAUTH, because that I believe is the
> > biggest user turnoff.
>
> > On Jul 28, 1:11 pm, JDG <[email protected]> wrote:
>
> > > It's only a scare if the development community neglects or refuses to
> > > educate the populace at large that only Twitter really needs your password,
> > > so why give it to anyone else?
>
> > > On Tue, Jul 28, 2009 at 13:27, jahbini <[email protected]> wrote:
>
> > > > Sorry about your Oauth Implementation, Mine's been working steadily
> > > > with no hiccups: Lots of very solid implementations out there.
>
> > > > As far as the user sign-up problem, Yeah, I agree, It's a bit of a
> > > > scare for the user to have to connect to an off-site twitter authority
> > > > page -- But that's what Facebook, paypal and all the big boys are
> > > > pushing toward.
>
> > > > As Robert Palmer once said: "You're gonna have to face it, you're addicted
> > > > to passwords".
>
> > > > Jim
>
> > > > On Jul 28, 1:27 am, chinaski007 <[email protected]> wrote:
> > > > > Let's be honest...
>
> > > > > The end-result for third-party developers using OAuth appears to be
> > > > > fewer sign-ups, less reliability, more complexity, and potentially
> > > > > less security.
>
> > > > > Google Optimizer reveals that users are more likely to sign-up for
> > > > > Basic Auth than OAuth.  That's just fact.  Test it for yourself to
> > > > > confirm.
>
> > > > > I suppose this is not so weird.  Users are accustomed to giving user/
> > > > > pass information even to "foreign" apps.  It is far more disruptive
> > > > > and invasive for them to go to some bizarre Twitter screen asking them
> > > > > to "approve an app".  To the average user, what does that mean?  (And,
> > > > > heck, it may even require more steps if they have to login again to
> > > > > Twitter.)
>
> > > > > In terms of reliability, Twitter OAuth was down for days several weeks
> > > > > ago.  Tonight yet another unannounced change occurred that broke major
> > > > > code libraries.  Meanwhile, Basic Auth has been plugging along just
> > > > > fine and dandy...
>
> > > > > So what IS the benefit of OAuth?
>
> > > > > It doesn't benefit developers as you will likely get more sign-ups
> > > > > with Basic Auth and Basic Auth is far, far easier to setup.  Sure,
> > > > > OAuth might satisfy some power users hungry for security...
>
> > > > > But is OAuth even more secure than Basic Auth?
>
> > > > > Perhaps not.  After all, tonight's fix was for an OAuth security flaw
> > > > > known for at least 10+ days (judging by tweets to @twitterapi) that
> > > > > allowed for potential impersonations of credentialed users.
>
> > > > > On the heels of Twitter's (unofficial) assurance of better
> > > > > communication with developers, this sort of unannounced change is
> > > > > distressing.  What's next?  (Have Labor Day Weekend plans?  You might
> > > > > want to cancel those... just the right time for Twitter to make an
> > > > > unannounced API change!)
>
> > > > > As for us, we are in the strange position of deprecating OAuth in
> > > > > favor of Basic Auth.
>
> > > > > Weird, eh??
>
> > > > > Okay, we are not totally deprecating OAuth, but we are advising users
> > > > > that Basic Auth is far more robust and reliable.
>
> > > > > And so our message to new developers: avoid OAuth like the plague.  If
> > > > > you must, offer it.  But let Basic Auth be your backbone: more
> > > > > reliable, more sign-ups, simpler, and probably just as secure.  (Just
> > > > > look at Google Code bug reports about OAuth to get a sense of
> > > > > reliability.)
>
> > > > > (Okay, okay, this post was written at 4am after a workday that started
> > > > > at 8am, and after Twitter introduced this new change at 5pm... (hey
> > > > > Twitter, can you introduce major new changes EARLIER in the day so we
> > > > > can react!?!?)... it still doesn't excuse Twitter's continued
> > > > > disregard for the small-to-medium size developer.)
>
> > > --
> > > Internets. Serious business.
>
>
