Pictures in email signatures are obnoxious and annoying.

Zac Bowling



On Tue, Aug 11, 2009 at 2:58 PM, Bradley S. O'Hearne <brad.ohea...@gmail.com> wrote:
> Alex,
> Thank you for the information -- that does give me a much better idea of the
> helpful utility of OAuth within the Twitter ecosystem. Please understand, my
> point in raising these issues has never been to buck the system, but rather
> to prove out what the real security issues in play are, so as to address
> them as efficiently as possible. Stickiness is a major issue in mobile apps,
> and every hoop you put the user through increases the chances for a user to
> leave and / or delete your app.
> As for the iPhone-optimized version of the OAuth workflow -- I run a company
> specializing in iPhone development. If Twitter would be in need of our
> services to can OAuth into a distributable component / library or set of
> source code, somewhat in the vein of Facebook Connect, contact me offline.
> Regards,
> Brad
> Brad O'Hearne
> Owner / Developer
> Big Hill Software
> br...@bighillsoftware.com
> http://www.bighillsoftware.com
>
> On Aug 11, 2009, at 10:40 AM, Alex Payne wrote:
>
> For the case of a dedicated application on a rich mobile platform like
> iPhone, I agree that OAuth does not offer a particularly different user
> experience. It does, however, provide us at Twitter the information we need
> to provide detailed usage analytics back to developers, as well as the data
> we need to better understand our platform and help it grow.
> OAuth also provides a mechanism for users to revoke access to applications
> that aren't behaving as they expected; on the iPhone, removing a misbehaving
> application is as simple as deleting it, but for some non-technical users it
> may be helpful for them to visit their Twitter settings and see the list of
> applications they've authorized.
> We're working with our mobile team on improving the iPhone-optimized version
> of the OAuth workflow. It may not be an enormous improvement over
> password-based authentication, but once it's done, it certainly won't be a
> hindrance. Twitter is one of many companies moving to OAuth, and you can
> already find iPhone applications like TripIt that rely solely on OAuth for
> authentication.
>
> On Mon, Aug 10, 2009 at 14:16, Bradley S. O'Hearne <brad.ohea...@gmail.com>
> wrote:
>>
>> All,
>>
>> I don't want to kick this subject to death, as there was a lengthy thread
>> on general OAuth vs. Basic auth -- I want to restrict this question strictly
>> to the scope of iPhone apps. Having pored over the OAuth vs. Basic
>> authentication process, I have a question, given the following assumptions:
>>
>> - The iPhone app is communicating directly with Twitter, i.e. not through
>> some third-party means.
>>
>> - The iPhone app requires authentication at the beginning of each
>> application runtime (i.e. each time the app is run the user has to type in
>> their password).
>>
>> - The password is cached only in memory, for the life of that specific
>> runtime (i.e. when the user quits the app, the password is released).
>>
>> - The password is NEVER persisted anywhere, i.e. never stored to disk.
>>
>> - All network communication with Twitter takes place over HTTPS.
>>
>> If all of those things are true in an iPhone app, how is OAuth superior in
>> any way to basic authentication from a security standpoint? Furthermore,
>> given having to introduce a foreign UI element and extra authentication
>> steps over the web, could OAuth even be considered inferior when evaluated
>> as a whole as an authentication means for the iPhone, when app branding,
>> integration, and ease of use are considered?
>>
>> Mind you, the purpose of this post is not in any way to incite a religious
>> war or stir the pot, it is to definitively establish the true pros and cons
>> of each authentication means within the specific use case of the iPhone
>> only. Many of the other OAuth / Basic auth threads are somewhat overridden
>> with personally charged statements that I'd rather ignore them.
>>
>> Anyway, your constructive views are most appreciated.
>>
>> Regards,
>>
>> Brad
>>
>>
>
>
>
> --
> Alex Payne - Platform Lead, Twitter, Inc.
> http://twitter.com/al3x
>
>
