Many of us in the developer community have been strongly pushing the
point of view that third-party apps should never be asking for user
credentials.  We did so because we believed that Twitter was firmly
committed to the security of the ecosystem and protecting the accounts
of its users.  It now appears that this belief was in error.

This decision is going to actively hurt developers who chose the
more secure implementation.  Application A just lets me log in with my
Twitter credentials, but Application B wants me to go through this
harder process.  Most users will choose option A, and the more-secure
application B loses users.  This decision punishes developers who
chose the more secure model.  It's disappointing, because a lot of
developers have worked very hard to bring OAuth implementations to the
community that were robust and secure and **didn't require a user to
hand over their Twitter credentials**.

There was a great opportunity here for Twitter to be a security leader
in the social network space by saying "We don't want our users giving
their Twitter credentials to anyone except Twitter".  It's a shame
they didn't stick to their guns; the result is going to be a
less-secure ecosystem.
