Not 100% sure what you are suggesting. Are you suggesting for the
authorization step that instead of directing the user to twitter
instead receive a captcha image which the user inputs that # and we
send back to get the access token?
I am not sure that is such a good idea, mainly because captchas are
pretty easy to interpret by machines. It's just too risky that an
attacker will guess the correct value and thus gain entry to some
user's account. If I am misinterpreting your idea, please let me know.


On Fri, Jan 22, 2010 at 8:05 AM, John Meyer <> wrote:
> This may have been proposed by somebody sometime in the past (forgive me for
> not having enough coffee in my system to muster up the energy to search the
> archives ;-)), but here it goes: what if, rather than a web page URL, we
> could receive a captcha image and have the user input the code.  That would
> allow desktop users more flexibility in displaying the authorization.  It
> wouldn't be perfect (I'm sure console developers wouldn't like it), but I
> think it would be a little better than what is coming up now.  Thoughts?

Reply via email to