On 1/22/2010 7:48 AM, Josh Roesslein wrote:
> Not 100% sure what you are suggesting. Are you suggesting for the
> authorization step that instead of directing the user to twitter
> instead receive a captcha image which the user inputs that # and we
> send back to get the access token?
> I am not sure that is such a good idea, mainly because captchas are
> pretty easy to interpret by machines. It's just too risky that an
> attacker will guess the correct value and thus gain entry to some
> user's account. If I am misinterpreting your idea, please let me know.


Pretty easy is relative. While there are programs to crack CAPTCHAs out there, they still are more effective than traditional username/password combinations. And I still would insist that this method would be an accommodation for desktop and mobile clients who may have difficulty displaying web pages. Barring that, the only alternative I could see is turning every program into a de facto web server.

