Good question. I'm not saying that this is the best idea out there, but if desktop (and third-party non-web app) developers have problems, I think we should at least start entertaining some suggestions. Some may pan out better than others, but at least get the ideas out there.

On 1/22/2010 1:14 PM, Abraham Williams wrote:
How does Twitter verify which user is completing the CAPTCHA?


On Fri, Jan 22, 2010 at 07:06, John Meyer wrote:

    On 1/22/2010 7:48 AM, Josh Roesslein wrote:

        Not 100% sure what you are suggesting. Are you suggesting for the
        authorization step that instead of directing the user to twitter
        instead receive a captcha image which the user inputs that # and we
        send back to get the access token?
        I am not sure that is such a good idea, mainly because captchas are
        pretty easy to interpret by machines. It's just too risky that an
        attacker will guess the correct value and thus gain entry to some
        user's account. If I am misinterpreting your idea, please let me


    Pretty easy is relative.  While there are programs to crack CAPTCHAs
    out there, they still are more effective than traditional
    username/password combinations.  And I still would insist that this
    method would be an accommodation for desktop and mobile clients who
    may have difficulty displaying web pages.  Barring that, the only
    alternative I could see is turning every program into a de facto web

Abraham Williams | Moved to Seattle | May cause email delays
