OAuth: Pros and Cons of OAuth

Written by Tom FronczakFebruary 10, 2011

Imagine if every time you met someone new in life you needed to first tell them not only your name, but also your age, email, phone number, name of your first pet, and were then told to say some secret word that you’re not allowed to tell any of your other friends. Crazy, right? This is the current state of the digital age though, with information swirling around the globe in seconds using advanced technology, yet remaining oddly restricted and primitive at times. OAuth aims to change all of that.


OAuth (Open Authorization) is like saving your password in your Web browser so that you don’t have to retype it every time. Instead of a site asking if it can use your online bank data or online photos every time it needs access to them, you can use tokens to allow one site to have repeated access to another site’s data for as long as you set your token’s lifespan. When you no longer wish for the information bridge to continue, you can sever its flow feeling safe that the site only had a ticket stub – not a permanent key – to one of your online homes on which you store valuable user content.


Ease. A friend sends you a link to a funny picture or video and you want to leave a comment. The only problem is that you’ve never been to this site before and don’t have an account. While you take a few seconds to consider if it’s worth signing up for, you spot a “Sign in with your Twitter account” button. Success! You’re one of the hundreds of millions of Twitter users, so this is an incredibly easy OAuth alternative.

Time. Not only is it easy, but it’s incredibly time saving in the long run. Whether it’s finding a new site online or returning to a favorite one, if the sites you frequent support OAuth then you only need to create one account for the majority of your online hangout spots. It’s the equivalent of going out to a new club at night and having a really cool friend walk you to the front of the line and having the bouncer lift the rope for you to bypass the long wait.

Networking. We comment and share pictures on sites to be social, but it’s the networking appeal that makes sites worth revisiting. OAuth allows you to use one account to comment on several different sites, letting friends and readers from all sites trace you back to your preferred profile page. Even better, Websites can allow you to transfer your friend lists as well, so you don’t need to add the same 200 friends to your list every time a new popular network site pops up on the net. Likewise, if you have some people who only follow you on one of those sites then you can enable options to have a comment made on one site listed on other sites as well. That way you don’t need to copy and paste every Tweet over into Google Buzz, and can instead let social networks operate to their full potential.

Privacy. You just found a shirt you’d love to buy from an online store, but how do you know if you can trust them with your credit card? OAuth solves this dilemma by letting you purchase items online at many sites without ever letting them have access to your private financial details. Just as OAuth allows you to login to site A to leave a comment on site B, the same is true for hiding your banking information from those you do business with online. When making a payment all you need to do is use OAuth to login to your online bank account and have the transaction occur without the clothing site ever knowing your credentials info. Best of all, this means every outside site you go to can’t data-mine your user information and sell it against your will!

Security. Since the advent of OAuth 2.0 – which is now the standard model – all OAuth data transfers must take place on SSL (Secure Sockets Layer) to ensure the most trusted cryptography industry protocols are being used to keep data as safe as possible.

Control. Not only does OAuth give users the power to allow sites limited access to their data, but it even allows users to control when that timeframe window is up. It’s comforting that users can choose when authorization tokens expire.

Expenses. OAuth helps businesses too! Without the need to create a fully robust commenting system it frees up more time and money for Website developers to work on other aspects of their site. Also, since it’s an open standard for authorization it also means an unlimited number of online associations can benefit from it without being hindered by licensing fees.

Traffic. With all the effort involved with signing up for a new site and joining the community, OAuth can allow things to be more casual. With people hopping around the Web more it means sites have better chances at retaining new readers and having them become return visitors, which is great for all online businesses.

Popularity. Most people don’t like jumping on beta tests for new software, so before acquiescing to yet another Web “standard” it always helps to know that a trend is already in motion and that a new service isn’t going to disappear in the future and be a waste of time. OAuth has already been adopted by Google, Facebook, Twitter, and Yahoo, so even if only a slice of their users have made the transition, that still equates to many millions of current users.


Lack of anonymity. If you use Facebook to comment on a different site, they can not only see your Twitter avatar icon, but also click on you to see who your online friends are. It’s a choice the user has to be comfortable making, and with most Internet users still preferring to make comments anonymously on the Web, it’s a choice many still aren’t prepared to make yet. Needing to make anonymous alternate accounts can be just as annoying as having to toggle dozens of site privacy settings each month.

Lack of market saturation. Even though millions might use OAuth through Facebook and Twitter, the number of other sites that support OAuth as clients is still very limited. It will take a while for the trend to spread before users can plug in to all their favorite spots online and get the full online experience that OAuth has yet to offer.

Phishing. When performed correctly, OAuth should be safe, but the act of asking users to login to a different site really quick can train us to be careless and fool less educated net users into thinking this practice is always safe. Many unfortunate users will inevitably fall victim to a convincing looking popup ad and have their data phished. Which leads to . . .

Many eggs in one basket.  If you choose to use a central hub to connect to all your other favorite sites, and the central account becomes hacked, or you simply choose to close the account, then the serious repercussions are felt across several sites instead of just one.

Data misuse. It’s great that OAuth limits new sites from obtaining all of your user data and selling it against your will, but unfortunately one of the largest supporters of OAuth is already guilty of these procedures. Facebook has certainly set bad standards for customer privacy abuse in the past, so it’s unsettling that it will now have access to even more user data across several sites.

Bad precedents. The Obama administration has declared that it’s a fan of similar online ID profile networking to help limit anonymity as well as identity theft. While they’ve stated that the government doesn’t want to control such a system, it does cause one to worry that if these precedents are set and OpenID and OAuth become permanent online standards, then some sites may refuse to allow alternatives for its users. It would be a shame if everyone on the Web was eventually forced to adopt these methods that are great as an option, but should not be an enforced as an only choice.

Social login powered by Gigya