Passwords are a little more secure now that Google has added OAuth support to its iGoogle Gadgets. Developers can now use their gadgets to easily grab data from OAuth-enabled APIs. With OAuth, users no longer have to hand their passwords to developers. Instead, when a developer wants data from a service, the user enters the password into the service itself and grants the developer permission to access their data.
MySpace updates, AOL Mail and Google Book Search are the first gadgets to use OAuth. Finding the MySpace gadget via the iGoogle search is difficult, as there are pages of results by non-MySpace developers. Some of these ask for your password outright, without OAuth, which is insecure. If you have a MySpace account, try adding the official MySpace gadget.
Adding the MySpace gadget gives a good idea of the user experience provided by the OAuth process. Rather than username/password fields within the iGoogle box, there's a sign-in button. Click it and a popup opens with the MySpace login page. Once you've signed in, the popup disappears and the gadget is populated with your MySpace data: updates, status, bulletins, and inbox.
Behind the scenes there is an exchange of keys that ensures the gadget maker really does have your permission to access the data. Those keys are permanent, so the sign-in process is a one-time deal for each OAuth gadget, not something you'll have to do every time you visit your iGoogle page. For an example of how OAuth works, check out my FireEagle tutorial.
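The key exchange behind that sign-in button, as an added example that is not from this post or from Google or MySpace: a toy OAuth 1.0a three-legged flow in Python with the gadget (consumer) and the provider simulated in one process. The consumer key, the user "alice" and her password, and the provider.example endpoints are all constructed; it shows that the password is only ever checked by the provider, that a request token alone cannot read data, and that the access token keeps working without a second login.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

CONSUMER = ("gadget-key", "gadget-secret")  # constructed: the gadget's registered key and secret
USERS = {"alice": "correct horse"}          # constructed: the password lives only at the provider
TOKENS = {}                                 # provider state: token -> [secret, user, is_access, verifier]
BASE = "https://provider.example"           # hypothetical provider endpoint prefix

def sign(method, url, params, consumer_secret, token_secret=""):
    """OAuth 1.0 HMAC-SHA1 signature over the normalized request (RFC 5849 section 3.4)."""
    enc = lambda s: quote(str(s), safe="~")
    norm = "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))
    base = "&".join([method.upper(), enc(url), enc(norm)])
    key = f"{enc(consumer_secret)}&{enc(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base.encode(), hashlib.sha1).digest()).decode()

def gadget_request(path, token=None, **extra):  # consumer side: sign with consumer + token secret
    p = {"oauth_consumer_key": CONSUMER[0], "oauth_nonce": secrets.token_hex(8),
         "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": str(int(time.time())), **extra}
    if token: p["oauth_token"] = token[0]
    p["oauth_signature"] = sign("POST", BASE + path, p, CONSUMER[1], token[1] if token else "")
    return path, p

def provider_check(path, p, token_secret=""):  # provider side: recompute, compare in constant time
    p = dict(p); given = p.pop("oauth_signature", "")
    return hmac.compare_digest(given, sign("POST", BASE + path, p, CONSUMER[1], token_secret))
def _mint(user=None, access=False):  # issue a fresh token/secret pair and remember it
    tok = secrets.token_hex(8); TOKENS[tok] = [secrets.token_hex(16), user, access, None]
    return tok, TOKENS[tok][0]
def provider_request_token(path, p):
    if not provider_check(path, p): raise PermissionError("bad signature")
    return _mint()
def provider_login_popup(token, username, password):  # the popup: password checked here, never sent to the gadget
    if USERS.get(username) != password: raise PermissionError("bad login")
    TOKENS[token][1], TOKENS[token][3] = username, secrets.token_hex(4)
    return TOKENS[token][3]  # oauth_verifier (OAuth 1.0a) carried back to the gadget
def provider_access_token(path, p):
    rt = TOKENS.pop(p.get("oauth_token"), None)  # request token is single use
    if not (rt and rt[1] and p.get("oauth_verifier") == rt[3] and provider_check(path, p, rt[0])):
        raise PermissionError("token not authorized")
    return _mint(rt[1], True)  # the permanent access token the gadget stores
def provider_updates(path, p):  # protected resource: needs a valid signature with an access token
    t = TOKENS.get(p.get("oauth_token"))
    if not (t and t[2] and provider_check(path, p, t[0])): raise PermissionError("unauthorized")
    return f"updates for {t[1]}"

def gadget_sign_in(username, password):  # one-time sign-in; returns the access token to keep
    rt = provider_request_token(*gadget_request("/request_token"))
    verifier = provider_login_popup(rt[0], username, password)
    return provider_access_token(*gadget_request("/access_token", rt, oauth_verifier=verifier))
```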
The update to gadgets is worlds beyond password-sharing, but phishing is still a worry. Emulating the popup process would be easy, and there's nothing to signify that the page I'm seeing really is MySpace. Luckily, that's the same problem many are already trying to solve; whatever fixes it for banking sites, for example, will probably fix it for OAuth too.
[Photo by Eran Sandler]