
OAuth is still very useful if you need more data from a user than just that he's who he says he is. If your app processes user data from another source, OAuth is still the best choice.

Also, people recognize Facebook and Google as brands they already have accounts with. When a user sees a big blue/red Sign In With Facebook/Google button, that's an easier decision than hand-keying your credentials (especially on a tiny and slow mobile keyboard). Moreover, users trust Facebook and Google to know how to secure their passwords better than randomsiteijustfound.com, so they may believe OAuth is safer than trusting that randomsiteijustfound.com's developer knows how to properly hash a password.




I don't disagree that OAuth is very useful when an application needs access to resources on another site.

That said, many of the applications that feature "sign in with Facebook" don't actually need access to my Facebook account. They may just be trying to make it easier for the user to sign in, but they also sometimes abuse that trust, and start posting things on your behalf.

Frankly, I'd much rather generate a random password for randomsiteijustfound.com and not worry too much about their password-hashing policy than trust them to do the right thing with access to my Facebook account.

This is why I like Persona -- if a site really just wants to make it easy for me to sign in, they'll use Persona, and I won't have to worry about them abusing my trust, because I'm not granting them access to anything else. Once I feel like they're trustworthy or useful enough, I can consider granting them OAuth authorizations to my Facebook account.
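Added example, not from either commenter: a small audit of the scopes a "sign in with X" button actually asks for, which is the distinction the comment above draws between a site proving who you are and a site being granted access to act on your behalf. The identity-only scope names are the standard OpenID Connect ones; the provider host, client ids and the write scope `post_on_behalf` are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs

# Scopes that only establish identity (OpenID Connect standard scope names).
IDENTITY_ONLY = frozenset({"openid", "profile", "email"})


def parse_scopes(authorize_url: str) -> set[str]:
    """Extract the scope set from an OAuth 2.0 authorization URL.

    RFC 6749 section 3.3 defines scope as a space-delimited list; some
    providers accept commas as well, so both separators are handled.
    """
    query = parse_qs(urlparse(authorize_url).query)
    raw = " ".join(query.get("scope", []))
    return {s for s in raw.replace(",", " ").split() if s}


def audit_scopes(authorize_url: str) -> dict:
    """Classify requested scopes into identity-only and excess scopes.

    Any scope outside IDENTITY_ONLY grants the relying party access to
    something beyond proving who the user is, so it is reported as excess
    and the request is no longer a pure sign-in.
    """
    requested = parse_scopes(authorize_url)
    excess = requested - IDENTITY_ONLY
    return {
        "requested": sorted(requested),
        "identity": sorted(requested & IDENTITY_ONLY),
        "excess": sorted(excess),
        "sign_in_only": not excess,
    }


# Constructed sample requests: placeholder provider, client ids and a
# made-up write scope "post_on_behalf" standing in for any posting permission.
SIGN_IN_URL = ("https://idp.example/oauth2/authorize?response_type=code"
               "&client_id=site1&redirect_uri=https%3A%2F%2Fsite.example%2Fcb"
               "&scope=openid%20email")
OVERREACH_URL = ("https://idp.example/oauth2/authorize?response_type=code"
                 "&client_id=site2&redirect_uri=https%3A%2F%2Fsite.example%2Fcb"
                 "&scope=openid,email,post_on_behalf")

if __name__ == "__main__":
    for url in (SIGN_IN_URL, OVERREACH_URL):
        print(audit_scopes(url))
```

A relying party that really only wants sign-in should produce an empty `excess` list; anything else is the extra access the user is being asked to trust the site with.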
