What is OAuth and How Does it Protect my Personal Information?
OAuth (pronounced “oh-auth”) is a technological standard that allows you to share information between services without exposing your password. It’s a widely-adopted standard that’s used by developers of websites and apps, and you probably use services every day that utilize OAuth.
How does OAuth work, and how does it protect your personal information? Let’s answer your questions.
The information-sharing dilemma
We have lots of digital accounts in the modern age. We have social media accounts, we have online bank accounts, we have online accounts at businesses and retailers, and we have accounts on our favorite websites. All of these digital accounts require that we set up a username and password.
Another aspect of our modern society is that many of our online services are integrated. For example, if you have a smartphone you can post your photos to Facebook. You can share a good blog post on Twitter. You can link payment apps, like Venmo, to your bank account. It seems as if all online services nowadays are designed to interact with other interfaces.
That’s where you risk your privacy being compromised. By enabling data sharing, you’re giving a third-party access to your private information.
Does that mean you shouldn’t link accounts? Nope! Standards like OAuth keep your personal information safe during data transfers between third-parties.
How OAuth works
What if one third-party service wants to use information that you have on another third-party service? So for example, you want to share one of your Instagram photos to Facebook. You’d think that Facebook would ask for your Instagram password so that it can retrieve the photos posted on there. Right?
That’s dangerous, though. The more you give away your passwords, the more likely it is that your passwords will get compromised. That’s where OAuth comes in.
OAuth, which stands for “Open Authorization,” allows third-party services to exchange your information without you having to give away your password.
OAuth tokens
OAuth uses a system of tokens. Well, they’re “access tokens,” to be correct. An access token gives one third-party source temporary access to a limited amount of your personal information on another third-party source [1].
So, in this Instagram-to-Facebook analogy, Facebook would ask for your permission for access to your Instagram. You approve the request. Facebook would then receive an access token for that single photograph on your Instagram account. Instagram would verify the token and grant Facebook access so it could retrieve the photo.
At no point does Facebook receive the login information for your Instagram.
You’re the only one who can grant access tokens. Some tokens are granted for single use, while others are granted for recurrent use until deactivated (location sharing on your smartphone, for example).
Who uses OAuth?
There are plenty of large companies that provide OAuth services, which is a testament to how widely the standard has become adopted. Some of the major providers are:
- Amazon
- AOL
- Bitly
- Dailymotion
- Etsy
- Goodreads
- Google App Engine
- Microsoft
- Netflix
- Tumblr
- Vimeo
- Wordpress
- Yahoo!
There are plenty of other services, too. But as you can see, OAuth is a tried-and-true way of protecting your personal information while also allowing you to conveniently share it between services [2].
How does OAuth differ from other forms of authentication?
There are a few other authentication standards that are commonly used, but OAuth is quite a bit different than them.
SAML
SAML (Security Mark-up Language) is an umbrella standard that’s used primarily to manage single sign-on processes. Single-sign-on is used mostly in federal and corporate networks, although some libraries may have it as well. It’s where a user logs in to a portal and can access all enterprise-wide information. So, you can log in to a corporate portal and have access to company information, like financial data or memos.
SAML was designed to provide security for single sign-on. It authenticates that the user is someone who’s authorized to have access to information in the portal. When authenticated, SAML gives the user an access token for a single session. SAML doesn’t manage the exchange of data between third-parties, which makes it less useful for apps.
OpenID
You might often see OAuth compared to OpenID. Like SAML, OpenID is used primarily to authenticate someone’s identity, not to authorize data exchanges. OpenID allows you to create a single login account that you can use for a variety of websites that work in conjunction. So if you use two different websites that collaborate with each other, you may be able to create one OpenID that works for both websites [3].
Know that OAuth can provide both authorization and authentication. It enables you to share information from one service to another, but some OAuth services may implement protections that require you to log in to an account to prove your identity.
What’s the difference between OAuth 1 and OAuth 2?
OAuth 2.0 was a major upgrade over the first version of OAuth. Many companies provided input for how OAuth 2.0 could improve over its predecessor, including Yahoo!, Facebook, Salesforce, Microsoft, Twitter, and Google.
OAuth 1 was developed primarily for websites. OAuth 2.0 was made more compatible for use by both websites and apps. The second version also allows for a greater variety of access tokens, like having short-lived tokens and long-lived refresh tokens [4].
Is OAuth guaranteed to protect all of my information?
No authorization or authentication standard is guaranteed to protect your information. If your information is available online, it’s susceptible to being stolen. If hackers breach a server of any service that you use, they could potentially take your login information or personal information, like name, address, and credit card information.
The best way to protect yourself online is to create complex passwords that hackers won’t be able to guess. You should also change your passwords frequently (multiple times per year) so if there’s a data breach, hackers will obtain only your outdated login information. They won’t be able to use your old password to log in to your accounts. Using a virtual private network (VPN) is another great way to protect your privacy.
What makes OAuth great is that it restricts how many third-parties know your passwords. No, that doesn’t mean your personal information is 100% safe. But, by reducing how many entities have your passwords, you’ll lessen the chance that your passwords will get compromised.
[1] TechTarget.com; OAuth
[2] Wikipedia.com; List of OAuth providers
[3] Ubisecure.com; The Difference between SAML 2.0 and OAuth 2.0
[4] OAuth.com; Short-lived tokens with Long-lived authorizations
