OAuth is a type of single sign-on solution that is gaining popularity online. Single sign-on is an authentication concept in which a single logon event grants access to a collection of systems. This differs from traditional authentication, where each system requires its own unique, local authentication. Single sign-on has been a standard element of company networks for decades. There have been many attempts to duplicate the concept on the Internet, but only now, with the adoption of OAuth, is it actually starting to become a reality.
OAuth is a way to share or borrow the authentication from one site to grant access to another site. Let’s call the first site a primary site. The primary site must support OAuth and allow its authentication to be shared by other secondary sites. Secondary sites must also support OAuth and then select which primary site’s authentications they will accept. The way OAuth works is:
1. You visit a secondary site and click on an offering to use a primary site’s authentication to access the secondary site.
2. This takes you to the primary site. If you do not have a current active session with the primary site, you are prompted to authenticate to the primary site.
3. With an active session to the primary site, you are prompted to confirm or accept the secondary site’s request to link to your account on the primary site.
4. Clicking to confirm this returns you to the secondary site where you now have access to that site.
Once OAuth has been confirmed on a secondary site, all future visits to that site will automatically log you in as long as you have a current active session with the primary site. The three most common or popular sites used as primaries are Facebook, Twitter, and Google, but there are dozens of other potential primary sites as well, including Amazon, Dropbox, Evernote, Flickr, LinkedIn, Microsoft, Netflix, PayPal, Tumblr, and Yahoo. Numerous other sites support OAuth as secondary sites.
OAuth is a huge convenience for users as it reduces the number of unique logon credential sets that you must keep track of. However, this is not necessarily a good security option. If the primary site’s authentication is a basic password only, then when your account is compromised on the primary site, the intruder automatically gains access to all the linked secondary sites as well.
By the way, the primary site will maintain a list of secondary sites that have been linked. This list is for your convenience when you want to disconnect an OAuth link, but an intruder can use it to follow your links to those secondary sites.
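The four-step flow above, and the list of linked secondary sites kept by the primary site, can be walked through in code. The following is an added, in-memory simulation written for this excerpt; it is not code from Global Knowledge or from any OAuth library. The site names, URLs, user names and credentials are constructed assumptions. It shows what the user-facing steps hide: the secondary site issues a `state` nonce it later checks, the primary site hands back a one-time code rather than the user's password, and the secondary site exchanges that code for a token over a back channel.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed simulation of the four-step OAuth flow. Site names, URLs, user
# names and credentials are assumptions for this example, not real values.


class PrimarySite:
    """The site whose authentication is shared (the authorization server)."""

    def __init__(self):
        self.users = {"alice": "correct horse battery"}  # constructed credentials
        self.sessions = {}   # session id -> username (an active logon)
        self.clients = {}    # client id -> (client secret, registered redirect URI)
        self.codes = {}      # one-time code -> (username, client id, redirect URI)
        self.links = {}      # username -> set of linked secondary sites

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def login(self, username, password):
        # Step 2: the user authenticates to the primary site if no session exists.
        if self.users.get(username) != password:
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = username
        return sid

    def authorize(self, session_id, client_id, redirect_uri, state, consent):
        # Step 3: with an active session, the user confirms or refuses the
        # secondary site's request to link to this account.
        username = self.sessions.get(session_id)
        if username is None:
            raise PermissionError("no active session on the primary site")
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri does not match the client registration")
        if not consent:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(16)
        self.codes[code] = (username, client_id, redirect_uri)
        self.links.setdefault(username, set()).add(client_id)  # the linked-site list
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def exchange_code(self, client_id, client_secret, code, redirect_uri):
        # Back channel: the secondary site trades the one-time code for a token.
        entry = self.codes.pop(code, None)  # pop makes the code single-use
        if entry is None:
            raise ValueError("unknown or already used authorization code")
        username, issued_to, issued_uri = entry
        if (issued_to != client_id or self.clients[client_id][0] != client_secret
                or issued_uri != redirect_uri):
            raise PermissionError("code was not issued to this client")
        return {"access_token": secrets.token_urlsafe(24), "user": username}

    def linked_sites(self, username):
        # The list of linked secondary sites the text mentions.
        return sorted(self.links.get(username, set()))


class SecondarySite:
    """A site that accepts the primary site's authentication (the client)."""

    def __init__(self, primary, client_id, client_secret, redirect_uri):
        self.primary = primary
        self.client_id = client_id
        self.client_secret = client_secret
        self.redirect_uri = redirect_uri
        self.pending = set()  # outstanding state nonces (tied to a browser session in practice)

    def start_login(self):
        # Step 1: the user clicks "log in with the primary site"; the state
        # nonce ties the eventual callback to this login attempt.
        state = secrets.token_urlsafe(16)
        self.pending.add(state)
        return "https://primary.example/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id,
            "redirect_uri": self.redirect_uri, "state": state})

    def callback(self, returned_url):
        # Step 4: the browser returns with code and state; a callback whose
        # state was never issued is rejected before the code is touched.
        q = parse_qs(urlparse(returned_url).query)
        state = q.get("state", [None])[0]
        if state not in self.pending:
            raise PermissionError("unknown state: callback not tied to a login attempt")
        self.pending.discard(state)
        if "error" in q:
            return None  # the user declined on the primary site
        token = self.primary.exchange_code(
            self.client_id, self.client_secret, q["code"][0], self.redirect_uri)
        return token["user"]


def run_flow(consent=True):
    """Drive the four steps end to end; returns (logged-in user, linked sites)."""
    primary = PrimarySite()
    primary.register_client("notes-app", "constructed-secret", "https://notes.example/cb")
    secondary = SecondarySite(primary, "notes-app", "constructed-secret",
                              "https://notes.example/cb")
    q = parse_qs(urlparse(secondary.start_login()).query)
    sid = primary.login("alice", "correct horse battery")
    returned = primary.authorize(sid, q["client_id"][0], q["redirect_uri"][0],
                                 q["state"][0], consent)
    return secondary.callback(returned), primary.linked_sites("alice")
```

Calling `run_flow()` returns `('alice', ['notes-app'])`, and `run_flow(consent=False)` returns `(None, [])` with no link recorded. Note that the secondary site never sees the primary site's password, only a short-lived code; this is also why the risk described above holds: whoever controls the primary-site session can complete step 3 for every linked secondary site.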
Only use OAuth to link sites back to a primary site if you have configured multi-factor or multi-step authentication on the primary site. Otherwise, you would be better served setting a long and complicated password for each site and putting up with the hassle of managing multiple difficult credential sets (see my white paper “Ten Steps to Better, Stronger Passwords” for guidance on this).
Excerpted from the Global Knowledge white paper, “Multi-Step Authentication and Why Should I Use It”.