It’s great that OAuth is finally catching on. It was a long time coming. Signing on to other sites using your OpenID makes the web a much easier place to navigate and deal with. However, the process needs clarity.
I know that an application using OAuth for sign-in cannot access my password. But does the NON-developer really get that? Someone could imitate an OAuth login screen and ask for a password in order to get into your account. Others have raised this before.
The public needs to understand that they are never asked for a password once they are already logged in to their OpenID provider, such as Twitter. They should also log in only at the provider’s correct URL, so that spoofing and phishing attempts won’t work.
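The “correct URL” advice above is something a client application can enforce before it ever sends a user to a provider’s login page. The following is an added example, not code from the original post: it compares a weak substring check against a strict origin check of the authorization URL. The provider hosts in the allowlist are assumptions for the example, as are the lookalike URLs, which are constructed to show the kinds of addresses a phishing page would use.

```python
from urllib.parse import urlsplit

# Constructed allowlist of (scheme, host) pairs the app is willing to send
# users to. Real providers publish their own authorization endpoints; these
# hosts are assumptions for the example.
TRUSTED_AUTHORIZE_ORIGINS = {
    ("https", "api.twitter.com"),
    ("https", "www.facebook.com"),
}


def naive_check(url: str) -> bool:
    """The weak check: a substring match plus an https prefix.

    It accepts any URL that merely contains a trusted host name somewhere,
    which is exactly what a lookalike login page relies on.
    """
    return url.startswith("https://") and "api.twitter.com" in url


def is_trusted_authorize_url(url: str) -> bool:
    """The strict check: https, default port, and an exact host match.

    urlsplit().hostname strips userinfo and the port and lowercases the
    host, so 'https://api.twitter.com@evil.example/' resolves to
    'evil.example' and is rejected, as are 'api.twitter.com.evil.example'
    and 'evil.example/api.twitter.com/...'.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname
    if host is None:
        return False
    # A non-default port is not the provider's published endpoint either.
    if parts.port not in (None, 443):
        return False
    return (parts.scheme, host) in TRUSTED_AUTHORIZE_ORIGINS


def classify(url: str) -> str:
    """Helper for the usage example: label a URL by which checks it passes."""
    strict = is_trusted_authorize_url(url)
    naive = naive_check(url)
    if strict:
        return "trusted"
    if naive:
        return "lookalike accepted by naive check"
    return "rejected"


if __name__ == "__main__":
    # Constructed sample URLs: one genuine, the rest lookalikes.
    samples = [
        "https://api.twitter.com/oauth/authorize?oauth_token=abc",
        "http://api.twitter.com/oauth/authorize?oauth_token=abc",
        "https://api.twitter.com.evil.example/oauth/authorize",
        "https://api.twitter.com@evil.example/oauth/authorize",
        "https://evil.example/api.twitter.com/oauth/authorize",
        "https://api.twitter.com:8443/oauth/authorize",
    ]
    for sample in samples:
        print(f"{classify(sample):40} {sample}")
```

Only the first sample is a real provider endpoint; the naive check waves through three of the five lookalikes, while the strict check rejects all of them. The same exact-origin comparison is what a user should do by eye in the address bar, which is why the host must be matched whole rather than searched for as a substring.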
Also, what does the developer get access to? A username, or more? Twitter and Facebook need to make it VERY clear EXACTLY what data a site is able to access when it hooks into their authorization systems.
People will trust an app once it gets popular, which is not a good thing, because sooner or later someone will misuse the power granted to them. Just look at what was happening behind the scenes with two VERY POPULAR Firefox plugins that you would think had been well scrutinized by many developers.
If a major security breach happens, the trust that took so long for OAuth to gain could be lost overnight.
In fact, OAuth is a great step for now. But wouldn’t login and authentication live better in the browser? You define some basics like a username and some profile info, maybe a social graph, all in your browser, perhaps with some data hooked into the cloud. Then you can register at a site using Firefox. Something along the lines of a turbocharged Weave.