Fixing OAuth

Loren Brichter explains why Twitter’s consideration of going to an OAuth-only authentication system is a problem, and offers some solid solutions to fix OAuth’s most glaring problem, which is that it currently at a core level requires that the user authenticate using their web browser. The heart of his proposal lies around changing that requirement from “web browser” to “authentication gateway” that each Operating System could then provide an API for:

One added bonus of implementing OS-level “blessed” authentication gateways is that the OS vendor can use every trick in the book to prevent phishing. They can use secret APIs to make sure key strokes aren’t logged and proxy settings haven’t been compromised. They can also implement a system allowing users to validate the authenticity of the authentication gateway itself.

While I hadn’t given the OAuth situation much thought before, I have the exact same problem with it that Loren has: requiring a web browser as the one and only authentication mechanism basically turns each application into a designated Man-in-the-Middle. It really doesn’t do anything more than add a step for any ill-meaning application to hijack your login credentials.