
Can OAuth 2.0 strengthen authentication?

Security expert Michael Cobb explains what Open Authorization or OAuth 2.0 is, its pros and cons, and how it is different from bring your own identity.

What are the benefits of OAuth 2.0? How is it different from bring your own identity (BYOI)?

Bring Your Own Identity (BYOI or BYOID) is a concept, and Open Authorization or OAuth 2.0 is a means of implementing that concept.

Let me explain. People don't want to have to remember multiple usernames and passwords or think up new ones every time they sign up for a new site. BYOI, also known as social sign-on or federated authentication, aims to simplify this registration and login process by allowing visitors to use their existing social identities from sites such as Facebook, Twitter, LinkedIn or Google.

This approach to sharing digital authentication makes account registration and login easier and quicker -- a benefit both to users and to site owners, who essentially get identity validation for free by outsourcing the security, privacy and compliance burdens of identity and access management (such as building registration pages or sending password reminders).

OAuth is one of the key standards for enabling BYOI; the others include OpenID, WS-Fed and SAML. OAuth is an open standard aimed at simplifying authorization and access to protected data: it grants a third party access to that data while safeguarding the owner's account credentials. It is not tied to any one company, and because it is relatively easy to implement, it has become a popular mechanism for sharing data between applications. It lets end users authorize third-party access to their data held on other servers without handing over their credentials, so they can share information such as pictures and tweets across different services. For example, Facebook can publish an individual's tweets on their Facebook page without Facebook needing access to their entire Twitter account. This delegation of control to individual users is why BYOI and OAuth are so exciting.
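To make the delegation concrete, the following added example (not code from the article or from any OAuth library) models the OAuth 2.0 authorization code exchange in memory: a hypothetical user "alice" consents at the authorization server, the third-party client "print-shop" receives only an authorization code and then an access token, and the resource server enforces the scope the user consented to. The client never sees alice's password, a write request with a read-only token is refused, and replaying the authorization code fails. All names, credentials, URLs and photo data are constructed for the example.

```python
"""Minimal in-memory model of OAuth 2.0 delegated access (authorization code grant).

Constructed example: the resource server holds alice's photos, and "print-shop" is a
third-party client that should only ever be able to read them.
"""
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Token:
    client_id: str
    user: str
    scopes: frozenset
    expires_at: float


class AuthorizationServer:
    """Issues single-use codes and scoped, expiring access tokens.

    Only this server ever sees the user's password; clients receive tokens, never credentials.
    """

    def __init__(self):
        self._users = {"alice": "correct horse battery staple"}          # constructed
        self._clients = {"print-shop": "https://print-shop.example/callback"}  # registered redirect URI
        self._codes = {}
        self._tokens = {}

    def authorize(self, client_id, redirect_uri, scopes, state, user, password):
        """User logs in here and consents to `scopes`; returns the browser redirect back to the client."""
        if self._clients.get(client_id) != redirect_uri:
            raise PermissionError("unregistered client or redirect_uri")
        if not hmac.compare_digest(self._users.get(user, ""), password):
            raise PermissionError("bad user credentials")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, redirect_uri, user, frozenset(scopes), time.time() + 60)
        return f"{redirect_uri}?code={code}&state={state}"

    def exchange_code(self, client_id, redirect_uri, code):
        """Swaps a code for an access token; the code is consumed whether or not the check passes."""
        entry = self._codes.pop(code, None)
        if entry is None:
            raise PermissionError("unknown or already-used code")
        cid, ruri, user, scopes, expires = entry
        if cid != client_id or ruri != redirect_uri or time.time() > expires:
            raise PermissionError("code bound to another client/redirect or expired")
        token = secrets.token_urlsafe(24)
        self._tokens[token] = Token(client_id, user, scopes, time.time() + 3600)
        return token

    def introspect(self, token):
        t = self._tokens.get(token)
        return None if t is None or time.time() > t.expires_at else t


class ResourceServer:
    """Holds the user's data and checks token scope on every request."""

    def __init__(self, auth_server):
        self._auth = auth_server
        self._photos = {"alice": ["beach.jpg", "cat.jpg"]}  # constructed data

    def get_photos(self, bearer_token):
        t = self._auth.introspect(bearer_token)
        if t is None or "photos:read" not in t.scopes:
            raise PermissionError("invalid token or missing photos:read scope")
        return list(self._photos.get(t.user, []))

    def delete_photo(self, bearer_token, name):
        t = self._auth.introspect(bearer_token)
        if t is None or "photos:write" not in t.scopes:
            raise PermissionError("invalid token or missing photos:write scope")
        self._photos[t.user].remove(name)


class Client:
    """The third-party app: it holds its own client_id and the tokens it is granted, nothing else."""
    client_id = "print-shop"
    redirect_uri = "https://print-shop.example/callback"

    def __init__(self):
        self.state = secrets.token_urlsafe(8)  # ties the callback to this login attempt

    def handle_callback(self, url, auth_server):
        query = dict(part.split("=", 1) for part in url.split("?", 1)[1].split("&"))
        if not hmac.compare_digest(query.get("state", ""), self.state):
            raise PermissionError("state mismatch: callback not tied to our request")
        return auth_server.exchange_code(self.client_id, self.redirect_uri, query["code"])


def run_delegation():
    """Walks one delegated-access exchange and reports what each step produced."""
    auth, client = AuthorizationServer(), Client()
    photos = ResourceServer(auth)
    # 1. alice authenticates at the authorization server and consents to read-only access
    callback = auth.authorize(client.client_id, client.redirect_uri, ["photos:read"],
                              client.state, "alice", "correct horse battery staple")
    # 2. the client swaps the code for a token; it never learned alice's password
    token = client.handle_callback(callback, auth)
    result = {"photos": photos.get_photos(token)}
    # 3. the token carries only the consented scope, so a write is refused
    try:
        photos.delete_photo(token, "cat.jpg")
        result["delete_denied"] = False
    except PermissionError:
        result["delete_denied"] = True
    # 4. authorization codes are single-use, so replaying the callback fails
    try:
        client.handle_callback(callback, auth)
        result["replay_denied"] = False
    except PermissionError:
        result["replay_denied"] = True
    return result


if __name__ == "__main__":
    print(run_delegation())
```

The three properties the example checks (credentials stay with the authorization server, tokens are limited to the consented scope, codes cannot be replayed) are what make "sharing tweets without sharing the Twitter password" safe in practice; in a real deployment the same exchange additionally runs over TLS and binds the redirect URI to a registered value, as the toy `_clients` table does here.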

OAuth 2.0 is the next iteration of the OAuth federation protocol and is not backwards compatible with OAuth 1.0. This latest version mainly focuses on making implementation even easier and simplifying communications between the client, server and content provider. It also standardizes some extensions that have become popular, such as xAuth, introduced by Twitter. Another key change is that all OAuth data transfers must now take place over SSL.

While BYOI provides single sign-on capabilities to site visitors, some users worry they will be trading convenience for privacy, so it is good practice for webmasters to make BYOI an option rather than a requirement. Keeping a local login path also covers the cases where an OAuth provider's service is down, or where a user does not want to share their OAuth provider data with a particular site or application.


This was last published in December 2014
