
Can OAuth 2.0 strengthen authentication?

Security expert Michael Cobb explains what Open Authorization or OAuth 2.0 is, its pros and cons, and how it is different from bring your own identity.

What are the benefits of OAuth 2.0? How is it different from bring your own identity (BYOI)?

Bring Your Own Identity (BYOI or BYOID) is a concept, and Open Authorization or OAuth 2.0 is a means of implementing that concept.

Let me explain. People don't want to have to remember multiple usernames and passwords or think up new ones every time they sign up for a new site. BYOI, also known as social sign-on or federated authentication, aims to simplify this registration and login process by allowing visitors to use their existing social identities from sites such as Facebook, Twitter, LinkedIn or Google.

This approach makes account registration and login easier and quicker, which benefits users and site owners alike. The site owner hands credential storage, password resets and much of the associated security, privacy and compliance burden to the identity provider; what it keeps is responsibility for linking the borrowed identity to a local account and deciding what that account is allowed to do.

OAuth is one of the key standards for enabling BYOI; the others include OpenID, WS-Fed and SAML. OAuth is an open standard for delegated authorization: it lets a user grant a third-party application limited access to data held by another service without handing over the account password. It is not tied to any one company, and because it is relatively easy to implement it has become a popular mechanism for sharing data between applications, for example so that an individual's tweets can be published on their Facebook page without Facebook needing access to their entire Twitter account. One caveat matters for the question asked here: OAuth 2.0 on its own is an authorization framework, not an authentication protocol. An access token proves that its holder was granted some access, not who the user is, so accepting a bare access token as a login credential is a well-known mistake; OpenID Connect, which layers a signed ID token on top of OAuth 2.0, is the standard way to get authentication out of it. That delegation of control to the individual user is what makes BYOI and OAuth so attractive.

OAuth 2.0 is the current version of the protocol and is not backwards compatible with OAuth 1.0. It concentrates on making implementation easier and simplifying the exchanges between the client, the authorization server and the resource server, and it defines several grant types for different kinds of client (web server, browser-based and native applications). It also standardizes patterns that had grown up as proprietary extensions; the password-for-token exchange Twitter offered as xAuth, for instance, corresponds to the resource owner password credentials grant, which the specification restricts to cases where no other grant is possible because it puts the user's password in the client's hands. The other key change is the move from OAuth 1.0's signed requests to bearer tokens: anyone who obtains a token can use it, so the specification requires TLS for the authorization and token endpoints, and authorization codes must be short-lived and rejected on any second use.
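The exchange described above, as an added example that is not part of the original article: a Python simulation of the OAuth 2.0 authorization code grant with the client and the authorization server modelled in the same process, so it runs offline. The provider as.example, the client photo-printer, its secret, its redirect URI and the users alice and mallory are constructed for the illustration. It shows the pieces a practitioner checks in a real implementation: the registered redirect URI is enforced, the client verifies the state value it sent, the code is single-use and expires, the client authenticates to the token endpoint with its own secret, and the user's password never reaches the client.

```python
import secrets
import time
from urllib.parse import parse_qsl, urlencode, urlparse

# Constructed registration held by the authorization server: id -> (secret, redirect URI)
REGISTERED_CLIENTS = {"photo-printer": ("printer-secret", "https://printer.example/cb")}
CLIENT_ARGS = ("photo-printer", "printer-secret", "https://printer.example/cb")


class AuthorizationServer:
    """Identity provider: it holds the user's password; the client never sees it."""
    def __init__(self):
        self.codes, self.tokens, self.refresh = {}, {}, {}  # keyed by code / access / refresh

    def authorize(self, auth_url, user):
        """/authorize: the logged-in user consents; returns the redirect back to the client."""
        p = dict(parse_qsl(urlparse(auth_url).query))
        reg = REGISTERED_CLIENTS.get(p.get("client_id"))
        # Unknown client, wrong response_type or an unregistered redirect URI (code theft) all fail.
        if reg is None or p.get("response_type") != "code" or p.get("redirect_uri") != reg[1]:
            raise ValueError("invalid_request")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": p["client_id"], "redirect_uri": p["redirect_uri"],
                            "scope": p.get("scope", ""), "user": user, "expires": time.time() + 60}
        out = {"code": code, **({"state": p["state"]} if "state" in p else {})}  # echo state
        return p["redirect_uri"] + "?" + urlencode(out)

    def token(self, form, client_id, client_secret):
        """/token: the client proves its own identity and swaps a code or refresh token."""
        reg = REGISTERED_CLIENTS.get(client_id)
        if reg is None or not secrets.compare_digest(reg[0], client_secret):
            raise PermissionError("invalid_client")
        grant = form.get("grant_type")
        if grant == "authorization_code":
            rec = self.codes.pop(form.get("code"), None)  # pop: a code is single-use
            if (rec is None or rec["client_id"] != client_id or rec["expires"] < time.time()
                    or rec["redirect_uri"] != form.get("redirect_uri")):
                raise PermissionError("invalid_grant")
        elif grant == "refresh_token":
            rec = self.refresh.get(form.get("refresh_token"))
            if rec is None or rec["client_id"] != client_id:
                raise PermissionError("invalid_grant")
        else:
            raise ValueError("unsupported_grant_type")
        access = secrets.token_urlsafe(32)
        self.tokens[access] = {"user": rec["user"], "scope": rec["scope"], "expires": time.time() + 3600}
        resp = {"access_token": access, "token_type": "Bearer", "expires_in": 3600, "scope": rec["scope"]}
        if grant == "authorization_code":  # a refresh token is issued only with the code exchange
            resp["refresh_token"] = secrets.token_urlsafe(32)
            self.refresh[resp["refresh_token"]] = {"client_id": client_id, "user": rec["user"],
                                                   "scope": rec["scope"]}
        return resp


class Client:
    """Third-party site asking for delegated, scoped access to the user's data."""
    def __init__(self, client_id, secret, redirect_uri):
        self.client_id, self.secret, self.redirect_uri = client_id, secret, redirect_uri
        self.pending_state = None

    def authorization_url(self, scope):
        self.pending_state = secrets.token_urlsafe(16)  # ties the callback to this browser session
        return "https://as.example/authorize?" + urlencode({
            "response_type": "code", "client_id": self.client_id, "scope": scope,
            "redirect_uri": self.redirect_uri, "state": self.pending_state})

    def handle_callback(self, callback_url, server):
        p = dict(parse_qsl(urlparse(callback_url).query))
        if not self.pending_state or p.get("state") != self.pending_state:
            raise PermissionError("state mismatch: CSRF or an injected code")
        self.pending_state = None
        return server.token({"grant_type": "authorization_code", "code": p["code"],
                             "redirect_uri": self.redirect_uri}, self.client_id, self.secret)


def run_flow():
    """Whole exchange for user alice; returns (server, client, token response, code used)."""
    server, client = AuthorizationServer(), Client(*CLIENT_ARGS)
    auth_url = client.authorization_url("photos:read")   # 1. client sends the browser to the AS
    callback = server.authorize(auth_url, user="alice")  # 2. alice logs in there and consents
    tokens = client.handle_callback(callback, server)    # 3. client checks state, swaps the code
    return server, client, tokens, dict(parse_qsl(urlparse(callback).query))["code"]


def attacks_rejected():
    """Two constructed misuse cases: replaying a spent code, and a CSRF'd callback."""
    server, client, _, code = run_flow()
    results = {}
    try:
        server.token({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": client.redirect_uri}, client.client_id, client.secret)
        results["replay"] = False
    except PermissionError:
        results["replay"] = True
    victim = Client(*CLIENT_ARGS)
    victim.authorization_url("photos:read")  # victim's login is in progress, state pending
    foreign = server.authorize(Client(*CLIENT_ARGS).authorization_url("photos:read"), "mallory")
    try:
        victim.handle_callback(foreign, server)  # attacker feeds the victim mallory's code
        results["csrf"] = False
    except PermissionError:
        results["csrf"] = True
    return results
```

Running run_flow() yields a bearer access token plus a refresh token for alice; presenting the refresh token to token() with the client's secret returns a fresh access token and no new refresh token. attacks_rejected() returns {"replay": True, "csrf": True}: the spent code is refused because it was popped on first use, and the callback carrying mallory's code is refused because its state does not match the one the victim's session issued. Everything here travels over plain function calls; in a deployment each message is an HTTPS request, which is what makes bearer tokens safe to carry at all.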

BYOI gives site visitors single sign-on, but some users will see it as trading privacy for convenience, so it is good practice to offer it as an option rather than a requirement. Keeping a local registration path also keeps the site usable when an identity provider is unavailable, and accommodates users who do not want to share their provider profile data with a particular site or application.



This was last published in December 2014


Does your organization use OAuth 2.0 or BYOI? What benefits has it experienced?
We are aware of BYOI but currently prefer OAuth 2.0. Aside from the refresh token that we use for security reasons when accessing unencrypted content, OAuth 2.0 simplifies communications between the client, server, and content provider.

We use OAuth 2.0 for all single-page JavaScript apps, native desktop apps, native mobile apps, traditional web apps, and server-side apps where you have a user who's not directly involved granting you permission to do something on their behalf.