People have become more sensitive about internet security and privacy. “Mobile apps, web APIs, and cloud services – yes, I like and use them, but … is my data really secure there? Can I control what happens to my data and who can access it?” These and many related questions are top-of-mind for cloud and mobile users. And who can blame them? Given the recent incidents of compromised accounts and stolen passwords, such questions are more than justified.
Organizations that offer mobile apps and cloud services have to answer these questions for their users. Those organizations are no longer just web startups, Google and Facebook: today, business in almost every industry is becoming digital business, so companies across all industries need to think about information security. To differentiate themselves, more and more traditional businesses are creating digital services for their customers.
An example: Sarah uses her car insurer’s mobile app to register a claim for a minor accident. In the app she first has to authenticate with her username and password. Because typing a password is cumbersome, the app saves the credentials on the device.
A second example: Tim wants his tweets to appear on LinkedIn automatically so that he can stay in touch with his business contacts. For that, LinkedIn needs access to Tim’s Twitter account. The simplest solution would be to hand LinkedIn his Twitter credentials, so that LinkedIn can read his tweets directly.
Both “solutions”, however, carry a considerable security risk: Sarah’s password sits unprotected on her phone, and Tim’s password is handed to another cloud service. Both are instances of the “Password Anti-Pattern”. A password cannot be scoped: whoever holds it can do everything the account owner can, and the only way to take that access back is to change the password, which also breaks every other place it is used. In practice, this approach is not acceptable.
What should be used instead is OAuth 2.0 (RFC 6749), a framework for HTTP-based access delegation: the user grants a client application limited access to a resource without ever handing it the password.
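To make the difference concrete, here is a small added illustration of the two access models (example code written for this page, not code from the original post or from any real service). The TweetStore resource server, the action names and the scope names are invented; real OAuth 2.0 mints tokens through an authorization server, which is reduced here to a single issue_token() call made by the account owner himself.

```python
"""Toy model of the password anti-pattern versus delegated, scoped access.

Added example, not code from the original post. TweetStore, the action
names and the scope names are hypothetical; a real deployment would obtain
the token from an OAuth 2.0 authorization server rather than from
issue_token().
"""
import hmac
import secrets

# Which scope an action requires (hypothetical scope names).
ACTION_SCOPE = {
    "read_tweets": "tweets:read",
    "post_tweet": "tweets:write",
    "read_dms": "dms:read",
}


class TweetStore:
    """Tim's account at a hypothetical tweet service (the resource server)."""

    def __init__(self, password: str) -> None:
        self._password = password
        self._tweets = ["Launching our new product today"]
        self._dms = ["private: salary negotiation"]
        self._tokens: dict[str, frozenset[str]] = {}  # token -> granted scopes

    def _check_password(self, password: str) -> None:
        # Constant-time comparison; a wrong password is rejected outright.
        if not hmac.compare_digest(password.encode(), self._password.encode()):
            raise PermissionError("wrong password")

    # --- Password anti-pattern: whoever holds the password *is* Tim. ---
    def with_password(self, password: str, action: str):
        self._check_password(password)
        return self._perform(action)  # no way to limit what the caller may do

    # --- Delegation: the owner mints a scoped token for the third party. ---
    def issue_token(self, owner_password: str, scopes) -> str:
        self._check_password(owner_password)  # only Tim himself can do this
        token = secrets.token_urlsafe(16)
        self._tokens[token] = frozenset(scopes)
        return token

    def revoke(self, token: str) -> None:
        # Tim can cut the third party off without changing his password.
        self._tokens.pop(token, None)

    def with_token(self, token: str, action: str):
        scopes = self._tokens.get(token)
        if scopes is None:
            raise PermissionError("unknown or revoked token")
        needed = ACTION_SCOPE[action]
        if needed not in scopes:
            raise PermissionError(f"token lacks scope {needed}")
        return self._perform(action)

    def _perform(self, action: str):
        if action == "read_tweets":
            return list(self._tweets)
        if action == "read_dms":
            return list(self._dms)
        if action == "post_tweet":
            self._tweets.append("posted by a third party")
            return len(self._tweets)
        raise ValueError(action)


def compare_access_models() -> dict:
    """Run the 'show my tweets on LinkedIn' feature both ways and record
    what the third party could do in each case."""
    store = TweetStore("tims-secret")
    result = {}

    # Anti-pattern: LinkedIn stores Tim's password and can read his DMs too.
    linkedin_password_copy = "tims-secret"
    result["password_reads_tweets"] = store.with_password(linkedin_password_copy, "read_tweets")
    result["password_reads_dms"] = store.with_password(linkedin_password_copy, "read_dms")

    # Delegation: Tim issues a token limited to reading tweets.
    token = store.issue_token("tims-secret", ["tweets:read"])
    result["token_reads_tweets"] = store.with_token(token, "read_tweets")
    for action in ("read_dms", "post_tweet"):
        try:
            store.with_token(token, action)
            result[f"token_{action}"] = "allowed"
        except PermissionError as exc:
            result[f"token_{action}"] = str(exc)

    # Tim revokes LinkedIn's token; his password is unaffected.
    store.revoke(token)
    try:
        store.with_token(token, "read_tweets")
        result["after_revoke"] = "allowed"
    except PermissionError as exc:
        result["after_revoke"] = str(exc)
    result["owner_still_logs_in"] = store.with_password("tims-secret", "read_tweets")
    return result


if __name__ == "__main__":
    for key, value in compare_access_models().items():
        print(f"{key}: {value}")
```

The point of the comparison is the two properties a password lacks and a delegated token has: scope (the token can read tweets but not direct messages, and cannot post) and per-client revocation (Tim withdraws LinkedIn’s access while his own login keeps working).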
Also published on Medium.