People have become more sensitive about internet security and privacy. “Mobile apps, web APIs, and cloud services – yes, I like and use them, but … is my data really secure there? Can I control what happens to my data and who can access it?” These and many related questions are top-of-mind for many cloud and mobile users. And who can blame them? Given the recent incidents of compromised accounts and stolen passwords, these questions are more than justified.
Organizations that offer mobile apps and cloud services have to answer these questions for their users. These organizations are no longer only web startups and companies like Google and Facebook. Today, businesses in almost every industry are transforming into digital businesses, and to differentiate themselves, more and more traditional businesses create digital services for their customers. Businesses across all industries thus need to think about information security.

An example: Sarah uses her car insurance company’s mobile app to register a claim for a minor accident. In the app, she first has to authenticate by entering her username and password. Because entering passwords is cumbersome, the app saves the credentials on the device.

A second example: Tim wants his tweets from Twitter to appear on LinkedIn automatically, to stay in touch with his business contacts. To realize this, LinkedIn needs access to Tim’s Twitter account. The simplest solution would be to give LinkedIn Tim’s Twitter username and password, so LinkedIn can fetch his tweets directly.

However, both “solutions” are a serious security risk. Sarah’s password sits unprotected on the phone, where any app or person with access to the device can read it. Tim’s password is handed to another cloud service, which can then do everything Tim can do on Twitter, not just read his tweets; if that service is breached, the password is exposed, and the only way for Tim to withdraw the access is to change his password, which also breaks every other integration that stored it. Both instances are examples of the “Password Anti-Pattern”, and in practice this approach cannot be used.

What should be used instead is OAuth 2.0, a framework for HTTP-based access delegation: the user authorizes a client application to access a defined subset of their resources, and the client receives an access token scoped to that subset instead of the user’s password. The token can be limited in scope and lifetime and revoked for one client without affecting the password or other clients.
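To make the difference concrete, here is an added example (not code from the original post or from any OAuth 2.0 library) that simulates the two approaches side by side for Tim’s case: a “tweets” API that a third party first accesses with Tim’s password, and then with an OAuth 2.0-style opaque, scoped, revocable access token. The user, password, tweets, client name and scope strings are constructed sample data, and the redirect and consent steps of a real OAuth 2.0 authorization flow are deliberately left out; the point shown is what the third party holds and what the user can do about it.

```python
"""Password anti-pattern vs. OAuth 2.0-style delegated access (added example).

Simulates a resource server (a "tweets" API) and a third-party client, first
with a shared password, then with an opaque, scoped, revocable token. All
names, users, passwords and scope strings are hypothetical sample data.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


class AuthError(Exception):
    pass


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


_SALT = b"constructed-static-salt"  # one salt for brevity; use a per-user salt in practice
USERS = {"tim": _hash("correct horse battery staple", _SALT)}  # constructed sample user
TWEETS = {"tim": ["hello world"]}                                # constructed sample data


def check_password(user: str, password: str) -> bool:
    stored = USERS.get(user)
    return stored is not None and hmac.compare_digest(stored, _hash(password, _SALT))


# --- 1. Password anti-pattern: the third party holds the user's password -----
def api_with_password(user: str, password: str, action: str, text: str = "") -> list:
    """Once the password is known, every action is allowed: no scope, no per-client revocation."""
    if not check_password(user, password):
        raise AuthError("bad credentials")
    if action == "post":
        TWEETS[user].append(text)
    elif action == "delete_all":
        TWEETS[user].clear()
    return list(TWEETS[user])


def change_password(user: str, new_password: str) -> None:
    """The only way to cut off a third party that holds the password;
    it also breaks every other integration that stored the old one."""
    USERS[user] = _hash(new_password, _SALT)


# --- 2. OAuth 2.0-style delegation: an opaque token bound to user, client, scope ---
@dataclass
class Grant:
    user: str
    client_id: str
    scopes: frozenset
    expires_at: float
    revoked: bool = False


TOKENS = {}  # authorization server's token store: opaque handle -> Grant


def issue_token(user: str, client_id: str, scopes: set, ttl: int = 3600) -> str:
    """Issued after the user authenticates at the authorization server and consents
    (those steps are elided here); the client never sees the password."""
    token = secrets.token_urlsafe(32)
    TOKENS[token] = Grant(user, client_id, frozenset(scopes), time.time() + ttl)
    return token


def revoke_client(user: str, client_id: str) -> int:
    """User withdraws one client's access; the password and other clients are untouched."""
    revoked = 0
    for grant in TOKENS.values():
        if grant.user == user and grant.client_id == client_id and not grant.revoked:
            grant.revoked = True
            revoked += 1
    return revoked


def api_with_token(token: str, action: str, text: str = "") -> list:
    """Resource server: validates the token, then enforces the scope the action needs."""
    grant = TOKENS.get(token)
    if grant is None or grant.revoked or time.time() > grant.expires_at:
        raise AuthError("invalid, revoked or expired token")
    needed = {"read": "tweets.read", "post": "tweets.write", "delete_all": "tweets.write"}[action]
    if needed not in grant.scopes:
        raise AuthError(f"token lacks scope {needed}")
    if action == "post":
        TWEETS[grant.user].append(text)
    elif action == "delete_all":
        TWEETS[grant.user].clear()
    return list(TWEETS[grant.user])


if __name__ == "__main__":
    linkedin = issue_token("tim", "linkedin", {"tweets.read"})
    print(api_with_token(linkedin, "read"))          # read works
    try:
        api_with_token(linkedin, "delete_all")       # write is refused: wrong scope
    except AuthError as e:
        print("refused:", e)
    print("revoked grants:", revoke_client("tim", "linkedin"))
```

With the read-only token, the third party can fetch tweets but cannot post or delete, and Tim can cut it off with `revoke_client` while his password and any other clients keep working. With the password, the same party could wipe his account, and the only remedy is `change_password`, which locks out everything else that stored it.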

Learn more about OAuth 2.0.

The Password Anti-Pattern

Also published on Medium.

Matthias Biehl

As API strategist, Matthias helps clients discover their opportunities for innovation with APIs & ecosystems and turn them into actionable digital strategies. Based on his experience in leading large-scale API initiatives in both business and technology roles, he shares best practices and provides both strategic and practical guidance. He has stayed a techie at heart and at some point, got a Ph.D. Matthias publishes a blog at api-university.com, is the author of several books on APIs, and regularly speaks at technology conferences.