Twitter Switches to OAuth This Morning

The Twitter API will make a final change for third-party app developers this morning (8am Pacific time), dropping Basic Auth in favor of OAuth. Users of applications that haven’t kept up with Twitter news will find themselves suddenly out in the cold when Twitter starts rejecting their status updates. Fortunately, most popular Twitter apps (such as TweetDeck, Twitterrific, Seesmic, and Twitter for Android) have already made the switch.

The move by Twitter, as explained by Joab Jackson from PCWorld, is meant to better protect Twitter users from spoofing and other identity hijacks. He writes:

On a page explaining the reasons behind the change, Twitter gave several reasons that OAuth is superior to Basic Auth. The new protocol won’t ask users to provide the password directly to third-party sites. It makes spoofing of applications more difficult. It will help Twitter fight spam, and it paves the way for more trusted services.

When a user signs onto a third-party application with OAuth, the app itself doesn’t get access to the user name and password. Instead, Twitter itself will provide a sign-in module, which in turn provides a key to the application provider should the log-in succeed.

Identity hijacking is a huge problem across social networking, and it has been a gigantic scourge of e-mail. In fact, the ability to spoof the origin of a message has become the core hallmark of spam within communities. Even systems like Twitter must find ways to protect themselves, and their users, from the numerous bogus accounts created for the sole purpose of delivering unsolicited advertisements. I know I receive at least two requests a week from throwaway accounts (which, by the time I check them out, Twitter catches and disables), but without better authentication, spammers could instead pretend to be you (or your friends).

The change from Basic Auth to OAuth, as the Basic Auth shutdown announcement explains, will enable Twitter to keep your username and password (login credentials) out of the hands of the third-party app. This means that you and Twitter, and only you and they, get to control your access to Twitter. It will prevent a dishonest third-party application from surreptitiously storing your username and password and passing them along so that some other application can pretend to be you.
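The difference in what a third-party app has to hold and transmit can be seen in the two request headers. The Python below is an added example, not code from Twitter or from the original article; it assumes OAuth 1.0a with HMAC-SHA1 signing as specified in RFC 5849, and the URL, user, keys, secrets, nonce and timestamp are all constructed placeholders.

```python
import base64, hashlib, hmac
from urllib.parse import quote

# Constructed sample values (placeholders, not real credentials or endpoints).
URL = "https://api.example.com/statuses/update.json"
USER, PASSWORD = "alice", "correct horse battery staple"
CONSUMER_SECRET, TOKEN_SECRET = "app-secret-issued-to-developer", "token-secret-for-alice"
OAUTH_PARAMS = {
    "oauth_consumer_key": "app-key-123",
    "oauth_token": "alice-access-token",
    "oauth_nonce": "7d8f3e4a",           # fixed here for reproducibility; random per request
    "oauth_timestamp": "1283270400",     # fixed here; current Unix time in practice
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_version": "1.0",
}

def pct(value):
    """Percent-encode as OAuth 1.0a requires: only RFC 3986 unreserved characters stay bare."""
    return quote(str(value), safe="-._~")

def basic_auth_header(username, password):
    """Basic Auth: the app must hold the password, and sends it on every request."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()

def recover_basic_credentials(header):
    """Anyone who sees or stores the header gets the password back: base64 is not encryption."""
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, password

def oauth1_signature(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the signature base string (method, URL, sorted encoded parameters)."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base_string = "&".join([method.upper(), pct(url), pct(normalized)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    return base64.b64encode(hmac.new(key, base_string.encode(), hashlib.sha1).digest()).decode()

def oauth1_header(method, url, request_params, consumer_secret, token_secret):
    """OAuth: the header carries key ids and a signature, never the password or the secrets."""
    sig = oauth1_signature(method, url, {**request_params, **OAUTH_PARAMS},
                           consumer_secret, token_secret)
    fields = sorted({**OAUTH_PARAMS, "oauth_signature": sig}.items())
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in fields)

if __name__ == "__main__":
    print(basic_auth_header(USER, PASSWORD))
    print(oauth1_header("POST", URL, {"status": "Hello, world!"}, CONSUMER_SECRET, TOKEN_SECRET))
```

The service recomputes the same signature with its own copy of the secrets, so revoking one app's token cuts that app off without the user changing a password.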

That’s the upshot of this change.

Most people won’t even notice it, of course, if the applications they use have kept up with Twitter news.

However, because there are still many obscure applications out there that use Twitter, we might see a flood of complaints and concerned troubleshooters today.