The emerging OAuth 2.0 web API authorisation protocol, already deployed by Facebook, Salesforce.com and others, is coming under increased criticism for being too easy to use, and therefore to spoof by malicious hackers.
"The OAuth community has made a big mistake about the future direction of the protocol," wrote Yahoo director of standards development Eran Hammer-Lahav in a blog post last week. Hammer-Lahav's criticism may carry more weight than those from the usual naysayer, because he is actually one of the creators of OAuth.

"What makes this more frustrating is that the people behind [OAUTH 2.0] are some of the brightest security minds on the Web. These guys know exactly what they are doing, and it's not like they don't care," Hammer-Lahav wrote. "They just gave up and decided that the best they can do is maintain the status quo. They are also representing a large and powerful coalition of big companies too lazy to work a little harder."

The link for this article located at Tech News World is no longer available.