There’s a huge elephant in the room – that no one wants to admit is there.
Over the last year, a number of different services have emerged that ask users to share with them their username/password information for other services to support some sort of integration.
The core example of this is updating status messages across services. For example, today you can use FriendFeed to automatically have your FriendFeed posts shared with your Twitter account – but to do so, you have to share your Twitter account username/password with FriendFeed.
Another example is Ping.fm – which attempts to act as sort of a master hub for status information updates. Again, to use Ping.fm, you have to share with Ping.fm the username/password information for all of the other services you want it to update.
Unfortunately, these services are gradually educating consumers that it’s OK to share their username/password details with “intermediaries” – other service providers who are offering ancillary services. Doing so for status information doesn’t represent any significant financial risk – although, if a compromise were to occur, reputational damage certainly might result.
Clearly, we need an alternative approach – one that doesn’t require users to cough up their username/password credentials to another, somewhat unrelated service, where those credentials become one more security exposure.
Technologies exist to enable this capability without sharing credentials – but they’re more cumbersome for users and for the services that are trying to provide the intermediary services.
At the moment, we’re sliding down a slippery slope. Before something bad happens, there needs to be a serious focus on getting this right – shedding the current approach of sharing credentials with intermediaries and, rather, enabling new web services to perform as authorized proxies on behalf of authenticated users.
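To make the "authorized proxy" idea concrete, here is a sketch added to this post (not code from any of the services named above): the user authenticates only to the status service, which hands the intermediary a signed grant limited to posting status updates. `StatusService`, the `status:write` and `account:admin` scope names, and the token layout are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

class StatusService:
    """Constructed stand-in for the service that owns the user's account."""
    def __init__(self):
        self._key = secrets.token_bytes(32)   # signing key, never leaves the service
        self._revoked = set()
        self.statuses = []

    def _sign(self, payload):
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def issue_grant(self, user, client, scopes, ttl=3600):
        # Runs after the user has logged in here and approved `client`;
        # the intermediary receives this token, never the password.
        grant_id = secrets.token_hex(8)
        expires = int(time.time()) + ttl
        payload = "|".join([grant_id, user, client, ",".join(sorted(scopes)), str(expires)])
        return payload + "|" + self._sign(payload)

    def revoke(self, token):
        # The user withdraws one intermediary's access without changing the password.
        self._revoked.add(token.split("|")[0])

    def _authorize(self, token, needed_scope):
        try:
            payload, sig = token.rsplit("|", 1)
            grant_id, user, client, scopes, expires = payload.split("|")
        except ValueError:
            return None
        if not hmac.compare_digest(sig.encode(), self._sign(payload).encode()):
            return None                        # forged or altered grant
        if grant_id in self._revoked or int(expires) < time.time():
            return None
        return user if needed_scope in scopes.split(",") else None

    def post_status(self, token, text):
        user = self._authorize(token, "status:write")
        if user is None:
            return False
        self.statuses.append((user, text))
        return True

    def change_password(self, token, new_password):
        # Sensitive action: a status-only grant is refused here.
        return self._authorize(token, "account:admin") is not None
```

A shared password would have allowed every one of these calls and could only be withdrawn by changing it everywhere; the grant is limited to one action, expires on its own, and can be revoked per intermediary.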