Reasons why we are using OAuth (TL;DR you should, too)
At Koliseo we don't ask for usernames and passwords. Let me tell you why.
In a typical day we get up in the morning and scan our e-mail, maybe answer some. We connect to Twitter, Facebook or Google+ and socialize a bit. We do this during the commute, or after breakfast, or before breakfast, or half asleep. Before the day has even started we are already juggling up to five different usernames and passwords, and that's before we connect to the services that Do Real Work.
There are hundreds of websites out there and we want to use them all, but a single mind cannot hold that many passwords. That leaves three options: write them down (scary), reuse them (insecure: one breached site exposes every other account that shares the password) or hand them to a service like LastPass (risky: one vault is a single point of failure).
Now, things don't have to be this way. Standards like OpenID and OAuth2 (with OpenID Connect layered on top to turn authorization into sign-in) make it possible to log in with credentials held by an identity provider, so you can buy your tickets in Koliseo with your GMail account and Koliseo never sees your password. This is not about one less username and password in the world; it is about hundreds of attendees per event who do not need to memorize Yet Another Password. For each event organized, that is hundreds of passwords our platform never has to store, and so can never leak.
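To make the sentence above concrete, here is the client side of the OAuth2 authorization-code flow that a site like Koliseo runs when it delegates sign-in to a provider. This is an added example, not Koliseo's code or the provider's; the endpoint URLs, client id and redirect URI are hypothetical, and the `FakeProvider` is a constructed stand-in for the authorization server so the exchange runs offline. It shows the two checks a practitioner must not skip: the `state` parameter that ties the callback to the browser that started the login (against login CSRF), and a PKCE verifier that a stolen authorization code cannot be redeemed without. Who the user actually is would come from the OpenID Connect id_token or userinfo endpoint, which is left out here.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical endpoints and client registration, for illustration only.
AUTHORIZE_URL = "https://provider.example/oauth2/authorize"
TOKEN_URL = "https://provider.example/oauth2/token"
CLIENT_ID = "koliseo-demo-client"
REDIRECT_URI = "https://app.example/oauth2/callback"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for the PKCE challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def start_login(session: dict) -> str:
    """Step 1 (client): build the authorization URL the browser is redirected to.

    `state` goes into the server-side session so the callback can be tied to
    this browser; the PKCE verifier stays secret here and only its SHA-256
    challenge travels to the provider.
    """
    state = secrets.token_urlsafe(32)
    verifier = secrets.token_urlsafe(64)
    session["oauth_state"] = state
    session["pkce_verifier"] = verifier
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": state,
        "code_challenge": b64url(hashlib.sha256(verifier.encode("ascii")).digest()),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def handle_callback(session: dict, callback_url: str, post_form) -> dict:
    """Step 3 (client): verify the redirect, then exchange the code for tokens.

    `post_form(url, fields)` performs the back-channel POST to the token
    endpoint and returns the decoded JSON body; it is injected so the demo
    runs offline.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise RuntimeError(f"provider returned error: {query['error'][0]}")
    # Pop, so each state and verifier can be used exactly once.
    expected_state = session.pop("oauth_state", None)
    verifier = session.pop("pkce_verifier", None)
    received_state = query.get("state", [""])[0]
    if not expected_state or not secrets.compare_digest(expected_state, received_state):
        raise RuntimeError("state mismatch: possible login CSRF, aborting")
    if "code" not in query:
        raise RuntimeError("callback without authorization code")
    fields = {
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }
    tokens = post_form(TOKEN_URL, fields)
    if "access_token" not in tokens:
        raise RuntimeError(f"token exchange failed: {tokens.get('error', 'unknown')}")
    return tokens


class FakeProvider:
    """Constructed stand-in for the authorization server (not a real provider).

    It issues a single-use code bound to the PKCE challenge and redirect URI,
    and checks both at the token endpoint, as a real provider does.
    """

    def __init__(self):
        self.pending = {}  # code -> (code_challenge, redirect_uri)

    def authorize(self, authorize_url: str) -> str:
        """Step 2 (provider): user signs in there; return the redirect back to the client."""
        q = parse_qs(urlparse(authorize_url).query)
        assert q["response_type"][0] == "code" and q["code_challenge_method"][0] == "S256"
        code = secrets.token_urlsafe(16)
        self.pending[code] = (q["code_challenge"][0], q["redirect_uri"][0])
        return f"{q['redirect_uri'][0]}?{urlencode({'code': code, 'state': q['state'][0]})}"

    def token(self, url: str, fields: dict) -> dict:
        """Token endpoint: code is single-use, redirect_uri must match, verifier must hash to the challenge."""
        entry = self.pending.pop(fields.get("code"), None)
        if entry is None:
            return {"error": "invalid_grant"}  # unknown or already-redeemed code
        challenge, redirect_uri = entry
        verifier = fields.get("code_verifier") or ""
        recomputed = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
        if fields.get("redirect_uri") != redirect_uri or not secrets.compare_digest(recomputed, challenge):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer", "expires_in": 3600}


if __name__ == "__main__":
    provider, session = FakeProvider(), {}
    login_url = start_login(session)               # redirect the browser here
    redirect_back = provider.authorize(login_url)  # user authenticates at the provider
    print(handle_callback(session, redirect_back, provider.token))
```

In a real deployment the provider's token endpoint is also where the client secret is presented (server-side clients), and the tokens are then used once to fetch the user's identity and create a local session; the password never crosses into the site at any step.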
Delegating sign-in also removes a whole class of work you would otherwise have to build and get right. CAPTCHA on the login form? Check, the provider's problem. Salted, slow password hashing against rainbow-table attacks? Check. Password recovery link? Check. Password recovery e-mail buried in the spam folder? Check. Suddenly your website has turned one month of bugfixes into one week of integration. What stays on your side is validating the state parameter on the callback and protecting the session cookie you issue afterwards; those are the only two pieces that can now go wrong.
If you want to join us and contribute to a more secure Internet but find the spec hard to swallow, check out The OAuth Bible by the Mashape team. It's a no-fluff, just-stuff walk through the spec for those who want the practical approach.