OAuth (pronounced “oh-auth”) is a technological standard that allows you to share information between services without exposing your password. It’s a widely-adopted standard that’s used by developers of websites and apps, and you probably use services every day that utilize OAuth.
How does OAuth work, and how does it protect your personal information? Let’s answer your questions.
The information-sharing dilemma
We have lots of digital accounts in the modern age. We have social media accounts, we have online bank accounts, we have online accounts at businesses and retailers, and we have accounts on our favorite websites. All of these digital accounts require that we set up a username and password.
Another aspect of our modern society is that many of our online services are integrated. For example, if you have a smartphone you can post your photos to Facebook. You can share a good blog post on Twitter. You can link payment apps, like Venmo, to your bank account. It seems as if all online services nowadays are designed to interact with other interfaces.
That’s where you risk your privacy being compromised. By enabling data sharing, you’re giving a third-party access to your private information.
Does that mean you shouldn’t link accounts? Nope! Standards like OAuth keep your personal information safe during data transfers between third parties.
How OAuth works
What if one third-party service wants to use information that you have on another third-party service? So for example, you want to share one of your Instagram photos to Facebook. You’d think that Facebook would ask for your Instagram password so that it can retrieve the photos posted on there. Right?
That’s dangerous, though. The more you give away your passwords, the more likely it is that your passwords will get compromised. That’s where OAuth comes in.
OAuth, which stands for “Open Authorization,” allows third-party services to exchange your information without you having to give away your password.
OAuth tokens
OAuth uses a system of tokens. Well, they’re “access tokens,” to be precise. An access token gives one third-party source temporary access to a limited amount of your personal information on another third-party source [1].
So, in this Instagram-to-Facebook example, Facebook would ask for your permission to access your Instagram account. You approve the request. Facebook would then receive an access token for that single photograph on your Instagram account. Instagram would verify the token and grant Facebook access so it could retrieve the photo.
At no point does Facebook receive the login information for your Instagram.
You’re the only one who can grant access tokens. Some tokens are granted for single use, while others are granted for recurrent use until deactivated (location sharing on your smartphone, for example).
Who uses OAuth?
There are plenty of large companies that provide OAuth services, which is a testament to how widely adopted the standard has become. Some of the major providers are:
- Amazon
- AOL
- Bitly
- Dailymotion
- Etsy
- Facebook
- Goodreads
- Google App Engine
- Instagram
- LinkedIn
- Microsoft
- Netflix
- Tumblr
- Twitter
- Vimeo
- Wordpress
- Yahoo!
There are plenty of other services, too. But as you can see, OAuth is a tried-and-true way of protecting your personal information while also allowing you to conveniently share it between services [2].
How does OAuth differ from other forms of authentication?
There are a few other authentication standards that are commonly used, but OAuth is quite a bit different from them.
SAML
SAML (Security Assertion Markup Language) is an umbrella standard that’s used primarily to manage single sign-on processes. Single sign-on is used mostly in federal and corporate networks, although some libraries may have it as well. It’s where a user logs in to a portal and can access all enterprise-wide information. So, you can log in to a corporate portal and have access to company information, like financial data or memos.
SAML was designed to provide security for single sign-on. It authenticates that the user is someone who’s authorized to have access to information in the portal. When authenticated, SAML gives the user an access token for a single session. SAML doesn’t manage the exchange of data between third parties, which makes it less useful for apps.
OpenID
You might often see OAuth compared to OpenID. Like SAML, OpenID is used primarily to authenticate someone’s identity, not to authorize data exchanges. OpenID allows you to create a single login account that you can use for a variety of websites that work in conjunction. So if you use two different websites that collaborate with each other, you may be able to create one OpenID that works for both websites [3].
Know that OAuth can provide both authorization and authentication. It enables you to share information from one service to another, but some OAuth services may implement protections that require you to log in to an account to prove your identity.
What’s the difference between OAuth 1 and OAuth 2?
OAuth 2.0 was a major upgrade over the first version of OAuth. Many companies provided input for how OAuth 2.0 could improve over its predecessor, including Yahoo!, Facebook, Salesforce, Microsoft, Twitter, and Google.
OAuth 1 was developed primarily for websites. OAuth 2.0 was made more compatible for use by both websites and apps. The second version also allows for a greater variety of access tokens, like having short-lived tokens and long-lived refresh tokens [4].
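To make the token exchange concrete, here is an added example that is not code from this article, from HP, or from any OAuth provider. It models the Instagram-to-Facebook flow from the “OAuth tokens” section together with the short-lived access token and long-lived refresh token mentioned above, as a self-contained Python toy: the client id, client secret, redirect URL, photo contents and token lifetimes are all assumed values, and two in-memory classes stand in for the provider’s authorization server and its photo store.

```python
# Toy model of the OAuth 2.0 authorization-code exchange: a constructed example, not any
# provider's code. The client registration below is assumed; the secret is a demo value
# (a real client would never hard-code it), and every id, URL, photo and timeout is made up.
import hmac
import secrets
import time
from collections import namedtuple

CLIENT_ID = "photo-importer"                      # the client app ("Facebook" role)
CLIENT_SECRET = "demo-client-secret"              # demo value only
REDIRECT_URI = "https://client.example/callback"  # assumed, registered at the provider

# value: opaque random string handed to the client; scope: what it may touch, e.g.
# "photo:read:42" (one photo only); expires_at: absolute time, kept short for access tokens.
Token = namedtuple("Token", "value scope expires_at")

class AuthorizationServer:  # provider side ("Instagram" role): issues codes and tokens
    ACCESS_TTL = 300               # seconds (assumed demo value)
    REFRESH_TTL = 30 * 24 * 3600   # seconds (assumed demo value)

    def __init__(self):
        self._codes, self._access, self._refresh = {}, {}, {}

    def _client_ok(self, client_id, client_secret):  # constant-time secret compare
        return client_id == CLIENT_ID and hmac.compare_digest(client_secret, CLIENT_SECRET)

    def authorize(self, client_id, scope, redirect_uri, user_approved):
        """Step 1: the user approves a consent screen; the client gets a one-time code, never the password."""
        if client_id != CLIENT_ID or redirect_uri != REDIRECT_URI:
            raise PermissionError("unknown client or redirect_uri")
        if not user_approved:
            raise PermissionError("user denied the request")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (scope, redirect_uri)
        return code

    def exchange_code(self, code, client_id, client_secret, redirect_uri):
        """Step 2: the client swaps the code for tokens over a back channel, authenticating itself."""
        entry = self._codes.pop(code, None)  # single use: consumed even if the rest fails
        if entry is None:
            raise PermissionError("invalid or already used code")
        if not self._client_ok(client_id, client_secret) or redirect_uri != entry[1]:
            raise PermissionError("client authentication failed")
        return self._issue(entry[0])

    def _issue(self, scope):
        now = time.time()
        access = Token(secrets.token_urlsafe(32), scope, now + self.ACCESS_TTL)
        refresh = Token(secrets.token_urlsafe(32), scope, now + self.REFRESH_TTL)
        self._access[access.value], self._refresh[refresh.value] = access, refresh
        return access, refresh

    def refresh(self, refresh_value, client_id, client_secret):
        """Step 4: a long-lived refresh token buys a fresh short-lived access token."""
        old = self._refresh.get(refresh_value)
        if old is None or old.expires_at <= time.time() or not self._client_ok(client_id, client_secret):
            raise PermissionError("refresh rejected")
        return self._issue(old.scope)

    def introspect(self, access_value, now=None):  # None if unknown/expired, else the scope
        tok = self._access.get(access_value)
        now = time.time() if now is None else now
        return None if tok is None or tok.expires_at <= now else tok.scope

class PhotoResourceServer:  # the provider's photo store: checks the token before serving
    def __init__(self, auth_server, photos):
        self._auth, self._photos = auth_server, photos

    def get_photo(self, photo_id, access_value, now=None):
        """Step 3: serve the photo only if the token is live and scoped to exactly this photo."""
        scope = self._auth.introspect(access_value, now)
        if scope is None:
            raise PermissionError("token missing, expired or revoked")
        if scope != f"photo:read:{photo_id}":
            raise PermissionError("token was not granted for this photo")
        return self._photos[photo_id]

def _denied(fn, *args):
    try:
        fn(*args)
        return False
    except PermissionError:
        return True

def demo_flow():
    """Run the whole exchange and report whether each protection held."""
    auth = AuthorizationServer()
    photos = PhotoResourceServer(auth, {"42": b"<constructed photo 42>", "43": b"<constructed photo 43>"})
    code = auth.authorize(CLIENT_ID, "photo:read:42", REDIRECT_URI, user_approved=True)
    access, refresh = auth.exchange_code(code, CLIENT_ID, CLIENT_SECRET, REDIRECT_URI)
    new_access, _ = auth.refresh(refresh.value, CLIENT_ID, CLIENT_SECRET)
    return {
        "photo_42_served": photos.get_photo("42", access.value) == b"<constructed photo 42>",
        "photo_43_denied": _denied(photos.get_photo, "43", access.value),
        "code_single_use": _denied(auth.exchange_code, code, CLIENT_ID, CLIENT_SECRET, REDIRECT_URI),
        "expired_access_denied": _denied(photos.get_photo, "42", access.value, access.expires_at + 1),
        "refreshed_access_works": photos.get_photo("42", new_access.value) == b"<constructed photo 42>",
    }
```

Calling demo_flow() walks through the four steps in order: consent, code exchange, photo retrieval, refresh. The checks it reports are the ones worth confirming in any real deployment: the one-time code cannot be exchanged twice, the access token covers exactly one photo and nothing else, an expired access token is refused by the photo store, and the refresh token yields a new access token without the user ever typing an Instagram password into the client.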
Is OAuth guaranteed to protect all of my information?
No authorization or authentication standard is guaranteed to protect your information. If your information is available online, it’s susceptible to being stolen. If hackers breach a server of any service that you use, they could potentially take your login information or personal information, like name, address, and credit card information.
The best way to protect yourself online is to create complex passwords that hackers won’t be able to guess. You should also change your passwords frequently (multiple times per year) so if there’s a data breach, hackers will obtain only your outdated login information. They won’t be able to use your old password to log in to your accounts. Using a virtual private network (VPN) is another great way to protect your privacy.
What makes OAuth great is that it restricts how many third parties know your passwords. No, that doesn’t mean your personal information is 100% safe. But, by reducing how many entities have your passwords, you’ll lessen the chance that your passwords will get compromised.
[1] TechTarget.com: OAuth
About the Author: Zach Cabading is a contributing writer for HP® Tech Takes. Zach is a content creation specialist based in Southern California, and creates a variety of content for the tech industry.