I have previously introduced a plugin that adds Bit.ly link shortening capabilities to the Known sharing tool.

I just wanted to post a quick update to note that I have now added full OAuth2 support to the plugin.

Previously, integration was provided by the Generic Access Token, which meant that you could only have one Bit.ly account associated with an install. With OAuth2, each user on a given Known site will be able to link to their own Bit.ly accounts (with their own vanity URLs if they wish).

Pretty neat!

» Visit the project on Github...

I was doing some work on a client website the other day, when the OAuth login code I was using to provide “log in via LinkedIn” support inexplicably stopped working. It would seem that LinkedIn had a (temporary) problem with their OAuth1 API.

A quick Google, and I found that LinkedIn’s OAuth 1 API has been superseded, and I feared that it had finally been switched off. Since there was no word from LinkedIn, and I needed to get functionality working for my client, I rewrote the connector.

This plugin provides “Login via LinkedIn” functionality to Elgg 1.8, enjoy!

» Visit the project on Github…

It seems like just the other day when I had to change a whole bunch of my passwords thanks to LinkedIn having its password database stolen by crackers, and now I’m having to do it again. This time it was Twitter that dropped the ball, but I am at least grateful that they’ve publicised the incident so widely.

Username/Password systems suck, I’ve written about this before. We should, as an industry, aim to move past them as quickly as possible, and it’s nice to see some attempts at this (although, a lot of those attempts are attempts to centralise identity in one form or another).

Like most people, I did recycle passwords on a number of services, and yes I know this was bad, but I only have a limited space in my head and I don’t enjoy having to remember long strings of alphanumeric characters. The main issue I’m having with this latest breach, other than the hassle of having to go around and change a bunch of passwords again (which is largely my fault I admit), is that Twitter, like Facebook and Google, can be used as a way to log into other services via OAuth.

This is very handy, and means that you can quickly sign on to a 3rd party service without having to create yet another password to remember. However, the downside is that this central identity MUST be secure. Facebook and Google both add extra security to their accounts by having 2-factor authentication systems in place, so, when you access your account via a new device, you have to go through an extra security challenge – typically, entering a code sent to your phone or from a key generator app.

Twitter, on the other hand, doesn’t have this extra level of security. This means that the crackers could have access to not only your Twitter account, but also any 3rd party service you’ve used Twitter to log in with.

This is a big deal.

Personally, I think that any service that provides OAuth logins to other services, but doesn’t provide 2-factor authentication, is being somewhat irresponsible, and I really hope that Twitter fixes this with the utmost urgency. I for one will be using my Google account more…