It’s official: Eran Hammer is leaving the IETF OAuth working group. I quote from his blog:
“To be clear, OAuth 2.0 at the hand of a developer with deep understanding of web security will likely result in a secure implementation. However, at the hands of most developers – as has been the experience from the past two years – 2.0 is likely to produce insecure implementations.”
That’s what I felt: OAuth 2.0 does not just add options for more secure authentication, it also adds more insecure options, which are likely to be used, including pages that ask you for your password and transmit it in plain text. And that – not only in my eyes, as it seems – is a huge drawback.
Disclosure: I wrote my bachelor’s thesis on authentication methods.