OAuth vs passwords
Please use OAuth or other ways of authentication on the social network itself instead of the password antipattern
-
We're working on that as we speak (well, type). In the meantime it will comfort you to know that we never store passwords; they are just used that one time to authenticate you with your social network. Clearly it's not the way to go, though; OAuth is our way forward.
I’m encouraged
-
Yes, please count my vote against the password anti-pattern too.
For example: Flickr already has an authorization flow on its API; you guys should use it when available. Twitter has OAuth in beta now too. I am really looking forward to the implementation of these methods of adding networks to Poken without asking for my 3rd-party credentials.
Until then I don't feel like recommending the product to anyone but myself because I don't like to educate other people that it is ok to give away their passwords for a website just because they assure you it is not stored.
Thanks!!
I’m thankful
-
3 months...
Note that this is not only about trusting you, it is also about teaching the users not to type passwords to wrong sites.
BTW: you could also think about a "web auth" scheme for some of the less open sites, just like Google is doing for Google Apps for domains: ask the user to include some HTML code in a web page (blog) whose ownership you want to verify. Then you just need to maintain a list of services and URL patterns (you clearly want to pick a URL where only the profile owner can write, not RSS portals or comment sections).
Regards,
Bernd
I’m sad
-
Another sad vote for this. We know products and websites have priorities, but this should be a top one for Poken.
I’m sad
-
I know you're frustrated (and sad) but your points are well taken. In recent weeks we've made major security upgrades, including moving to Facebook Connect instead of asking usernames/passwords for Facebook, our most popular network. We have also just updated the site to use HTTPS in its sensitive places. In the meantime the rest of our work has been directed toward enhancing usability, which is by far our area of greatest user critique. We're getting there, slowly but surely!
I’m happy to be making progress
-
Bryan, how are you planning to fix the problem of the initial Poken request being plain HTTP? As long as auto-login exists, I just need to sniff this packet and I can log in as that user. Without auto-login, the password is still sent in cleartext until the login page enforces (redirects to) an HTTPS connection.
I’m undecided
-
Sorry for the delay in my response! As of our site update last week, the initial Poken request is valid one-time only. Therefore, even if the URL is sniffed, it won't provide any useful information. Does this address your concern?
-
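The two posts above describe a login link that is valid exactly once, so that a copy sniffed from the plain-HTTP request cannot be reused. The following is an added example (not Poken's code, and not from anyone in this thread) of how such a one-time login token store is typically built: the server keeps only a hash of each token, deletes the entry on the first redemption attempt, and applies a short expiry. The class and function names, the 5-minute lifetime and the injectable clock are choices made for the example. It shows that a replayed token is rejected; it does not make the token safe while it is in transit, which is what HTTPS on the initial request is for.

```python
import hashlib
import secrets
import time


class OneTimeLoginTokens:
    """Issue login tokens that can be redeemed exactly once and expire quickly.

    Only a SHA-256 digest of each token is stored server-side, so a leaked
    copy of the store cannot be turned back into a usable login link.
    """

    def __init__(self, ttl_seconds=300, now=time.time):
        self._ttl = ttl_seconds
        self._now = now                      # injectable clock (for tests)
        self._pending = {}                   # digest -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id):
        """Create a fresh token for user_id; this is what goes into the link."""
        token = secrets.token_urlsafe(32)    # 256 bits of CSPRNG output
        self._pending[self._digest(token)] = (user_id, self._now() + self._ttl)
        return token

    def redeem(self, token):
        """Return the user id if the token is live, otherwise None.

        The entry is removed on the first attempt, whether it succeeds or
        has expired, so a replayed (sniffed) token finds nothing to match.
        """
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None
        return user_id


def demo_replay():
    """Legitimate redemption succeeds; replaying the same link fails."""
    clock = [1_000.0]                        # constructed clock, seconds
    store = OneTimeLoginTokens(ttl_seconds=300, now=lambda: clock[0])
    link_token = store.issue("user-42")      # e.g. carried in the initial request
    first = store.redeem(link_token)         # the real user's browser
    second = store.redeem(link_token)        # an attacker replaying the captured URL
    return first, second


def demo_expiry():
    """An unused token is also useless once its lifetime has passed."""
    clock = [1_000.0]
    store = OneTimeLoginTokens(ttl_seconds=300, now=lambda: clock[0])
    link_token = store.issue("user-42")
    clock[0] += 301
    return store.redeem(link_token)


if __name__ == "__main__":
    print(demo_replay())   # ('user-42', None)
    print(demo_expiry())   # None
```

Deleting the entry on the first attempt rather than only on success is deliberate: an attacker who replays an expired token should not learn anything from a different error path than a random guess would produce.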
I've just bought a Poken, after one of my friends recommended it. I now have buyer's regret after encountering this issue — guess I should have looked here first.
Asking for my passwords to all the social networks I'd like to share sounds at best clueless, and at worst a phishing attack. After being caught out by stupid Twitter apps tweeting on my behalf, I don't trust you one iota. Sorry, but I'm very, very unimpressed.
I’m annoyed
-
I wrote up some more details of why I feel so strongly about this against a screenshot on Flickr, warning my friends against buying. Six months is a long time to wait for OAuth, or for dropping the collection of *our* passwords, and until this issue is resolved I recommend Pokens are best avoided: http://www.flickr.com/photos/psd/3755...
-
Hmmmmm ... any progress on this topic (or most other important topics from Get Satisfaction)??
This is _not_ the way to make me as a customer satisfied ... month after month of waiting with nearly no progress.
I’m frustrated & getting angry
-
Dear all,
We are moving full speed into OAuth! It will be in effect within the next 3-4 weeks. For situations where we will not have implemented it yet by then, or where OAuth is not available, we will not ask for passwords at all.
Best,
Simone
I’m happy
-
I got a Poken the other day and am glad I 'just' have to wait a week or two for OAuth. Although in the case of Poken, I would find OpenID much more appropriate: just identification, while OAuth is for interaction between sites.
For instance, through OAuth I am giving Poken.com access to my FriendFeed wall and contacts, without a clear message about what that authorisation is used for.
For now, people will have to settle for my website and mail addresses!
I’m undecided
-
With Poken.com, I of course meant doyoupoken.com ;)
-
Dear Bernd,
I'm not quite sure what you are referring to? We have had the new site up since the end of last week, and are asking our users who had their Flickr account added in the old version of the site to delete it from their Poken card and re-add it. We have changed the way networks are added to the Poken card (via the secure OAuth); that is why you have to re-add it now, in order for the Flickr pic to then appear above your Poken card in the timeline.
The same goes for Twitter. You should delete it and re-add it, in order for the widget to be activated in your pokenHUB, and in order for your last tweet to then appear above your Poken card in the timeline.
Hope this clarified things?
Cheers!
Simone
-
I hope this can clarify Bernd's problem, one I share:
The OAuth page on Flickr gives this description.
"By authorizing this link, you'll allow DoYouPoken to:
Access your Flickr account (including private content)
Upload, Edit, and Replace photos and videos in your account
Interact with other members' photos and videos (comment, add notes, favorite)
Delete photos and videos from your account"
Beneath this text, Flickr leaves room for the developer (in this case: Poken) for a description of why these rights are needed.
"DoYouPoken provides the following description:
You need to allow Poken application to be able to add Flickr on your card."
Clearly, that's not something we users are easily granting. I have noted before, OpenID would be a more logical approach: easier to implement and safer for us, users. In this case, Poken is asking specifically for all possible rights on my Flickr account while it is not clear why Poken should have the right to delete photos.
-
As Joris points out it seems rather strange that DoYouPoken would require "delete" access permissions...
What's the reason behind this, Simone?
-
Dear all,
We are aware of the issue in the Flickr OAuth messaging raised by Joris and Bernd. You are correct, and thanks for pointing this out!
We are only using OAuth for READ access to a user's Flickr account and will modify our API method for accessing Flickr so that Flickr's messaging will accurately reflect our actual level of account access (i.e. Poken just needs READ access, and we cannot WRITE or DELETE information based on this access).
This will need about a week until it is in production - thank you for bearing with us and for all your feedback!
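Joris's post above shows Flickr granting the app "delete" rights (the top of Flickr's read < write < delete ladder) when the app only reads photos, and the reply promises to narrow the request to read-only. As an added example (not Poken's code and not posted by anyone in this thread), the block below shows the least-privilege check a developer or reviewer would run on such a request: derive the lowest permission level from the operations the app actually performs, build the authorization URL with only that level, and audit a URL the app really sends. It assumes Flickr's OAuth 1.0a authorize endpoint with its `perms` query parameter taking the values read, write and delete; the operation-to-level mapping, function names and the request token value are constructed for the example.

```python
from urllib.parse import parse_qs, urlencode, urlparse

# Flickr's tiered permission levels; each level implies everything below it.
PERM_LEVELS = ("read", "write", "delete")

# Permission level each operation requires (constructed mapping for the
# example; check the API docs for the calls your own app makes).
OPERATION_PERM = {
    "list_photos": "read",            # "read" already includes private content
    "fetch_profile": "read",
    "upload_photo": "write",
    "edit_photo_metadata": "write",
    "comment_on_photo": "write",
    "delete_photo": "delete",
}

# Assumption: Flickr's OAuth 1.0a user-authorization endpoint.
AUTHORIZE_ENDPOINT = "https://www.flickr.com/services/oauth/authorize"


def minimal_perm(operations):
    """Return the lowest permission level that covers every operation."""
    needed = 0
    for op in operations:
        if op not in OPERATION_PERM:
            raise ValueError(f"unknown operation: {op}")
        needed = max(needed, PERM_LEVELS.index(OPERATION_PERM[op]))
    return PERM_LEVELS[needed]


def authorize_url(request_token, operations):
    """Build the user-facing authorization URL, requesting only what is needed."""
    query = {"oauth_token": request_token, "perms": minimal_perm(operations)}
    return AUTHORIZE_ENDPOINT + "?" + urlencode(query)


def audit_authorize_url(url, operations):
    """Compare the perms an app really sends with what its operations need.

    Returns (requested_level, needed_level, over_privileged).
    """
    params = parse_qs(urlparse(url).query)
    requested = params.get("perms", ["read"])[0]   # no perms: treat as lowest
    if requested not in PERM_LEVELS:
        raise ValueError(f"unknown perms value: {requested}")
    needed = minimal_perm(operations)
    over = PERM_LEVELS.index(requested) > PERM_LEVELS.index(needed)
    return requested, needed, over


def poken_case():
    """The situation in the thread: photos are only read, but 'delete' is requested."""
    operations = ["list_photos", "fetch_profile"]
    # Constructed: the over-broad URL as the app was sending it.
    sent = AUTHORIZE_ENDPOINT + "?" + urlencode({"oauth_token": "tok", "perms": "delete"})
    audit = audit_authorize_url(sent, operations)
    fixed = authorize_url("tok", operations)
    return audit, fixed


if __name__ == "__main__":
    audit, fixed = poken_case()
    print(audit)   # ('delete', 'read', True)
    print(fixed)   # ...authorize?oauth_token=tok&perms=read
```

Because the levels are ordered, the audit is a single comparison; the same shape works for any provider whose scopes nest, and for flat scope lists the comparison becomes a set difference between requested and needed scopes.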