Friday, December 21, 2007

It's not just mashups

Web 2.0-style mashups get all the attention for the dubious authentication model in which users must hand their account credentials for some third-party site to the mashing site, so that it can log in as them and pull their data from there.

If the data being pulled is trivial or worthless, you might even be able to defend the model (at least until you remember how people reuse passwords across sites of very different sensitivity).

Yodlee, Geezio, Mint, and Wesabe all use this same third-party authentication model, but for financial data: the user hands over their online banking credentials.

All profess to be 'obsessed with security'. Not surprising.

They all need to look at ID-WSF or OAuth: the user authenticates to the bank directly, in the bank's own pages, and the aggregator receives only a token that is scoped to that one consumer, carries no password, and can be revoked at the bank without touching the user's credentials.
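To make the difference concrete, here is an added illustration (not code from any of the companies named on this page) of the OAuth 1.0 delegation the post is asking for: an aggregator ("consumer") obtains a request token, the user authorizes it by logging in at the bank, the consumer exchanges it for an access token, and every API call is signed with HMAC-SHA1 over the standard OAuth signature base string. The bank, its user, its URLs and its ledger are constructed sample data; the signing helpers follow the OAuth 1.0 spec, while the bank's token bookkeeping is a deliberately small model of a service provider. The consumer never sees the password, a replayed request is rejected by the nonce check, and revoking the token at the bank cuts the consumer off without the user having to change their password.

```python
"""Toy OAuth 1.0-style delegation between an aggregator and a bank (added
example; the bank, user, URLs and ledger below are constructed, not real)."""
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

def pct(s):
    # RFC 3986 percent-encoding as OAuth 1.0 requires: only A-Za-z0-9 - . _ ~ stay literal.
    return quote(str(s), safe="")

def signature_base_string(method, url, params):
    # OAuth 1.0 base string: METHOD & encoded URL & encoded, sorted, encoded parameters.
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret=""):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, signature_base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

class Consumer:
    """The aggregator. It holds its own credentials and bank-issued tokens, never a user password."""
    def __init__(self, key, secret):
        self.key, self.secret = key, secret
    def signed(self, method, url, extra=None, token=None, token_secret=""):
        params = {"oauth_consumer_key": self.key, "oauth_signature_method": "HMAC-SHA1",
                  "oauth_timestamp": str(int(time.time())), "oauth_nonce": secrets.token_hex(8),
                  "oauth_version": "1.0", **(extra or {})}
        if token:
            params["oauth_token"] = token
        params["oauth_signature"] = hmac_sha1_signature(method, url, params, self.secret, token_secret)
        return params

class Bank:
    """The service provider. The password is checked here and only here."""
    BASE = "https://bank.example"  # hypothetical host
    def __init__(self):
        self.users = {"alice": "correct horse battery staple"}  # constructed sample user
        self.ledger = {"alice": [("2007-12-20", "COFFEE", -3.25), ("2007-12-21", "PAYROLL", 2400.00)]}
        self.consumers = {"aggregator-key": "aggregator-secret"}  # registered consumer
        self.request_tokens, self.access_tokens, self.seen_nonces = {}, {}, set()

    def _check(self, method, path, params, token_secret=""):
        secret = self.consumers.get(params.get("oauth_consumer_key"))
        if secret is None:
            raise PermissionError("unknown consumer")
        # Stale timestamps and replayed nonces are rejected before the MAC is even computed.
        if abs(time.time() - int(params.get("oauth_timestamp", 0))) > 300:
            raise PermissionError("stale")
        nonce = (params["oauth_consumer_key"], params.get("oauth_nonce"))
        if nonce in self.seen_nonces:
            raise PermissionError("replay")
        expected = hmac_sha1_signature(method, self.BASE + path, params, secret, token_secret)
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            raise PermissionError("bad signature")
        self.seen_nonces.add(nonce)

    def request_token(self, params):
        self._check("POST", "/oauth/request_token", params)
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.request_tokens[tok] = {"secret": sec, "consumer": params["oauth_consumer_key"],
                                    "user": None, "verifier": None}
        return tok, sec

    def authorize(self, token, username, password):
        # The user logs in on the bank's own page; the consumer is not party to this step.
        if self.users.get(username) != password:
            raise PermissionError("bad login")
        rt = self.request_tokens[token]
        rt["user"], rt["verifier"] = username, secrets.token_hex(4)
        return rt["verifier"]

    def access_token(self, params):
        rt = self.request_tokens.get(params.get("oauth_token"))
        if rt is None or rt["consumer"] != params.get("oauth_consumer_key"):
            raise PermissionError("bad request token")
        self._check("POST", "/oauth/access_token", params, rt["secret"])
        if rt["user"] is None or not hmac.compare_digest(rt["verifier"], params.get("oauth_verifier", "")):
            raise PermissionError("not authorized by user")
        del self.request_tokens[params["oauth_token"]]  # request tokens are single use
        tok, sec = secrets.token_hex(8), secrets.token_hex(16)
        self.access_tokens[tok] = {"secret": sec, "consumer": rt["consumer"], "user": rt["user"]}
        return tok, sec

    def transactions(self, params):
        at = self.access_tokens.get(params.get("oauth_token"))
        if at is None or at["consumer"] != params.get("oauth_consumer_key"):
            raise PermissionError("revoked or unknown token")
        self._check("GET", "/api/transactions", params, at["secret"])
        return list(self.ledger[at["user"]])

    def revoke(self, token):
        # The user revokes at the bank; their password is untouched.
        self.access_tokens.pop(token, None)

def run_flow():
    bank, app = Bank(), Consumer("aggregator-key", "aggregator-secret")
    url = Bank.BASE + "/api/transactions"
    rt, rts = bank.request_token(app.signed("POST", Bank.BASE + "/oauth/request_token"))
    verifier = bank.authorize(rt, "alice", "correct horse battery staple")  # user <-> bank only
    at, ats = bank.access_token(app.signed("POST", Bank.BASE + "/oauth/access_token",
                                           {"oauth_verifier": verifier}, rt, rts))
    result = {"transactions": bank.transactions(app.signed("GET", url, token=at, token_secret=ats))}
    req = app.signed("GET", url, token=at, token_secret=ats)
    bank.transactions(req)
    try:
        bank.transactions(req); result["replay"] = "allowed"  # same nonce twice
    except PermissionError as e:
        result["replay"] = str(e)
    bank.revoke(at)
    try:
        bank.transactions(app.signed("GET", url, token=at, token_secret=ats)); result["after_revoke"] = "allowed"
    except PermissionError as e:
        result["after_revoke"] = str(e)
    return result
```

Calling `run_flow()` returns the user's transactions for the first signed call, "replay" for the reused nonce and "revoked or unknown token" once the bank has revoked the access token. The signing helpers reproduce the OAuth 1.0 specification's HMAC-SHA1 example vector, which is a useful check when wiring a consumer up against a real provider.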


precipice said...

Hey, thanks much for raising this issue -- it's important.

I'm one of the founders of Wesabe. Unlike all of the other companies you mentioned, we do *not* require you to give us your bank or credit card usernames, passwords, or account numbers in order to use our service. We allow you to upload a file downloaded from your bank -- in which case no software but the bank has your password -- or use one of our downloadable agents, the Wesabe Uploaders, which store your passwords on your own computer. In the Uploader case, the Uploader also strips out your account numbers before uploading your transaction data to us.

We participated in the development of OAuth -- take a look at the mailing list and you'll see us asking for more and better security requirements in the spec development process. We also contributed the "security considerations" portion of the OAuth spec, so that people would be clear about the security implications of using OAuth.

I agree that it would be great if banks and credit cards adopted a third-party authentication system like OAuth. However, I don't think they believe it is in their interest to do so. As a result, we've tried to engineer the most secure architecture we can in an environment where the data sources do not support these standards.

I'd be happy to talk about this more if you'd like -- feel free to drop me a line at Again, thanks for raising this important topic.

Marc Hedlund, Wesabe.

Jordan said...

As mashup technology becomes more commonplace and users expect different institutions to be able to spread their data around, these types of technologies will grow in usage. Yodlee uses many existing OASIS security standards in our systems today.
The lack of adoption of ID-WSF or OAuth isn't coming from Yodlee (or Mint, etc.). Yodlee is an innovative technology company and we are always pushing towards the best and most secure way to do things, and we are able to implement quickly. The challenge is having the large financial institutions of the world understand that there is a compelling driver for them to support these new technologies. Give your bank's customer care a call or an e-mail and socialize the idea with them. The sooner these types of technologies are supported in the financial industry, the safer and happier we will all be.
Yodlee, Inc.