EcommerceBytes-NewsFlash, Number 750 - April 29, 2004

eBay's New Security System Takes Effect May 1

eBay users who create new accounts with third-party services may be surprised by a new procedure beginning May 1. Certified developers will no longer ask for eBay User IDs and passwords. Instead, during the registration procedure, users will be taken to an eBay sign-in page. Once users sign in to eBay and give their permission, eBay will send the vendor a token to confirm the user's identity.

The new system, which eBay is calling the Authentication and Authorization program, is part of a security measure that eliminates the need for eBay users to give their passwords to third-party services. Vendors have until May 1 to implement the new system and are reporting they've already made changes and are expecting a smooth transition for users.

"I don't anticipate any technical difficulties with it," said Gui Weinmann of, maker of auction-management software. "It's a pretty simple procedure that uses tokens instead of username/passwords and I'm surprised that this didn't happen sooner." Gui said the new token program makes things safer for eBay users, and it "puts the onus of protecting eBay passwords 100% back in eBay's lap, and that is a good thing. We know how to build secure applications and protect our sensitive information, but not everyone does."

In March, eBay scrapped one part of the new system. The plan called for the use of "hard" and "soft" tokens. Soft tokens were supposed to be a way to change the token without having user interaction, but vendors found it caused a slew of problems, and eBay quickly responded to vendor feedback.

MyStoreCredit, a service to drive repeat traffic to sellers' auctions and storefronts, was an early adopter of the system. "We realized that asking someone to give us their eBay password was like asking someone to give us their ATM password, so we moved to Auth-Auth as soon as we could," said Tabbatha Lawe, President. "There were many early problems, but for the last month or so the system has been highly stable and bug-free. I have no doubt that the move to Auth-Auth is better for the entire eBay community, and I'm certain it has opened up a whole new set of sellers to programs like ours."

The Auth-Auth program required different changes for desktop applications than for hosted systems. Hosted systems are Web-based and don't require users to download software, whereas desktop applications run on the user's own computer.

Kevin Olayan of Foo Dog Software Inc. said he has already made the necessary changes to his "Poster Toaster" listing tool, which is a desktop application.

eBay requires all vendors to join its developers programs, but some third-party services continue to "scrape" eBay data. Vendors of desktop applications that don't use eBay's API say they don't expect any problems. "As I understand it, this only applies to software which uses the eBay API," said one vendor. "My software doesn't use their API because it is far too costly and it would force me to double the price I charge my users just to pay their fees."

One concern voiced by some vendors about the new system is the user interface. When an eBay user signs up for a certified service, they are taken to an eBay sign-in page. eBay uses generic language that is very broad and somewhat intimidating, according to one vendor. Another said, "There might be some confusion for new users when they see the eBay signon page, but that is a usability issue not a technical issue."

In all cases, eBay members should ensure that the URL of the page where they enter their passwords starts with

About the author:

Ina Steiner is co-founder and Editor of EcommerceBytes and has been reporting on ecommerce since 1999. She's a widely cited authority on marketplace selling and is author of "Turn eBay Data Into Dollars" (McGraw-Hill 2006). Her blog was featured in the book, "Blogging Heroes" (Wiley 2008). Follow her on Twitter at @ecommercebytes and send news tips to