You are really asking the wrong question 🙂 OAuth isn't primarily used for protecting the user, but for protecting the service provider (access to the API). OAuth is actually making the situation worse by fooling users into thinking that their "password" is secure. Users might be tempted to use the same password for multiple services - because a password is "secure" - and that's basically a bad idea.

If you really want to improve the security, just use a separate password for API / third-party access. Make sure that this API access password is different from the normal login password. An age-old technique...

If you need to keep the manageability of the API, combine it with xAuth or OAuth. This will make passwords more secure and the login process for third-party apps more seamless (when using xAuth) - and even offer access for non-browser devices (home appliances, whatever).

The most important thing is to use as many passwords as possible and to encourage users and support them to do so. Using the same password for Twitter, Facebook, Gmail and the PlayStation Network and maybe even your banking site might have horrible consequences :-}