Adding OAuth 2.0 support for IMAP/SMTP and XMPP to enhance auth security
    
    
    
    
      By Ryan Troll, Application Security Team

      Cross-posted with the Google Online Security Blog
      
      Our users and developers take password security seriously and so do we. Passwords alone have
      weaknesses we all know about, so we’re working over the long term to support additional
      mechanisms to help protect user information. Over a year ago, we announced a recommendation
      that OAuth 2.0 become the standard authentication mechanism for our APIs so you can make the
      safest apps using Google platforms. You can use OAuth 2.0 to build clients and websites that
      securely access account data and work with our advanced security features, such as 2-step
      verification. But our commitment to OAuth 2.0 is not limited to web APIs.
      Today we’re going a step further by adding OAuth 2.0 support for IMAP/SMTP and XMPP.
      Developers using these protocols can now move to OAuth 2.0, and users will experience the
      benefits of more secure OAuth 2.0 clients.
      
      When clients use OAuth 2.0, they never ask users for passwords. Users have tighter control
      over what data clients have access to, and clients never see a user's password, making it much
      harder for a password to be stolen. If a user has their laptop stolen, or has any reason to
      believe that a client has been compromised, they can revoke the client’s access without
      impacting anything else that has access to their data.
      
      We are also announcing the deprecation of older authentication mechanisms. If you’re using
      these you should move to the new OAuth 2.0 APIs.
      
Our team has been working hard since we announced our support of OAuth in 2008 to
      make it easy for you to create applications that use more secure mechanisms than passwords to
      protect user information. Check out the Google Developers Blog for examples, including the
      OAuth 2.0 Playground and Service Accounts, or see Using OAuth 2.0 to Access Google APIs.
      
      
      
Ryan Troll has been with Google since 2010, and now works with the Application
      Security Team, focusing on OAuth and 2-Step Verification. When not at work, he spends time
      with his family, reads, and occasionally plays poker.
      
      Posted by Scott Knaster, Editor