New Security Measures Will Affect Older (non-OAuth 2.0) Applications
By Antonio Fuentes, Google Identity Team
There is nothing more important than making sure our users and their information stay safe
online. Doing that means providing security features at the user level like 2-Step
Verification and recovery options, and also involves a lot of work behind the scenes, both at
Google and with developers like you. We've already implemented developer tools including
Google Sign-in and support for OAuth 2.0 in Google APIs and IMAP, SMTP and XMPP, and we're
always looking to raise the bar.
That's why, beginning in the second half of 2014, we'll start gradually increasing the
security checks performed when users log in to Google. These additional checks will ensure
that only the intended user has access to their account, whether through a browser, device or
application. These changes will affect any application that sends a username and/or password
to Google.
To better protect your users, we recommend you upgrade all of your applications to OAuth 2.0.
If you choose not to do so, your users will be required to take extra steps in order to keep
accessing your applications.
The standard Internet protocols we support all work with OAuth 2.0, as do most of our APIs. We
leverage the work done by the IETF on OAuth 2.0 integration with IMAP, SMTP, POP, XMPP,
CalDAV, and CardDAV.
In summary, if your application currently uses plain passwords to authenticate to Google, we
strongly encourage you to minimize user disruption by switching to OAuth 2.0.
Antonio Fuentes is a Product Manager working on features to keep Google users safe.
He has also worked on tools for third party developers looking to build on Google
infrastructure.
Posted by Louis Gray, Googler