Google is asking developers who build applications using Google APIs to update their apps to the latest OAuth 2.0 authorization protocol so that user log-ins will be as secure as possible in the future.
The OAuth 2.0 update initiative was announced by Antonio Fuentes of the Google Identity Team in an April 23 post on the Google Developers Blog.
“There is nothing more important than making sure our users and their information stay safe online,” wrote Fuentes. “Doing that means providing security features at the user-level like 2-Step Verification and recovery options, and also involves a lot of work behind the scenes, both at Google and with developers like you. We’ve already implemented developer tools including Google Sign-in and support for OAuth 2.0 in Google APIs and IMAP, SMTP and XMPP, and we’re always looking to raise the bar.”
As part of those continuing efforts, beginning in the second half of 2014 Google will “start gradually increasing the security checks performed when users log in to Google,” he wrote. “These additional checks will ensure that only the intended user has access to their account, whether through a browser, device or application. These changes will affect any application that sends a username and/or password to Google.”
To make those tighter protections a reality for users, wrote Fuentes, “we recommend you upgrade all of your applications to OAuth 2.0. If you choose not to do so, your users will be required to take extra steps in order to keep accessing your applications.”
OAuth 2.0 is an authorization protocol for all Google APIs that relies on Secure Sockets Layer (SSL) for security instead of requiring individual applications to do cryptographic signing directly, according to Google. The protocol allows applications to request access to data associated with a user’s Google account.
“The standard Internet protocols we support all work with OAuth 2.0, as do most of our APIs,” wrote Fuentes. “We leverage the work done by the IETF on OAuth 2.0 integration with IMAP, SMTP, POP, XMPP, CalDAV, and CardDAV.”
Google is suggesting that application developers make the needed changes soon so that user disruption with the apps is minimized, he wrote.
Authentication and authorization protocols for Google APIs, including OAuth 2.0, allow third-party applications to get limited access to a user’s Google account for certain types of activities, according to Google. Google+ Sign-In is another method, providing a simple way to let people use their Google credentials to sign in to Websites. Older methods, such as AuthSub, ClientLogin and OAuth 1.0, are out of favor and should also be upgraded to OAuth 2.0, according to Google.
Google is often busy helping developers and enterprises maintain the online security of their applications and customers.
In December 2013, Google reminded enterprise organizations and their business users about the security safeguards and options that are available to them if accounts are hacked or if mobile devices are lost or stolen. Using available tools from Google, IT administrators can peer into and control how their users’ accounts are working and make changes to recover stolen accounts. Also available are Android device-management tools that help organizations manage Android and Apple iOS smartphones and tablets using the Google Apps Admin console.
In 2013, Google also improved its methods for helping Website owners recover their sites from hackers and hijackers. The improvements included additional security tools so Webmasters can find information about security issues on their site in one place and pinpoint problems faster with detailed code snippets.
In February 2013, Google unveiled similar security information to assist account users overall in the event of hackers, spamming and account hijackings.
In March 2012, Google implemented another account security feature that lets users receive a monthly “account activity” report containing password-protected insights into their use of Google services. With the reports, users can track their Google account usage and be sure that their accounts are not being used by spammers and hackers.