You won't need to provide a password for any email or chat client you use

Sep 18, 2012 11:31 GMT
Developers will be able to add OAuth 2.0 support for Google logins in their email and chat apps

OAuth 2.0 has been the authentication protocol of choice at Google for a while now. It's also the preferred choice of most other big websites. Google made a commitment to switch to OAuth 2.0 for all of its APIs more than a year ago and has since made good on its promise.

Now, it's moving to the next step, adopting OAuth 2.0 for APIs beyond the web, specifically, the IMAP/SMTP and XMPP APIs, the former being used by email clients, the latter by chat clients compatible with XMPP.

One of the great benefits of OAuth 2.0 is that users don't need to provide passwords to anyone but Google. Desktop or mobile clients don't need to know or store your Google password and now they won't have to.

Users who had 2-step verification enabled already had to provide app-specific passwords for email clients such as Thunderbird if they wanted to use Gmail, or for chat clients if they wanted to use Google Talk.

Now, they won't have to provide passwords at all, which not only makes it easier to use 2-step verification, but also improves the security of those not using it.

More often than not, passwords for major accounts are not "hacked" but acquired from other places. One source can be other sites, with poorer security, where you use the same password. Less common but possible is access to passwords stored by applications.

The move to OAuth 2.0 for IMAP/SMTP and XMPP also means the deprecation of older authentication APIs. XOAUTH for IMAP/SMTP, which is based on OAuth 1.0, is being deprecated; it will work in Gmail up until OAuth 1.0 support is cut off. X-GOOGLE-TOKEN and SASL PLAIN for XMPP are also being deprecated.

Google, obviously, encourages developers to move to OAuth 2.0, but it's going to be a while before you'll be seeing the feature in your apps.