Mar 17, 2011 09:21 GMT  ·  By

In recent months, Google has been stepping up security across its properties. HTTPS connections and 2-step verification are just some of the measures taken to ensure that Google users and their data stay safe.

Now Google is turning its attention to developers building on top of Google APIs and products and is urging them to adopt the OAuth standard, which lets their apps work with 2-step verification out of the box because the password and the second factor are only ever entered on Google's own login page.

"By now, many of you have seen our recent announcement regarding 2-step verification for Google Accounts. It’s an optional way of protecting your Google Account from unauthorized access, providing a level of security beyond that of a password alone," Jeffrey Posnick, Google Developer Relations, wrote.

"If your code uses AuthSub or OAuth, then you don’t have to do anything special to accommodate users who have opted-in to 2-step verification," he explained.

"ClientLogin, however, does not fare as well for accounts that have 2-step verification enabled," he added.

Currently, app developers have three ways of letting their apps access users' Google accounts. AuthSub and OAuth let a user grant an app access to their account and data without revealing their credentials to anyone but Google.

OAuth is emerging as the standard way of handling delegated authorization and data access in web apps and is fast becoming widely used. AuthSub offers much of the same functionality but is specific to Google.

However, Google also supports a third method, ClientLogin, in which the app itself collects the user's username and password and sends them to Google in exchange for an authorization token.

This method is being deprecated mostly because of security concerns: the app sees, and usually stores, the user's password. But there is now a second reason to drop ClientLogin in favor of standard OAuth: 2-step verification will not work with it out of the box, because a password alone is no longer enough to sign in to such an account.

Since the login step in AuthSub and OAuth is handled on Google's own pages, any change to the login interface or process, such as prompting for a verification code, is invisible to the developer and the third-party app, which needs no code changes.

Those using ClientLogin, however, will have to ask users with 2-step verification to generate an app-specific password in their account settings and enter that in place of their regular password. This is the only way such accounts can be reached by desktop apps, such as email clients, or any other app that uses a custom login UI. An app-specific password is still a long-lived credential that the app has to store and send, so the password-handling risks of ClientLogin remain.

A much better alternative, Google says, is simply to implement OAuth, preferably OAuth 2.0, which the Google APIs have begun to support.
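As an added illustration, not code from the article or from Google, here is the shape of the two exchanges described above in Python: the form body and response parsing of ClientLogin, which must now recognise the InvalidSecondFactor answer a 2-step-verification account returns, beside the OAuth 2.0 authorization-code flow, in which the app only ever handles an authorization code and tokens. The endpoints and field names follow Google's documentation of the time (check the current documentation before relying on them); the client_id, client_secret, redirect URI and sample responses are constructed for the example.

```python
"""Added example: what a third-party app sends under ClientLogin versus OAuth 2.0.

Endpoints and field names follow Google's 2011-era documentation; the sample
responses and client identifiers used in tests are constructed, not real.
"""
import json
import secrets
import urllib.parse
import urllib.request

CLIENTLOGIN_URL = "https://www.google.com/accounts/ClientLogin"
OAUTH2_AUTH_URL = "https://accounts.google.com/o/oauth2/auth"
OAUTH2_TOKEN_URL = "https://accounts.google.com/o/oauth2/token"


class ClientLoginError(Exception):
    """ClientLogin refused the credentials (an Error= line in the response)."""


class SecondFactorRequired(ClientLoginError):
    """The account has 2-step verification; a plain password cannot sign in."""


class OAuthError(Exception):
    """The authorization callback was rejected or did not match our request."""


# --- ClientLogin: the app handles the user's raw password ----------------------

def clientlogin_body(email, password, service, source):
    """Form body the app POSTs to ClientLogin. The user's password travels in it."""
    return urllib.parse.urlencode({
        "accountType": "HOSTED_OR_GOOGLE",
        "Email": email,
        "Passwd": password,
        "service": service,   # e.g. "cl" for Calendar
        "source": source,     # "company-appname-version"
    })


def parse_clientlogin_response(body):
    """Return the Auth token from a ClientLogin key=value response, or raise.

    A 2-step-verification account answers Error=BadAuthentication with
    Info=InvalidSecondFactor: the password was right but is not sufficient.
    """
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    if "Error" in fields:
        if fields.get("Info") == "InvalidSecondFactor":
            raise SecondFactorRequired(
                "account uses 2-step verification; needs an app-specific "
                "password or, better, a move to OAuth")
        raise ClientLoginError(fields["Error"])
    if "Auth" not in fields:
        raise ClientLoginError("malformed response")
    return fields["Auth"]


# --- OAuth 2.0 authorization code flow: the app never sees the password -------

def build_authorization_url(client_id, redirect_uri, scope):
    """Return (url, state). Send the user to url; keep state in their session."""
    state = secrets.token_urlsafe(16)   # ties the callback to this request (CSRF)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return OAUTH2_AUTH_URL + "?" + urllib.parse.urlencode(params), state


def handle_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect, checking state first."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise OAuthError("state mismatch: callback not tied to our request")
    if "error" in query:
        raise OAuthError(query["error"][0])   # e.g. access_denied
    if "code" not in query:
        raise OAuthError("no authorization code in callback")
    return query["code"][0]


def token_request_body(code, client_id, client_secret, redirect_uri):
    """Form body for exchanging the code for tokens, sent server to server."""
    return urllib.parse.urlencode({
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
    })


def exchange_code(code, client_id, client_secret, redirect_uri):
    """Network call: POST the code to the token endpoint and return its JSON."""
    req = urllib.request.Request(
        OAUTH2_TOKEN_URL,
        data=token_request_body(code, client_id, client_secret, redirect_uri).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

The contrast to notice is in what the app transmits: under ClientLogin the form body carries `Passwd`, and a 2-step-verification account turns that request into a `SecondFactorRequired` failure the app has to handle itself; under OAuth the app builds a redirect, checks that the callback's `state` matches what it issued, and exchanges a short-lived code for tokens, so the password and any verification code stay between the user and Google.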