On Monday, Google announced that IMAP/SMTP and XMPP would be getting a security boost in the form of OAuth 2.0. The transition comes as the company depreciates older standards (OAuth 1.0a) on the GMail and Google Talk services.
Ryan Troll, a member of Google’s Application Security Team, said in a blog post that the changes are part of a long term plan to support additional mechanisms to protect user information.
Google started using OAuth more than a year ago, as a way to enhance the security of the authentication process. On Google’s APIs, OAuth 2.0 allows access to Google’s two-factor authentication features as well, allowing developers flexibility in the levels of security offered by a given app.
“When clients use OAuth 2.0, they never ask users for passwords. Users have tighter control over what data clients have access to, and clients never see a user's password, making it much harder for a password to be stolen. If a user has their laptop stolen, or has any reason to believe that a client has been compromised, they can revoke the client’s access without impacting anything else that has access to their data,” Troll wrote.
Access to OAuth 2.0 on XMPP (Google Talk) and IMAP/SMTP (GMail) is available now. As mentioned, support OAuth 1.0a is ending. Developers are asked to update their applications quickly in order to avoid problems.
Documentation for using OAuth 2.0 to access Google APIs can be found here.