Security Experts:

Google Boosts Security For GMail and Google Talk With OAuth 2.0

On Monday, Google announced that IMAP/SMTP and XMPP would be getting a security boost in the form of OAuth 2.0. The transition comes as the company depreciates older standards (OAuth 1.0a) on the GMail and Google Talk services.

Ryan Troll, a member of Google’s Application Security Team, said in a blog post that the changes are part of a long term plan to support additional mechanisms to protect user information.

Google started using OAuth more than a year ago, as a way to enhance the security of the authentication process. On Google’s APIs, OAuth 2.0 allows access to Google’s two-factor authentication features as well, allowing developers flexibility in the levels of security offered by a given app.

“When clients use OAuth 2.0, they never ask users for passwords. Users have tighter control over what data clients have access to, and clients never see a user's password, making it much harder for a password to be stolen. If a user has their laptop stolen, or has any reason to believe that a client has been compromised, they can revoke the client’s access without impacting anything else that has access to their data,” Troll wrote

Access to OAuth 2.0 on XMPP (Google Talk) and IMAP/SMTP (GMail) is available now. As mentioned, support OAuth 1.0a is ending. Developers are asked to update their applications quickly in order to avoid problems.

Documentation for using OAuth 2.0 to access Google APIs can be found here

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.