New Security Measures Will Affect Older (non-OAuth 2.0) Applications

April 23, 2014


Link copied to clipboard
By Antonio Fuentes, Google Identity Team

There is nothing more important than making sure our users and their information stay safe online. Doing that means providing security features at the user-level like 2-Step Verification and recovery options, and also involves a lot of work behind the scenes, both at Google and with developers like you. We've already implemented developer tools including Google Sign-in and support for OAuth 2.0 in Google APIs and IMAP, SMTP and XMPP, and we're always looking to raise the bar.

That's why, beginning in the second half of 2014, we'll start gradually increasing the security checks performed when users log in to Google. These additional checks will ensure that only the intended user has access to their account, whether through a browser, device or application. These changes will affect any application that sends a username and/or password to Google.

To better protect your users, we recommend you upgrade all of your applications to OAuth 2.0. If you choose not to do so, your users will be required to take extra steps in order to keep accessing your applications.

The standard Internet protocols we support all work with OAuth 2.0, as do most of our APIs. We leverage the work done by the IETF on OAuth 2.0 integration with IMAP, SMTP, POP, XMPP, CalDAV, and CardDAV.

In summary, if your application currently uses plain passwords to authenticate to Google, we strongly encourage you to minimize user disruption by switching to OAuth 2.0.

Antonio Fuentes is a Product Manager working on features to keep Google users safe. He has also worked on tools for third party developers looking to build on Google infrastructure.

Posted by Louis Gray, Googler