July 21, 2014

More Secure Gmail Authentication

Google has a new settings page that lets you enable or disable access to less secure apps.

"Some devices and apps use insecure sign-in technology to access your data. Choosing Disable prevents these less secure devices and apps from accessing your Google Account. Choosing Enable increases your chances of unauthorized account access but allows you to continue using these less secure devices and apps."



Many mail apps use insecure sign-in standards:

* the Mail app for iOS 6 or below
* the Mail app from Windows Phone 8.0 or earlier
* some built-in Android mail apps not developed by Google
* desktop mail clients like Microsoft Outlook and Mozilla Thunderbird.

If access to less secure apps is disabled, you'll see a "Password incorrect" error when signing in and you won't be able to set up a Google account on your device. "Google may block sign in attempts from some apps or devices that do not use modern security standards. Since these apps and devices are easier to break into, blocking them helps keep your account safer."

A Microsoft article explains that "Google has increased its security measures to block access to Google accounts after July 15, 2014 if those accounts are being set up or synced in apps and on devices that use Basic Authentication." Another article notes that "Windows Phone builds earlier than 8.10.12359.845 [Windows Phone 8.1] use Basic Authentication and therefore may be impacted. Windows Phone builds later than 8.10.12359.845 use Open Authentication (or OAuth) and therefore will not be impacted".

All Google products use OAuth 2.0, so if you use the desktop Gmail site, the mobile Gmail site or the mobile Gmail apps, you're not affected by this change. 90% of Apple devices are using iOS 7, so most iOS users are not affected. If you use Android mail apps built by OEMs like Samsung, the built-in mail app for Windows Phone or a desktop app like Outlook or Thunderbird, it's a good idea to make sure that the "enable" setting is checked on this page.

An article from April provides more information:
Beginning in the second half of 2014, we'll start gradually increasing the security checks performed when users log in to Google. These additional checks will ensure that only the intended user has access to their account, whether through a browser, device or application. These changes will affect any application that sends a username and/or password to Google.

To better protect your users, we recommend you upgrade all of your applications to OAuth 2.0. If you choose not to do so, your users will be required to take extra steps in order to keep accessing your applications. The standard Internet protocols we support all work with OAuth 2.0, as do most of our APIs. We leverage the work done by the IETF on OAuth 2.0 integration with IMAP, SMTP, POP, XMPP, CalDAV, and CardDAV.

In summary, if your application currently uses plain passwords to authenticate to Google, we strongly encourage you to minimize user disruption by switching to OAuth 2.0.
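To make the difference between password sign-in and the OAuth 2.0 integration with IMAP and SMTP concrete, here is an added example (not from the quoted article or from Google) that builds the SASL PLAIN and XOAUTH2 initial responses a mail client sends and decodes a captured one to show which secret it carries. The function names, the `less_secure` label and the sample values are assumptions made for illustration.

```python
import base64

def sasl_plain(user: str, password: str) -> str:
    """RFC 4616 PLAIN initial response: authzid NUL authcid NUL password."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()

def sasl_xoauth2(user: str, access_token: str) -> str:
    """XOAUTH2 initial response: user and a bearer token, separated by 0x01."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

def inspect_sasl(mechanism: str, b64_response: str) -> dict:
    """Decode a captured initial response and report what secret it carries."""
    raw = base64.b64decode(b64_response, validate=True).decode()
    mech = mechanism.upper()
    if mech == "PLAIN":
        parts = raw.split("\0")
        if len(parts) != 3:
            raise ValueError("malformed PLAIN response")
        # The third field is the reusable account password itself.
        return {"user": parts[1], "secret": "account password", "less_secure": True}
    if mech == "XOAUTH2":
        fields = dict(f.split("=", 1) for f in raw.split("\x01") if f)
        scheme, _, token = fields.get("auth", "").partition(" ")
        if "user" not in fields or scheme != "Bearer" or not token:
            raise ValueError("malformed XOAUTH2 response")
        # Only a short-lived, revocable token crosses the wire.
        return {"user": fields["user"], "secret": "OAuth 2.0 access token",
                "less_secure": False}
    raise ValueError(f"unsupported mechanism: {mechanism}")

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    user, pw, tok = "alice@example.com", "constructed-password", "CONSTRUCTED_TOKEN"
    for mech, resp in (("PLAIN", sasl_plain(user, pw)),
                       ("XOAUTH2", sasl_xoauth2(user, tok))):
        print(mech, resp, inspect_sasl(mech, resp))
```

Base64 is an encoding, not encryption: anyone who can read a PLAIN response recovers the password, while an XOAUTH2 response exposes only a token the account owner can revoke.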

{ Thanks, Herin. }

1 comment:

  1. Thanks for your information. Now in this new version there are so many new features and bug fixes.


