Two-factor authentication, where – in addition to your username and password – you use a code from an app, device or text message to log in, is a great way to improve the security of a user account. I’ve mentioned it a few times previously and it is supported by an increasing number of web sites.
Google is one such site, and, when enabled, most of its services that require you to sign in will also ask you for a code from the Google Authenticator app, or from a text message or phone call. I say ‘most’ and not all because there are some exceptions, namely when using Gmail over IMAP and Google Talk. For these services, you have to create an ‘application specific password’ which you use instead of your regular password to log in. Although these passwords can’t be used to change your password, and can be revoked at any time, this is still less secure than using your actual password and a code from the authenticator.
Thankfully, Google is working on a solution to this. It already uses a protocol called OAuth to allow third-party web sites to access your details without needing to share your password, as do many other sites like Twitter, Facebook, Foursquare, Instagram, Evernote and Dropbox. It has now extended OAuth support to IMAP and XMPP (XMPP is the protocol behind Google Talk, also known as Jabber). This means that, when using Gmail with an email client such as Thunderbird, rather than entering a username and password directly into Thunderbird, it will instead pop open a browser window. Thunderbird need never know your password. What’s more, this browser window will also allow a security code from an authenticator app to be entered too, so there would be no need for the ‘application specific password’ workaround.
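As an added example that is not part of the original post: on the IMAP side this exchange uses the SASL XOAUTH2 mechanism Google documents, in which the client sends a bearer token in the AUTHENTICATE command where it would otherwise have sent a password. The address and token below are constructed placeholders; a real client obtains the token from the browser-based OAuth flow described above, and the server-side parser is included only to show what the mail server actually receives.

```python
import base64
import re

# Wire format Google documents for XOAUTH2 (0x01 is the separator):
#   user=<email>\x01auth=Bearer <access token>\x01\x01


def build_xoauth2_response(user: str, access_token: str) -> str:
    """Base64 SASL initial client response carrying an OAuth bearer token.

    No password appears anywhere in this string; the token can be revoked
    by the account owner without changing the account password.
    """
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def imap_authenticate_line(tag: str, user: str, access_token: str) -> str:
    """The IMAP command a client such as Thunderbird would send."""
    return f"{tag} AUTHENTICATE XOAUTH2 {build_xoauth2_response(user, access_token)}"


def parse_xoauth2_response(encoded: str) -> dict:
    """Decode what the server receives; rejects anything not in the exact format."""
    raw = base64.b64decode(encoded, validate=True).decode("utf-8")
    m = re.fullmatch(r"user=([^\x01]+)\x01auth=Bearer ([^\x01]+)\x01\x01", raw)
    if not m:
        raise ValueError("malformed XOAUTH2 client response")
    return {"user": m.group(1), "token": m.group(2)}


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    user, token = "alice@example.com", "ya29.CONSTRUCTED_PLACEHOLDER_TOKEN"
    line = imap_authenticate_line("a1", user, token)
    print(line)
    print(parse_xoauth2_response(line.split()[-1]))
```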
This will help to remove one of the biggest stumbling blocks that discourage people from adopting two-factor authentication. Right now, I have 23 application specific passwords on my Google account, although this is fewer than in the past as more iPhone apps now use OAuth rather than a simple username and password. Hopefully, once more email and chat programs support OAuth over these protocols, I will need even fewer.