Neil Turner's Blog

Blogging about technology and randomness since 2002

OAuth and two-factor authentication


Two-factor authentication, where – in addition to your username and password – you use a code from an app, device or text message to log in, is a great way to improve the security of a user account. I’ve mentioned it a few times previously and it is supported by an increasing number of web sites.

Google is one such site, and, when enabled, most of its services that require you to sign in will also ask you for a code from the Google Authenticator app, or from a text message or phone call. I say ‘most’ and not all because there are some exceptions, namely when using Gmail over IMAP and Google Talk. For these services, you have to create an ‘application specific password’ which you use instead of your regular password to log in. Although these passwords can’t be used to change your password, and can be revoked at any time, signing in with one is still less secure than using your actual password and a code from the authenticator, because an application specific password is a single static secret that bypasses the second factor entirely.

Thankfully, Google is working on a solution to this. It already uses a protocol called OAuth to allow third-party web sites to access your details without needing to share your password, as do many other sites like Twitter, Facebook, Foursquare, Instagram, Evernote and Dropbox. It has now extended OAuth support to IMAP and XMPP (XMPP is the protocol behind Google Talk, also known as Jabber). This means that, when using Gmail with an email client such as Thunderbird, rather than entering a username and password directly into Thunderbird, the client will instead pop open a browser window for you to sign in to Google. Thunderbird need never know your password. What’s more, this browser window will also allow a security code from an authenticator app to be entered, so there would be no need for the ‘application specific password’ workaround.
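As an added illustration (not code from this post, and not Google's own implementation), the Python below sketches both sides of the IMAP exchange described above. Google's OAuth support for IMAP uses the SASL XOAUTH2 mechanism, which the post does not name; the token values and the token store are constructed, and the access token is assumed to have come from the browser-based sign-in where the second factor was checked.

```python
import base64

# Client side: after the browser-based sign-in (authenticator code entered
# there), the mail client holds only an access token. It sends this as the
# initial response to `AUTHENTICATE XOAUTH2`; the account password never
# passes through the client or the IMAP connection.
def xoauth2_initial_response(user, access_token):
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

# For contrast, plain IMAP LOGIN carries the password itself, which is why
# an application specific password had to be minted for such clients.
def login_command(tag, user, password):
    return f'{tag} LOGIN "{user}" "{password}"'

# Server side: decode the response and recover (user, bearer token).
def parse_xoauth2(b64):
    raw = base64.b64decode(b64, validate=True).decode()
    if not raw.endswith("\x01\x01"):
        raise ValueError("malformed XOAUTH2 response")
    fields = dict(part.split("=", 1) for part in raw[:-2].split("\x01"))
    if set(fields) != {"user", "auth"} or not fields["auth"].startswith("Bearer "):
        raise ValueError("malformed XOAUTH2 response")
    return fields["user"], fields["auth"][len("Bearer "):]

# Constructed stand-in for the authorization server's token records: each
# token is bound to one account and one scope, and can be revoked on its own.
TOKENS = {
    "constructed-token-live": {"user": "alice@example.com", "scope": "mail", "revoked": False},
    "constructed-token-revoked": {"user": "alice@example.com", "scope": "mail", "revoked": True},
}

def server_authenticate(b64, required_scope="mail"):
    """Decide the AUTHENTICATE command as a mock IMAP server would."""
    try:
        user, token = parse_xoauth2(b64)
    except ValueError as exc:   # also covers bad base64 and bad UTF-8
        return False, f"BAD {exc}"
    record = TOKENS.get(token)
    if record is None:
        return False, "NO unknown token"
    if record["revoked"]:
        return False, "NO token revoked"
    if record["user"] != user:
        return False, "NO token not issued to this user"
    if record["scope"] != required_scope:
        return False, "NO insufficient scope"
    return True, "OK authenticated"
```

Revoking a token at the authorization server cuts off that one client, which is the same per-client revocation the application specific passwords offered, but without handing the client a static password-equivalent secret.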

This will help to remove one of the biggest stumbling blocks that discourage people from adopting two-factor authentication. Right now, I have 23 application specific passwords on my Google account, although this is fewer than in the past as more iPhone apps now use OAuth rather than a simple username and password. Hopefully, once more email and chat programs support OAuth over these protocols, I will need even fewer.

One Comment

  1. I use Two-Factor Authentication across a lot of my accounts. I feel a lot more secure when I can telesign into my account. If you have that option available to you, use it; it is worth the time and effort to have the confidence that your account won’t get hacked and your personal information isn’t up for grabs. It would be nice to see more of the leading companies in their respective verticals start giving their users the perfect balance between security and user experience. I know some will claim that 2FA makes things more complicated, but the slight inconvenience each time you log in is worth the confidence of knowing your info is secure. I’m hoping that more companies start to offer this awesome functionality. To me this should be a prerequisite to any system that wants to promote itself as being secure.