April 23, 2014

New Security Measures Will Affect Older (non-OAuth 2.0) Applications

There is nothing more important than making sure our users and their information stay safe online. Doing that means providing security features at the user-level like 2-Step Verification and recovery options, and also involves a lot of work behind the scenes, both at Google and with developers like you. We've already implemented developer tools including Google Sign-In and support for OAuth 2.0 in Google APIs and IMAP, SMTP and XMPP, and we’re always looking to raise the bar.

That's why, beginning in the second half of 2014, we'll start gradually increasing the security checks performed when users log in to Google. These additional checks will ensure that only the intended user has access to their account, whether through a browser, device or application. These changes will affect any application that sends a username and/or password to Google.

To better protect your users, we recommend you upgrade all of your applications to OAuth 2.0. If you choose not to do so, your users will be required to take extra steps in order to keep accessing your applications.

The standard Internet protocols we support all work with OAuth 2.0, as do most of our APIs. We leverage the work done by the IETF on OAuth 2.0 integration with IMAP, SMTP, POP, XMPP, CalDAV, and CardDAV.

In summary, if your application currently uses plain passwords to authenticate to Google, we strongly encourage you to minimize user disruption by switching to OAuth 2.0.


  1. If there is nothing more important than making sure that users stay safe, why do you only support AUTH=PLAIN and not AUTH=CRAM-MD5 or AUTH=SCRAM or any other more complex challenge/response authentication model that make it possible to do mutual authentication and channel binding without revealing the password?

  2. ive had the following used to hack me.along with development app.sdk17,Apache files downloaded into my phone without my permission.thank u david dumetz .id like to think something can be done.9169046059 if anyone knows.

  3. Yea, so now Mozilla Thunderbird doesn't work anymore out-of-the-box...


You are welcome to contribute comments, but they should be relevant to the conversation. We reserve the right to remove off-topic remarks in the interest of keeping the conversation focused and engaging. Shameless self-promotion is well, shameless, and will get canned.

Note: Only a member of this blog may post a comment.