Web Access Management: Google ups the ante

It's been an interesting two weeks for Google and web access management. Last week they announced SMS two-factor authentication (2FA) support for Google Apps. Today they announced OAuth support as the protocol for authorising third-party applications.

Up until now you would have received a redirect to a Google login page where you had to put in your username and password. These redirects made my spider-sense go tingly as I do double and triple takes combing these pages for signs that they're malicious, illegitimate, password-stealing phishing sites. Even when I'm the one who initiated the transaction. Go figure.

OAuth seems to have really taken off with online service providers, achieving the traction other federation protocols (SAML, Liberty, WS-Federation) can only dream of. Strictly speaking OAuth is a delegated-authorisation protocol rather than an authentication protocol: it lets a third-party application act on the user's behalf without that application ever seeing the user's password.

So, for a business user, Google Apps now provides authentication security comparable to the online banking sites I use: a password plus a one-time code sent by SMS. What will be the next evolution for financial services, or is SMS 2FA enough?

Here's the Computerworld coverage of OAuth

ITnews article on SMS 2FA

  1. It doesn't really buy you much in the desktop access scenario. A malicious app can still look at the user's cookies and fake the correct authorization request. You could require a full login at every authorize, but that pretty much breaks any "Just Works" user perception, which is a strong motivator for these sorts of apps.
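The trade-off the comment above describes, as an added example that is not part of the original post or of Google's implementation: a toy OAuth-style provider whose authorize step either trusts the browser's existing session cookie or demands the password again. With the cookie policy, a rogue local process that has read the cookie off disk can forge the authorization and walk away with an access token; with the fresh-login policy it cannot, at the cost of the "Just Works" experience. The server, the user "alice", the app names and the tokens are all constructed for this example, and request signing and the real token exchange are deliberately left out because the attack rides the user's own session rather than breaking the protocol.

```python
"""Toy model of the desktop-app weakness described in the comment above.

Constructed example: an OAuth-style authorize endpoint that trusts the
browser's existing session cookie will approve any authorization request
that carries that cookie, including one forged by a malicious local
process that has read the cookie off disk.  Demanding the password again
at the authorize step closes that hole at the cost of "just works".
Signatures, consumer keys and the real token exchange are omitted;
every name, token and user below is made up for this example.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed user database: username -> password (plaintext only for the toy).
USER_PASSWORDS: Dict[str, str] = {"alice": "correct horse battery staple"}


@dataclass
class ToyAuthServer:
    """Minimal provider with login, request token, authorize and access token."""
    require_fresh_login: bool                      # the policy the comment weighs
    sessions: Dict[str, str] = field(default_factory=dict)         # cookie -> user
    request_tokens: Dict[str, dict] = field(default_factory=dict)  # token -> state
    access_tokens: Dict[str, tuple] = field(default_factory=dict)  # token -> (app, user)

    def _check_password(self, user: Optional[str], password: Optional[str]) -> bool:
        expected = USER_PASSWORDS.get(user or "", "")
        return bool(user) and hmac.compare_digest(password or "", expected)

    def login(self, user: str, password: str) -> str:
        """Browser login; returns the session cookie the browser will store."""
        if not self._check_password(user, password):
            raise PermissionError("bad credentials")
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def request_token(self, app: str) -> str:
        """Step 1: an application obtains an unauthorized request token."""
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"app": app, "user": None}
        return token

    def authorize(self, token: str, cookie: Optional[str] = None,
                  user: Optional[str] = None, password: Optional[str] = None) -> bool:
        """Step 2: the user approves the request token.

        Cookie policy: whoever presents a valid session cookie is the user.
        Fresh-login policy: the cookie is ignored and a password is required.
        """
        state = self.request_tokens.get(token)
        if state is None or state["user"] is not None:
            return False
        if self.require_fresh_login:
            if not self._check_password(user, password):
                return False
            state["user"] = user
            return True
        session_user = self.sessions.get(cookie or "")
        if session_user is None:
            return False
        state["user"] = session_user
        return True

    def access_token(self, token: str) -> Optional[str]:
        """Step 3: swap an authorized request token for an access token."""
        state = self.request_tokens.pop(token, None)
        if state is None or state["user"] is None:
            return None
        access = secrets.token_hex(16)
        self.access_tokens[access] = (state["app"], state["user"])
        return access


def malicious_desktop_app(require_fresh_login: bool) -> bool:
    """Attacker path: a local process that has read alice's browser cookie.

    Returns True if the rogue app ends up holding an access token.
    """
    server = ToyAuthServer(require_fresh_login)
    browser_cookie = server.login("alice", USER_PASSWORDS["alice"])  # alice signs in
    stolen_cookie = browser_cookie              # rogue app reads the cookie jar
    token = server.request_token("rogue-app")
    server.authorize(token, cookie=stolen_cookie)  # no password available to it
    return server.access_token(token) is not None


def legitimate_desktop_app(require_fresh_login: bool) -> bool:
    """Happy path: alice really is at the keyboard and approves the app."""
    server = ToyAuthServer(require_fresh_login)
    browser_cookie = server.login("alice", USER_PASSWORDS["alice"])
    token = server.request_token("good-app")
    # With the fresh-login policy the user types the password at the prompt;
    # with the cookie policy the browser session alone is enough.
    server.authorize(token, cookie=browser_cookie,
                     user="alice", password=USER_PASSWORDS["alice"])
    return server.access_token(token) is not None


if __name__ == "__main__":
    print("cookie policy, rogue app gets token:", malicious_desktop_app(False))      # True
    print("fresh-login policy, rogue app gets token:", malicious_desktop_app(True))  # False
    print("fresh-login policy, real user still works:", legitimate_desktop_app(True))  # True
```

Note that in real OAuth 1.0a the application's requests are signed with a consumer secret and the access-token exchange needs a verifier, but neither helps here: the rogue process is not forging the application's side of the protocol, it is impersonating the user at the authorize step with the user's own session. Only a policy that refuses to treat an existing session as proof of presence (the fresh-login branch above) blocks it, which is exactly the "Just Works" cost the comment points out.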

