It's been an interesting 2 weeks for Google and web access management. Last week they announced SMS 2FA support for Google Apps. Today they announced support for OAuth as well as the protocol to authorise 3rd-party applications.
Up until now you would have received a redirect to a Google login page where you had to put in your username / password. These redirects made my spider-sense go tingly as I do double and triple takes combing these pages for signs that they’re malicious, illegitimate, password-stealing, phishing sites. Even when I’m the one who initiated the transaction. Go figure.
It seems like OAuth has really taken off with service providers online, achieving traction that other federation protocols (SAML, Liberty, WS-Security) dream of having.
So now Google Apps (if I were a business user) provides similar authentication security to the online banking sites I use. What will be the next evolution for financial services, or is SMS 2FA enough?
Here’s the Computerworld coverage of OAuth
ITnews article for SMS 2FA