There are two specific changes that we’ve heard that are being implemented. The first change - when a user has lost his or her password and if a Gmail account is accessed from a new computer, the user will have the option of receiving a text message with a new one time use pass key. They then enter that pass key into Gmail to authenticate themselves and lock out any bad users with access to the account.
The second change - Google is also possibly implementing a different version of OAuth for its contacts exporter (something often used by other services to import Gmail contacts). It’s likely to be OAuth Wrap, an easier to implement version of OAuth. If developers can be convinced to use it instead of harvesting and storing user credentials, there’s less of a security hole.
These changes are likely in response to the Chinese security incident from earlier this year. A secondary line of security for users would have avoided the Twitter documents leak from last year, which originally started with a guessed Gmail password and got out of control from there.
This is just a rumor and there's no confirmation from Google yet. We will keep you posted of any changes.
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.