Google and OAuth 2.0

Andrew Sutherland asutherland at
Mon Apr 28 21:53:33 UTC 2014

On 04/28/2014 05:41 PM, Andrew Sutherland wrote:
> Use of single-factor authentication (just a password) that is used by 
> both the user and all their applications is

(continuing the unfinished sentence): not great for security since it 
becomes hard/difficult to tell the actual user apart from the attacker.  
Specifically, this requires falling back on implicit second-factor 
authentication from the account setup.  This includes things like mobile 
numbers (which :BenB is quite reasonably reluctant to provide) and other 
email accounts.

Google has done some really amazing work in terms of detecting 
compromised accounts/suspicious accounts and dealing with this situation 
in a way that amounts to fallback 2-factor.  But it would be better for 
everyone if everyone was just using two-factor up front.  It avoids 
problems, it helps detect problems (you know which oauth token leaked 
and therefore where the security hole might be), it makes it easier to 
recover from problems (don't need to change your password on all of your 
devices), etc.
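To make the "you know which oauth token leaked" point concrete, here is a small added model of the two designs the message contrasts. It is example code written for this page, not Mozilla's or Google's code; the server classes, the `mail-app`/`calendar-app` client ids and the "leaked" token are all constructed for the demonstration. Each application gets its own HMAC-signed bearer token bound to a client id, so a token that turns up somewhere it should not can be attributed to one application and revoked on its own, while a shared password gives nothing to attribute and must be rotated on every device.

```python
"""Per-application bearer tokens versus one shared password (illustrative model)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Grant:
    token_id: str
    user: str
    client_id: str        # the application this token was issued to
    revoked: bool = False


class TokenAuthServer:
    """Issues one HMAC-signed token per (user, application) pair."""

    def __init__(self, signing_key: bytes) -> None:
        self._key = signing_key
        self._grants: Dict[str, Grant] = {}

    def _mac(self, token_id: str) -> str:
        return hmac.new(self._key, token_id.encode(), hashlib.sha256).hexdigest()

    def issue(self, user: str, client_id: str) -> str:
        token_id = secrets.token_hex(8)
        self._grants[token_id] = Grant(token_id, user, client_id)
        return f"{token_id}.{self._mac(token_id)}"

    def _lookup(self, token: str) -> Optional[Grant]:
        # Reject forged or tampered tokens before touching the grant table.
        token_id, _, mac = token.partition(".")
        if not mac or not hmac.compare_digest(mac, self._mac(token_id)):
            return None
        return self._grants.get(token_id)

    def validate(self, token: str) -> Optional[Grant]:
        g = self._lookup(token)
        return None if g is None or g.revoked else g

    def attribute(self, token: str) -> Optional[str]:
        """Name the application a leaked token belongs to, even after revocation."""
        g = self._lookup(token)
        return None if g is None else g.client_id

    def revoke_client(self, user: str, client_id: str) -> int:
        """Revoke only that application's grants; other devices keep working."""
        n = 0
        for g in self._grants.values():
            if g.user == user and g.client_id == client_id and not g.revoked:
                g.revoked = True
                n += 1
        return n


class PasswordAuthServer:
    """Every application presents the same password, so a leak has no owner."""

    def __init__(self) -> None:
        self._pw: Dict[str, str] = {}

    def set_password(self, user: str, password: str) -> None:
        self._pw[user] = password

    def validate(self, user: str, password: str) -> bool:
        stored = self._pw.get(user)
        return stored is not None and hmac.compare_digest(stored, password)

    def attribute(self, user: str, password: str) -> Optional[str]:
        return None  # the secret is shared by the user and all their clients


def demo() -> dict:
    srv = TokenAuthServer(secrets.token_bytes(32))
    mail = srv.issue("alice", "mail-app")
    cal = srv.issue("alice", "calendar-app")

    # Constructed incident: the mail app's token shows up in a crash report.
    leaked = mail
    culprit = srv.attribute(leaked)            # "mail-app"
    revoked = srv.revoke_client("alice", culprit)

    # Same incident under a shared password: two clients, one secret.
    pw = PasswordAuthServer()
    pw.set_password("alice", "hunter2")
    clients = {"mail-app": "hunter2", "calendar-app": "hunter2"}
    pw.set_password("alice", secrets.token_hex(8))   # forced password reset
    broken = sum(not pw.validate("alice", p) for p in clients.values())

    return {
        "culprit": culprit,
        "revoked": revoked,
        "mail_valid_after": srv.validate(mail) is not None,
        "calendar_valid_after": srv.validate(cal) is not None,
        "password_culprit": pw.attribute("alice", "hunter2"),
        "password_clients_broken": broken,
    }
```

Run `demo()` to see the contrast: the token server names `mail-app`, revokes one grant and leaves the calendar client untouched, while the password server cannot name a culprit and the reset breaks both clients until they are reconfigured.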

