
Google allows the use of OAuth authentication to fetch email, but also the use of a lengthy "app password" generated by Google instead of an account password. Yahoo/AT&T also allows the use of a "secure mail key" in lieu of OAuth - the "secure mail key" seems the same as an "app password". How does OAuth provide more security, and what other advantages does OAuth offer over the "app password"?

1 Answer

They are similar, but:

  1. App passwords are managed manually (copy-pasted, etc.) with each site having its own mechanism. OAuth2 tokens are issued more or less automatically in a more or less standard way.

    (In theory, OAuth2 also has flows which allow limited devices (e.g. smart TVs with tedious on-screen keyboards) to obtain tokens without much input at all – you log in through your computer to get a numeric PIN, enter that PIN on your smart toaster or fridge or whatever, and now it has an OAuth2 token without the need to enter a long app password.)

  2. At most services, all app passwords identically grant the same wide variety of permissions. OAuth2 tokens only grant the specific access that you've confirmed (e.g. only Gmail, or only Drive, or only Calendar).

    (Some services such as GitHub allow specifying scopes even for app passwords, but then you still need to know exactly which ones you'll need, and I would bet most people just click "All of them, thanks" and then use that single app password everywhere.)

  3. OAuth2 uses a two-tier system, with a long-lived "refresh" token that is only sent to the authentication server, and a short-lived "access" token that the client replaces every X days.

    Depending on how the service was designed, this might actually guard against some security compromises on the service's side (e.g. a compromised IMAP server could collect forever-valid app passwords, but it cannot actually obtain OAuth2 refresh tokens – only temporary access tokens).

  4. App passwords work with any app. OAuth2 requires each developer to register their app as a "client" and allows Google or Yahoo to impose whatever silly development policies they want this week.
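A toy model of point 3, added here as an illustration (it is not code from the answer, and not how Google's or Yahoo's services are implemented): an authorization server keeps the refresh token and mints signed, scoped, expiring access tokens, while the mail server only ever sees the access token. The token format, one-hour TTL, HMAC signing and the "mail"/"drive" scope names are all constructed for the example.

```python
# Constructed example: why a credential-logging mail server learns less from OAuth2
# access tokens than from a static app password. Not any real provider's token format.
import hashlib, hmac, secrets

SIGNING_KEY = secrets.token_bytes(32)   # known only to the authorization server
ACCESS_TTL = 3600                       # assumption: access tokens live one hour

class AuthServer:
    """Holds refresh tokens; mints short-lived, scope-bound access tokens."""
    def __init__(self):
        self.grants = {}                # refresh token -> scopes the user approved

    def authorize(self, scopes):
        rt = secrets.token_urlsafe(32)  # long-lived refresh token, never sent to IMAP
        self.grants[rt] = tuple(sorted(scopes))
        return rt

    def refresh(self, rt, now):
        """Exchange a refresh token for an access token: 'exp|scopes|hmac'."""
        body = f"{now + ACCESS_TTL}|{','.join(self.grants[rt])}"
        tag = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}|{tag}"

def check_access_token(token, scope, now):
    """Resource-server side: valid signature, not expired, requested scope was granted."""
    try:
        exp, scopes, tag = token.rsplit("|", 2)
        exp = int(exp)
    except ValueError:                  # malformed token
        return False
    expected = hmac.new(SIGNING_KEY, f"{exp}|{scopes}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected) and now < exp and scope in scopes.split(",")

def simulate(now=1_000_000):
    """What a compromised, credential-logging IMAP server holds a year after the login."""
    later = now + 365 * 86400
    imap_log = []                       # everything the mail server was shown

    # App password: one static string, no expiry and no scope; it works whenever replayed.
    app_password = secrets.token_urlsafe(12)
    imap_log.append(app_password)
    app_password_valid_later = imap_log[-1] == app_password

    # OAuth2: the client holds the refresh token; only the access token reaches the mail server.
    auth = AuthServer()
    rt = auth.authorize({"mail"})       # user approved mail access only
    at = auth.refresh(rt, now)
    imap_log.append(at)
    return {
        "app_password_valid_later": app_password_valid_later,
        "access_token_valid_now": check_access_token(at, "mail", now),
        "access_token_valid_later": check_access_token(at, "mail", later),
        "access_token_grants_drive": check_access_token(at, "drive", now),
        "refresh_token_seen_by_imap": rt in imap_log,
    }
```

Tampering with the scope field in a captured token (e.g. adding "drive") breaks the signature, so the resource server rejects it as well.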

  • great answer! thanks so much.
    – Jim
    Commented Mar 9, 2021 at 21:13
  • One thing I would add: Recently, ACME and Let's Encrypt normalized the idea of server certificates being automatic, short-lived, and disposable (as opposed to being a yearly chore of manually generating CSRs, copy-pasting them one by one into the issuer's website, then copy-pasting certificates back). In my opinion, OAuth2 does the same for passwords. When dealing with "app passwords" you see them as an added hassle that this snowflake service insists on. When dealing with OAuth2, you usually just see a pretty login flow and it looks like a normal thing.
    Commented Mar 9, 2021 at 21:27
  • (As an IRC user I also see parallels to how accounts work on IRC now and how they used to work in the past. Where previously logging in to your account involved sending your password to a chat bot (and hoping you didn't accidentally send it to someone else!), now it is completely integrated into the IRC clients' user interface as well as the protocol itself. The password hasn't stopped being a password but the way you deal with it has changed.)
    Commented Mar 9, 2021 at 21:31