Tag Archives: identity

Improving user safety in OAuth flows through new OAuth Custom URI scheme restrictions

Posted by Vikrant Rana, Product Manager

OAuth 2.0 Custom URI schemes are known to be vulnerable to app impersonation attacks. As part of Google’s continuous commitment to user safety and finding ways to make it safer to use third-party applications that access Google user data, we will be restricting the use of custom URI scheme methods. They’ll be disallowed for new Chrome extensions and will no longer be supported for Android apps by default.

Disallowing Custom URI scheme redirect method for new Chrome Extensions

To protect users from malicious actors who might impersonate Chrome extensions and steal their credentials, we no longer allow new extensions to use OAuth custom URI scheme methods. Instead, implement OAuth using Chrome Identity API, a more secure way to deliver OAuth 2.0 response to your app.

What do developers need to do?

New Chrome extensions will be required to use the Chrome Identity API method for authorization. While existing OAuth client configurations are not affected by this change, we strongly encourage you to migrate them to the Chrome Identity API method. In the future, we may disallow Custom URI scheme methods and require all extensions to use the Chrome Identity API method.

Disabling Custom URI scheme redirect method for Android clients by default

By default, new Android apps will no longer be allowed to use Custom URI schemes to make authorization requests. Instead, consider using Google Identity Services for Android SDK to deliver the OAuth 2.0 response directly to your app.

What do developers need to do?

We strongly recommend switching existing apps to use the Google Identity Services for Android SDK. If you're creating a new app and the recommended alternative doesn’t work for your needs, you can enable the Custom URI scheme method for your app in the “Advanced Settings” section of the client configuration page on the Google API Console.

User-facing error message

Users may see an “invalid request” error message if they try to use an app that is making unauthorized requests using the Custom URI scheme method. They can learn more about this error by clicking on the "Learn more" link in the error message.

User-facing error example

Developer-facing error message

Developers will be able to see additional error information when testing user flows for their applications. They can get more information about the error by clicking on the “see error details” link, including its root cause and links to instructions on how to resolve the error.

Developer-facing error example

Related content

https://developers.googleblog.com/2022/02/making-oauth-flows-safer.html

Source: Google for Developers Blog - News about Web, Mobile, AI and Cloud

Credential Manager beta: easy & secure authentication with passkeys on Android

Posted by Diego Zavala, Product Manager, and Niharika Arora, Android Developer Relations Engineer

Today, we are excited to announce the beta release of Credential Manager with a finalized API surface, making it suitable for use in production. As we previously announced, Credential Manager is a new Jetpack library that allows app developers to simplify their users' authentication journey, while also increasing security with support of passkeys.

Authentication provides secure access to personalized experiences, but it has challenges. Passwords, which are widely used today, are difficult to use, remember and are not always secure. Many applications and services require two-factor authentication (2FA) to login, adding more friction to the user's flow. Lastly, sign-in methods have proliferated, making it difficult for users to remember how they signed in. This proliferation has also added complexity for developers, who now need to support multiple integrations and APIs.

Credential Manager brings support for passkeys, a new passwordless authentication mechanism, together with traditional sign-in methods, such as passwords and federated sign-in, into a single interface for the user and a unified API for developers.

image showing end-to-end journey to sign in using a passkey on a mobile device — *End-to-end journey to sign in using a passkey*

With Credential Manager, users will benefit from seeing all their credentials in one place; passkeys, passwords and federated credentials (such as Sign in with Google), without needing to tap three different places. This reduces user confusion and simplifies choices when logging in.

image showing the unified account selector that support multiple credential types across multiple accounts on a mobile device — *Unified account selector that support multiple credential types across multiple accounts*

Credential Manager also makes the login experience simpler by deduping across sign-in methods for the same account and surfacing only the safest and simplest authentication method, further reducing the number of choices users need to make. So, if a user has a password and a passkey for a single account, they won’t need to decide between them when signing in; rather, the system will propose using the passkey - the safest and simplest option. That way, users can focus on choosing the right account instead of the underlying technology.

image showing how a passkey and a password for the same account are deduped on a mobile device — *A passkey and a password for the same account are deduped*

For developers, Credential Manager supports multiple sign-in mechanisms within a single API. It provides support for passkeys on Android apps, enabling the transition to a passwordless future. And at the same time, it also supports passwords and federated sign in like Sign in With Google, simplifying integration requirements and ongoing maintenance.

Who is already using Credential Manager?

Kayak has already integrated with Credential Manager, providing users with the advantages of passkeys and simpler authentication flows.

"Passkeys make creating an account lightning fast by removing the need for password creation or navigating to a separate app to get a link or code. As a bonus, implementing the new Credential Manager library also reduced technical debt in our code base by putting passkeys, passwords and Google sign-in all into one new modern UI. Indeed, users are able to sign up to Kayak with passkeys twice as fast as with an email link, which also improves the sign-in completion rate."
– Matthias Keller, Chief Scientist and SVP, Technology at Kayak

Something similar is observed on Shopify.

“Passkeys work across browsers and our mobile app, so it was a no-brainer decision for our team to implement, and the resulting one-tap user experience has been truly magical. Buyers who are using passkeys to log in to Shop are doing so 14% faster than those who are using other login methods (such as email or SMS verification)”
– Mathieu Perreault, Director of Engineering at Shopify

Support for multiple password managers

Credential Manager on Android 14 and higher supports multiple password managers at the same time, enabling users to choose the provider of their choice to store, sync and manage their credentials. We are excited to be working with several leading providers like Dashlane on their integration with Credential Manager.

“Adopting passkeys was a no-brainer for us. It simplifies sign-ins, replaces the guesswork of traditional authentication methods with a reliable standard, and helps our users ditch the downsides of passwords. Simply put, it’s a big win for both us and our users. Dashlane is ready to serve passkeys on Android 14!”
– Rew Islam, Director of Product Engineering and Innovation at Dashlane

Get started

To start using Credential Manager, you can refer to our integration guide.

We'd love to hear your input during this beta release, so please let us know about your experience integrating with Credential Manager, using passkeys, or any other feedback you might have:

Source: Android Developers Blog

Managed Android devices must upgrade to Android Device Policy during March 2023

What’s changing

In 2019, we announced that a new Android management client, Android Device Policy, would replace the legacy Google Apps Device Policy client. We’re now in the final stages of this upgrade.

All devices with the Google Apps Device Policy will lose access during March 2023 if they have not already upgraded. Existing Google Apps Device Policy app users must switch to Android Device Policy before then to continue syncing work data. Note that, per our last update, the new user registration flow on the legacy Google Apps Device Policy will be blocked and users may see errors during the registration process as of January 2022. Admins can act directly from the alert in the Admin console to identify users who need to upgrade.

Visit the Help Center to learn more about migrating to Android Device Policy and our previous announcement for more information.

Getting started

Admins: Admins can find devices which may need to act in the Admin console. Visit our Help Center to learn more about the differences between Android Device Policy and Google Apps Device Policy. Different devices may need to take different steps to upgrade:

Advanced management devices:

Find advanced management devices by going to Admin console > Mobile devices and filtering for Type: Android and Management level: Advanced.
Determine which of these devices are currently managed by the Google Apps Device Policy app and support the Android Device Policy app (i.e. devices with Android 6+ and support for a work profile)
Send these instructions to your users to help them migrate to Android Device Policy.

Basic management devices:

Find basic management devices by going to Admin console > Mobile devices and filtering for Type: Android and Management level: Basic.
Instruct users of these devices to upgrade the Android OS to version 6.0 Marshmallow or later.

End users: Affected users can visit our Help Center to learn how to transition devices from Google Apps Device Policy to Android Device Policy.

Rollout pace

Devices on the old agent will lose access during March 2023.
Android Device Policy is available now and all users should upgrade to avoid disruption.

Availability

This change impacts Google Workspace customers who use basic and advanced mobile management.

Resources

Source: Google Workspace Updates

Google Workspace Updates Weekly Recap – August 12, 2022

New updates

Unless otherwise indicated, the features below are fully launched or in the process of rolling out (rollouts should take no more than 15 business days to complete), launching to both Rapid and Scheduled Release at the same time (if not, each stage of rollout should take no more than 15 business days to complete), and available to all Google Workspace and G Suite customers.

Delegate access to a shared inbox using a group address

You can now give an entire Google Group access to your Gmail account through mail delegation. With this feature, delegated users can read, send, and delete messages on the account owner's behalf. We hope this will enable teams to more effectively process incoming requests and tasks via a single shared email address. | Available to Business Starter, Business Standard, Business Plus, Enterprise Standard, Enterprise Plus, Education Fundamentals, Education Plus, Frontline, Nonprofits, and legacy G Suite Basic and Business customers only. | Learn more.

Granular controls for app allowlisting in the Google Workspace Marketplace

Admins can now choose which Google Workspace Marketplace apps are available to be installed by users in a particular department (OU) or group by managing Marketplace apps on their allowlist. Previously, admins could only manage the allowlist for an entire domain. Additionally, the Marketplace apps access settings, Allow all apps, Allow selected apps, and Block all apps, can now be set for your entire organization or for an OU or group. This new functionality provides a solution when only a subset of domain users need permissions to install certain Marketplace apps. Examples include Chat apps required for your Engineering organization and IT security group or Classroom add-ons required for high-school teachers. | Available to Business Starter, Business Standard, Business Plus, Enterprise Essentials, Enterprise Standard, Enterprise Plus, Education Fundamentals, Education Plus, Frontline, Nonprofits, and legacy G Suite Basic and Business customers only. | Learn more.

Seamlessly delete subsets of Sites

Site editors can now delete a page with subpages and delete pages that were copied into another site during a partial site copy. | Roll out to Rapid Release began August 8, 2022; launch to Scheduled Release planned for August 29, 2022. | Learn more.

Previous announcements

The announcements below were published on the Workspace Updates blog earlier this week. Please refer to the original blog posts for complete details.

Office Building support for Working Locations

We’ve added the ability to select a specific office building as your working location. | Available to Google Workspace Business Standard, Business Plus, Enterprise Standard, Enterprise Plus, Education Fundamentals, Education Plus, Nonprofits, and legacy G Suite Business customers only. | Learn more.

Improving data privacy with Client-side encryption for Google Meet

We’ve added Workspace Client-side encryption to Google Meet, giving customers increased control over their data. | Available to Google Workspace Enterprise Plus, Education Standard, and Education Plus customers hosting client-side encrypted calls only. | Learn more.

Stronger protection for sensitive Google Workspace account actions

There are now stronger safeguards for sensitive actions taken in your Google Workspace account. These apply to actions that, when done by hijackers, can have far reaching consequences for the account owner or the organization it belongs to. | Learn more.

The Google Meet and Google Duo app icons are changing, additional information for Google Workspace users

As part of the announcement that we are upgrading the Duo experience to include all Google Meet features, users will now begin to see their app name and icon update to Google Meet. | Learn more.

Better location context for events and RSVPs in Calendar

We’ve made it even easier to use RSVPs in Google Calendar and let others know how you’re planning to join a meeting. | Available to Google Workspace Business Standard, Business Plus, Enterprise Standard, Enterprise Plus, Education Fundamentals, Education Plus, Education Standard, Teaching & Learning Upgrade, Nonprofits, and legacy G Suite Business customers only. | Learn more.

Improved notifications when editing Microsoft Office files in Docs, Sheets, and Slides

We’ve rolled out a series of improvements to the notifications you see when editing a Microsoft Office-formatted file with Office editing mode. | Learn more.

Unified experience for Gmail logs in BigQuery, configure your existing Gmail logs to route to Workspace logs

In the coming months, we will move the location of the existing Gmail logs in BigQuery to Google Workspace logs and reports in BigQuery. | Available to Google Workspace Enterprise Essentials, Enterprise Standard, Enterprise Plus, Education Plus, Education Standard customers only. | Learn more.

Google Meet call control for USB peripheral devices

We've introduced additional call control for Google Meet which will allow you to toggle between mute and unmute using headsets, speaker microphones, and other USB peripheral devices. | Learn more.

Control visibility of admin alerts with admin role privileges

There is a new control that allows super admins to create a custom rule which ensures only admins with the DLP privilege can see DLP alerts. | Learn more.

For a recap of announcements in the past six months, check out What’s new in Google Workspace (recent releases).