Google Announces New Accounts Sign-in Rules

Google on Monday announced the rollout of a new Accounts sign-in page and of a series of updates to the policies that 3rd-party Single Sign-On (SSO) providers should comply with.

Starting on April 5, 2017, users will benefit from an updated experience when securely signing into their accounts, courtesy of a new Google Accounts login page. The new design, Google says, is meant to make the browser login experience consistent across computers, phones and tablets.

This change, Google also announced, is expected to impact organizations that use third-party applications within their networks, as well as those using a third-party SSO provider. “We recommend contacting your developer(s) or SSO provider to see if any updates are necessary,” Google says.

In a separate announcement, the Internet giant revealed that the changes affect Google and 3rd-party applications on iOS, mobile browsers on iOS and Android, and web browsers (Chrome, Firefox and other modern browsers).

Starting April 5, users of 3rd-party SSO providers will be better informed about the account they are authenticating with, as well as the permissions they are granting to applications. Android applications using the standard authentication libraries already prompt users to select the appropriate account information, so these changes won’t affect them either, the company reveals.

“It’s important that your users are presented with account information and credential consent, and apps should make this process easy and clear. One new change that you may now see is that only non-standard permission requests will be presented in the secondary consent screen in your application,” Google explains.

At the moment, app permissions requested by an application are displayed together, but users should have greater visibility into permissions being requested beyond the standard “email address” and “profile” consent, Google says. If additional permissions are requested by the app, a secondary consent screen is displayed.

Users will also have greater visibility into the 3rd-party application’s name and will be able to click through to the developer’s contact information. Application developers should therefore use public-facing email addresses so that users can easily contact them for support or assistance.

“If your application may also be used by G Suite customers that employ a 3rd-party Single Sign-On (SSO) service, we recommend that you utilize the hd and/or login_hint parameters, if applicable. Even with the changes to the 3rd-party SSO auth flow, these parameters will be respected if provided. You can review the OpenID Connect page in the documentation for more information,” Google also notes.

G Suite users may also notice redirection when signing into 3rd-party SSO providers. When no accounts are signed in, the user is prompted to confirm the account after signing in to the 3rd-party SSO provider, which is meant to ensure that they are signed in with the correct G Suite account. Users automatically consent to the standard “email address” and “profile” permissions, and are redirected back to the application once they consent to any additional non-standard permissions the app requests.

If the user is already signed in to one or more accounts matching the hd hint, the Account Chooser will display all the accounts and the user will have to select the appropriate G Suite account. Next, the user will be redirected to the 3rd-party SSO provider, then back to the application.
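The hd and login_hint parameters Google recommends above, and the account-confirmation flow just described, look like this from the application's side. The following is an added example and not code from the article or from Google: it builds the OpenID Connect authorization request with hd and login_hint, and then checks the claims of the ID token that comes back at the end of the redirect chain. The client ID, redirect URI, state, nonce and the decoded token payload are constructed placeholders; the authorization endpoint and issuer values are Google's documented ones. The important defensive point is that hd in the request only filters the Account Chooser, so the application must still verify the hd claim in the ID token before treating the user as a member of that G Suite domain.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Google's documented OAuth 2.0 / OpenID Connect authorization endpoint.
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
# Both issuer forms appear in Google-issued ID tokens.
GOOGLE_ISSUERS = {"https://accounts.google.com", "accounts.google.com"}

# Consent Google grants on the primary screen; any scope beyond these
# triggers the secondary consent screen described in the article.
STANDARD_SCOPES = ("openid", "email", "profile")


def build_auth_url(client_id, redirect_uri, state, nonce,
                   hosted_domain=None, login_hint=None, extra_scopes=()):
    """Build the authorization request, adding hd/login_hint when known.

    hd narrows the Account Chooser to the customer's G Suite domain and
    login_hint pre-selects one account. Both are hints, not guarantees.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join((*STANDARD_SCOPES, *extra_scopes)),
        "state": state,   # binds the callback to this browser session (CSRF)
        "nonce": nonce,   # must be echoed in the ID token (replay protection)
    }
    if hosted_domain:
        params["hd"] = hosted_domain
    if login_hint:
        params["login_hint"] = login_hint
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}"


def query_params(url):
    """Return the query string of an authorization URL as {name: value}."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def check_id_token_claims(claims, client_id, expected_nonce, expected_domain):
    """Validate the payload of an ID token whose signature was already verified.

    Signature verification against Google's published JWKS is assumed to have
    happened before this call. Returns (ok, reason).
    """
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "unexpected issuer"
    if claims.get("aud") != client_id:
        return False, "token not issued for this client"
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    if claims.get("email_verified") is not True:
        return False, "email not verified"
    # The hd request parameter only filters the Account Chooser; the hd claim
    # is the actual proof that the account belongs to the expected domain.
    if claims.get("hd") != expected_domain:
        return False, "account is not in the expected hosted domain"
    return True, "ok"


# Constructed sample: a decoded ID token payload in the shape Google issues
# for a G Suite account in example.com (all values are placeholders).
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": "client-id-placeholder",
    "sub": "subject-id-placeholder",
    "email": "alice@example.com",
    "email_verified": True,
    "hd": "example.com",
    "nonce": "nonce-placeholder",
}

if __name__ == "__main__":
    url = build_auth_url("client-id-placeholder",
                         "https://app.example/oidc/callback",
                         state="state-placeholder", nonce="nonce-placeholder",
                         hosted_domain="example.com",
                         login_hint="alice@example.com")
    print(url)
    print(check_id_token_claims(SAMPLE_CLAIMS, "client-id-placeholder",
                                "nonce-placeholder", "example.com"))
```

When the application is used by customers on different G Suite domains, hd can be set per tenant (or to `*` to accept any hosted domain) and the hd claim compared against the tenant the user is logging into; without that check a consumer Gmail account that passes the SSO redirect would be accepted as if it belonged to the organization.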

Related: Phished Gmail Accounts Immediately Accessed by Hackers

Related: Google Patches Serious Account Recovery Vulnerabilities