Hello,

It is true that if someone steals an application-specific-password, this person would be able to access the user's data. However, this person won't be able to revoke or change the main password which is still possible using 2-factor authentication. If a user notices that data has been accessed without his authorization, he still has the possibility to change his password and revoke access to the generated application-specific-passwords.

However, when developing a desktop application, it is advised to use 3-Legged OAuth <http://code.google.com/apis/gdata/docs/auth/oauth.html#Examples> or OAuth 2.0 <http://code.google.com/apis/accounts/docs/OAuth2.html> as the authorization mechanism as this prevents the user from entering his password or an application-specific-password into a third-party application.

Best,
Alain

On Mon, Sep 5, 2011 at 8:23 AM, seizo <[email protected]> wrote:

> I have a big question about the two-factor authentication.
>
> I think the two-factor authentication is a great security measure as far as
> we use it in the browser.
> But I think it is not secure when we use it in desktop applications.
>
> [The reason]
> In case of two-factor authentication, these four things are indispensable.
> (A) Google ID (Gmail address)
> (B) Its password
> (C) verification code
> (D) phone
>
> It is great! Even though (A)(B)(C) are stolen, the google account is safe,
> because (D) is needed to get a new (C) verification code.
>
>
> Meanwhile, when we use Gmail with a third party desktop application, we
> need these two things.
> (A) Google ID (Gmail address)
> (E) application-specific passwords
>
> Imagine that (A) and (E) are stolen except (B), our Google accounts are under
> control by someone else.
>
> Is this more secure than before?
>
> I'd like to know what you think.
>
> --
> You received this message because you are subscribed to the Google
> Groups "Google Contacts, Shared Contacts and User Profiles APIs" group.
> To post to this group, send email to
> [email protected]
> To unsubscribe from this group, send email to
> [email protected]
> For more options, visit this group at
> http://code.google.com/apis/contacts/community/forum.html
>

--
Alain Vongsouvanh
