13 February 2010

Open letter to Google: Use of tokens for 3rd party management

Dear Google,

I'm a user who is usually paranoid-level skeptical about entering a username / password in 3rd party software. Though from time to time I see there is no other choice (i.e.: Sync Outlook Contacts with Gmail Contacts), and in some cases I'm even encouraged by Google to use 3rd party software (i.e.: Other IM Clients).

Even though I change my password sets quite often, using a 3rd party is the same as compromising your Gmail account. Following that, all other services that you are using your Gmail address for communication with - even banking - will be in danger. Of course this can't be acceptable.

To solve this issue, I advise the use of 3rd Party Access Management with the use of Tokens instead of passwords. Tokens are already being used between Google Services and for Google Talk using the Gaia Authentication. This same method can be extended to 3rd parties with increased manageability. A user should be able to generate a token for a 3rd party, select the TTL and set the Google services that should be accessible (ie:

With this authentication ability, users will be much more in control of their 3rd party software. In case of a service's early termination, the user can revoke the token and would be safe. Also, for desktop-installed Google software like Google Desktop - Google Talk, this method would introduce another layer of account protection against Trojan - Key Logger based attacks.

For the advantages I mentioned above, I kindly request the introduction of Token Based Authentication and 3rd Party Management.

Your devoted user,

Kaya Ozalp

PS: I also sent a copy of this to Google as feedback.

1 comment:

Kaya Ozalp said...


and google has tokens =)
