As of June, Google will be implementing a new change in how sign-ins work that should make theft of an account holder's credentials much more difficult for bad actors. Outlined via Google's security blog, the company is effectively moving away completely from the use of embedded browser frameworks and other similar authentication-automation platforms for sign-ins.
The move is meant to stop 'man-in-the-middle' attacks. When an embedded framework is used, which usually appears on the user's screen as a Google sign-in for an app, those attacks lead to stolen user credentials. In extreme cases, that can also mean stolen two-factor authentication credentials as well as the more commonly hijacked passwords and email addresses.
Although the implementation will mostly impact developers, users could initially see issues stemming from the change. That's because many web developers and others have used embedded frames for site log-ins and not everybody has moved away from the practice. Where alterations haven't been made, a blocked sign-in is going to do exactly what it sounds like.
Overall, that shouldn't create too big a problem since developers are being told so far in advance, but that doesn't mean things will go off without a hitch. Users will want to be aware of this, just in case.
Add more security and then make it even more secure
Google has already made headway in stemming a variety of attacks in other areas of its services over the past several years. That includes account sign-in challenges, spam filters, and safe browsing warnings.
More recently, the company has started to focus its efforts on moving away from passwords and toward biometrics, among other authentication methods. One notable example of that is its push to ensure all Android smartphones running Android 7.0 Nougat or newer are FIDO2-certified.
Those efforts have also applied to other hardware ecosystems such as Chrome OS.
As of this month, users on a Chromebook or other Chrome gadget can move past the standard two-factor authentication methods to the more easily verifiable and safer use of hardware keys. Those aren't just any hardware keys either, since those typically take the form of USB plug-in gadgets. Instead, users can now use their Android smartphone as the link, with no cables at all, to verify who they are upon logging in.
The latest change may seem to be almost an afterthought by comparison to those earlier methods of securing an account and keeping it that way. In reality, Google says it's actually all but impossible to discern the difference between a real log-in and a hijacked log-in frame when embedded browser frameworks are used.
To that end, because there aren't many developers still using log-ins driven by those methods, it's easier for the search giant to simply stop allowing them than to find a way to detect the problem. Google is advising developers who might still use such frameworks to move to browser-based OAuth authentication instead. The method will be blocked starting in June.
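To show what "browser-based OAuth" looks like for a desktop app, here is an added example (not code from Google or the article) of the pattern the advice points at: the app hands the sign-in to the system browser and only receives an authorization code on a loopback redirect, so it never has a web view in which the user's password could be read or altered. The endpoint, client id and port are placeholders, and the PKCE and state checks go a step beyond the article by showing the standard protections that come with this flow.

```python
# Added example: native-app sign-in through the system browser instead of an
# embedded web view. The app never renders the login page itself; it receives an
# authorization code on a loopback redirect and later exchanges it for tokens.
# Endpoint, client id and port are placeholders, not values from the article.
import base64
import hashlib
import secrets
import urllib.parse
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer

AUTH_ENDPOINT = "https://accounts.example.com/o/oauth2/v2/auth"  # placeholder
CLIENT_ID = "PLACEHOLDER_CLIENT_ID"                               # placeholder
REDIRECT_URI = "http://127.0.0.1:8765/callback"                   # loopback redirect


def make_pkce_pair():
    """PKCE verifier/challenge: an intercepted code is useless without the verifier."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def build_authorization_url(state, challenge, scope="openid email"):
    """URL the system browser opens; the app only ever hands over a URL."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state,
              "code_challenge": challenge, "code_challenge_method": "S256"}
    return AUTH_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_callback(path, expected_state):
    """Extract the code from the redirect; reject any redirect with a wrong state."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(path).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: redirect was not started by this app")
    if "code" not in query:
        raise ValueError("no code in redirect: " + query.get("error", ["unknown"])[0])
    return query["code"][0]


class CallbackHandler(BaseHTTPRequestHandler):
    """One-shot loopback listener that captures the code the browser delivers."""
    def do_GET(self):
        self.server.code = parse_callback(self.path, self.server.expected_state)
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"Sign-in complete; you can close this tab.")


def sign_in():
    state, (verifier, challenge) = secrets.token_urlsafe(16), make_pkce_pair()
    server = HTTPServer(("127.0.0.1", 8765), CallbackHandler)
    server.expected_state, server.code = state, None
    webbrowser.open(build_authorization_url(state, challenge))  # system browser
    server.handle_request()  # block until exactly one redirect arrives
    return server.code, verifier  # exchange both at the token endpoint over TLS
```

Calling `sign_in()` opens the real browser; the pure functions above can be exercised without it.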