Authentication changes with 2-step verification

Wednesday, February 16, 2011 | 1:30 PM

Labels: , , ,

We recently an announced an advanced opt-in 2-step verification process to help make your Google Accounts significantly more secure. 2-step verification adds an extra layer of security to your Google Account by requiring unique “verification codes” in addition to your username and password at sign-in. This means that if your password is stolen, you still have an extra line of defense against a potential hijacker.

Enabling 2-step verification on a Google Account associated with an DFP Account may lead to an authentication issue when using the DFP API, which uses ClientLogin ClientLogin provides the authentication functionality used by the DFP API, and is not designed to ask for the verification codes in addition to the password. Therefore, APIs accessing this interface must instead use a special password called an application-specific password.

For 2-step verification users, the ClientLogin API will return an error indicating that the user needs to use an application-specific password if the user tries to login with his regular account password. When this happens the response will contain an extra field that indicates that the error was due to a missing 2-step verification code, and not incorrect credentials.


We recommend that your application detect this error and remind the user to use an application-specific password. The API doesn’t accept verification codes, but application-specific passwords can be created for an account that allow authentication without a verification code. These can be used in the ClientLogin API just like regular passwords, and they do not expire. To obtain an application-specific password, the user needs to log in to their Google Account and click on "Authorizing applications & sites ."

Under the application-specific passwords section, they should provide the name of the tool or application for which they wish to generate a password. The generated password will only be displayed once, and although it can’t be recovered later it can be revoked at any time.

Here’s what the generated password looks like:

To learn more about application-specific passwords, visit the Google Accounts Help Center Official Google Blog for the complete announcement.

As always, please post any questions to the DFP API Forum .

-- Adam Rogal, DFP API Team