Google is rolling out two security-related changes that are aimed at simplifying the process of getting 2-Step Verification (2SV) backup codes through a new page and approving permissions on the OAuth screen.
When setting up 2-Step Verification, Google issues 10 backup codes in case your phone and security keys are lost. They are entered after your username and password to confirm that it’s really you signing in.
There’s now a dedicated backup code page instead of a pop-up. It’s still accessed from the main 2-Step Verification list, with this change coming to Android, iOS, and the web.
Here, users can generate new backup codes or re-fresh for additional backup codes, and print or download the codes as before. Additionally, we’ve added a new option to delete your backup codes.
Meanwhile, Google is also tweaking the OAuth consent experience that you encounter when granting third-party apps access to Google Account data, like your Drive files or Calendar appointments. If only incremental authorization (one scope) is requested, you will not have to hit a checkbox next to the permission. Rather, users can just tap “Continue” at the bottom of the screen.
This builds on Google’s work in mid-2019 to “give users fine-grained control over the account data they chose to share with a given app,” and the consolidation of “multiple-permission requests into a single screen” earlier this year.
There is no change you need to make to your app. However, we recommend using incremental authorization and requesting only one resource at the time your app needs it. We believe that doing this will make your account data request more relevant to the user and therefore improve the consent conversion.
FTC: We use income earning auto affiliate links. More.