Give Google application-specific passwords access to only one app

4

I have two-factor auth turned on for the Google Apps domain I administer. Is it possible to tighten the restrictions on application-specific passwords (e.g. the one-use, read-only passwords used for things like a Google Finance client on an iPhone) so that they can only read from one application?

As it's set up now, if an application-specific password is generated, it can be used on all Google services by someone who has it. Is there a way to limit these passwords to one application? So I can say "this password is only good for GMail" or "this password is only good for Google Finance".

Kevin Burke

Posted 2012-08-14T14:30:48.133

Reputation: 809

1 This is not the right place for this question. Maybe it should be on superuser? – Rook – 2012-08-14T14:38:40.313

@Rook Agreed. It's partially a security question, but I do think that it's off-topic for here. SuperUser is probably the best place for this to go. – Polynomial – 2012-08-14T14:39:32.183

Sure. Can someone move it? I don't have enough points. – Kevin Burke – 2012-08-14T14:48:52.837

I've flagged it. I'll poke Rory or AviD in a minute. – Polynomial – 2012-08-14T14:55:22.273

Answers

2

This is not possible for now. You can use one and the same application-specific password for more than one App/Service, which in essence makes the password non app-specific :).

However, the application-specific passwords are only displayed once, and after you close them, they are no longer visible/retrievable. In fact the password is as secure as you make it. You can choose to use the password for only one service and never see the password displayed again.

It is a whole other question, however, how easily retrievable/encrypted the application-specific passwords are, even though they are only used as tokens of information valid only for the time you gave access to your Google account for a specific application/service.

I agree, however, that making an application-specific password which could only be used for a single service provider makes things more secure.

Just make sure that the application-specific passwords that you enter are nowhere to be remembered by the application/service, web browser, etc.

The best way of controlling what's going on with your app-specific passwords is to verify the time of login for each password and see whether there are any discrepancies.

Bobster

Posted 2012-08-14T14:30:48.133

Reputation: 80

0

If you enter an application specific password, you do not need the password to your Google account. All you need is the application specific password.

If I can use a single application specific password to gain access to my Google account, how is turning on 2 step verification any more secure than not using it at all?

Without 2SV: 1 password to gain access = one possibility

With 2SV: (one or more application specific passwords to gain access) & (one password that requires an additional generated number) = more than one possibility

It seems to me that not using 2SV is actually more secure.

Jay Dan

Posted 2012-08-14T14:30:48.133

Reputation: 66