Authentication changes with 2-step verification

Friday, February 11, 2011

We recently announced an advanced opt-in 2-step verification process to help make your Google Accounts significantly more secure. 2-step verification adds an extra layer of security to your Google Account by requiring unique “verification codes” in addition to your username and password at sign-in. This means that if your password is stolen, you still have an extra line of defense against a potential hijacker.

Enabling 2-step verification on a Google Account associated with an AdWords Account may lead to an authentication issue when using the AdWords API, which uses ClientLogin. ClientLogin provides the authentication functionality used by the AdWords API, and is not designed to ask for the verification codes in addition to the password. Therefore, APIs accessing this interface must instead use a special password called an application-specific password.

For 2-step verification users, the ClientLogin API will return an error indicating that the user needs to use an application-specific password if the user tries to login with his regular account password.  When this happens the response will contain an extra field that indicates that the error was due to a missing 2-step verification code, and not incorrect credentials.


We recommend that your application detect this error and remind the user to use an application-specific password. The ClientLogin API doesn’t accept verification codes, but application-specific passwords can be created for an account that allow authentication without a verification code.  These can be used in the ClientLogin API just like regular passwords, and they do not expire.  To obtain an application-specific password, the user needs to log in to their Google Account and click on "Authorizing applications & sites."

Under the application-specific passwords section, they should provide the name of the tool or application they wish to generate a password for.  The generated password will only be displayed once, and although it can’t be recovered later it can be revoked at any time.

Here’s what the generated password looks like:

These changes to authentication only apply to applications that authenticate directly against a 2-step enabled account.  Applications that authenticate as an MCC account and specify a client account through the clientEmail or clientCustomerId header of the request need not to worry if 2-step verification is enabled the client account.

To learn more about application-specific passwords, visit the Google Accounts Help Center. Please visit the Official Google Blog for the complete announcement.

As always, please post any questions to the AdWords API Forum.

Posted by Katie Wasilenko, AdWords API Team