"In addition, thick-client applications, the primary consumer of ASPs, are rather notorious for poor SSL certificate verification, potentially allowing ASPs to be captured on the wire via MITM [man-in-the-middle] attacks," Goodman said.
While Google's fix tightened its two-factor security process, Duo Security recommended that it go further and restrict the privileges of individual ASPs as much as possible.
However, given Google's complex environment, ASPs will likely always have access to more than one service. "With two-factor authentication, it's difficult to get it right," Oberheide said. "Even Google, with all its wisdom and skill, can make mistakes."