Working together to improve user security
Blog post from Google Cloud
Google is enhancing user security for applications using Google Sign In by introducing Cross Account Protection (CAP), a protocol that allows apps to share security notifications about a common user. CAP addresses a critical flaw in single sign-in solutions, where an attack on a user's Google Account could compromise app access. It supports standardized security events such as account hijacking, account disabling, and forced password changes, and is built on new Internet Standards developed with the OpenID Foundation and IETF. CAP enables developers to implement a single system for receiving security signals from multiple identity providers. For those already using Google Sign In, implementing CAP involves enabling the RISC API, creating a Service Account, and setting up a REST API to receive security event tokens. Developers using Firebase Authentication or Google Cloud Identity automatically have CAP configured, simplifying integration.
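The last step above, a REST endpoint that receives security event tokens, is where most of the security work for a CAP receiver lives: every token must be authenticated and bound to this app before any session is touched. The following Python is an added example, not Google's code or the Google Sign In SDK. It validates a Security Event Token (a JWT of type `secevent+jwt` as defined in RFC 8417) and maps the event types named in the post (account disabled for hijacking, sessions revoked, credential change required) to defensive actions. Assumptions: the event-type URIs follow the OpenID RISC profile, the issuer value `https://accounts.google.com` and the audience are placeholders for what the real stream and your OAuth client id would carry, and signature checking is pluggable: the HMAC verifier is a constructed stand-in so the block runs offline, whereas a production receiver verifies the provider's RS256 signature against its published JWKS and passes that verifier in.

```python
# Receiver-side handling of Security Event Tokens (SETs, RFC 8417) from a RISC
# stream.  Added example, not Google's code.  The HMAC verifier is a constructed
# stand-in so this runs offline; a real receiver verifies RS256 against the
# provider's published JWKS and passes that verifier in instead.
import base64, hashlib, hmac, json, time

RISC = "https://schemas.openid.net/secevent/risc/event-type/"  # OpenID RISC profile
ACCOUNT_DISABLED = RISC + "account-disabled"
SESSIONS_REVOKED = RISC + "sessions-revoked"
CREDENTIAL_CHANGE_REQUIRED = RISC + "account-credential-change-required"
VERIFICATION = RISC + "verification"
EXPECTED_ISSUER = "https://accounts.google.com"                # assumed issuer value
EXPECTED_AUDIENCE = "example-app.apps.googleusercontent.com"   # constructed client id
MAX_TOKEN_AGE_S, CLOCK_SKEW_S = 600, 60   # SETs carry iat; bound their age ourselves

class SetError(ValueError):
    """Token must be rejected: answer HTTP 400 and take no action on it."""

def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def hmac_verifier(key: bytes):
    """Constructed stand-in: real streams are RS256, verified against JWKS."""
    def verify(header: dict, signing_input: bytes, signature: bytes) -> bool:
        if header.get("alg") != "HS256":
            return False
        return hmac.compare_digest(hmac.new(key, signing_input, hashlib.sha256).digest(), signature)
    return verify

def parse_set(token: str, verify, *, now=None, seen_jti=None) -> dict:
    """Validate a compact-serialised SET; return its claims or raise SetError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise SetError("not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("typ") != "secevent+jwt" or header.get("alg") in (None, "none"):
        raise SetError("unexpected typ/alg")        # pin the type, never accept unsigned
    if not verify(header, f"{parts[0]}.{parts[1]}".encode(), _b64url_decode(parts[2])):
        raise SetError("signature check failed")
    claims = json.loads(_b64url_decode(parts[1]))
    if any(c not in claims for c in ("iss", "aud", "iat", "jti", "events")):
        raise SetError("required SET claim missing")
    if claims["iss"] != EXPECTED_ISSUER:
        raise SetError("unexpected issuer")
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if EXPECTED_AUDIENCE not in aud:
        raise SetError("token not addressed to this app")
    now = time.time() if now is None else now
    if claims["iat"] > now + CLOCK_SKEW_S or now - claims["iat"] > MAX_TOKEN_AGE_S:
        raise SetError("token outside acceptance window")
    if seen_jti is not None:                        # replay protection on the token id
        if claims["jti"] in seen_jti:
            raise SetError("replayed jti")
        seen_jti.add(claims["jti"])
    if not isinstance(claims["events"], dict) or not claims["events"]:
        raise SetError("events must be a non-empty object")
    return claims

def handle_events(claims: dict) -> list:
    """Map each event to the defensive action the app takes for that user."""
    actions = []
    for event_type, event in claims["events"].items():
        subject = event.get("subject", {})          # RISC 'iss-sub' subject identifier
        who = subject.get("sub") or subject.get("email") or "<unknown>"
        if event_type == ACCOUNT_DISABLED:          # e.g. reason "hijacking"
            actions += [("revoke_sessions", who), ("block_login", who)]
        elif event_type == SESSIONS_REVOKED:
            actions.append(("revoke_sessions", who))
        elif event_type == CREDENTIAL_CHANGE_REQUIRED:
            actions.append(("force_reauth", who))
        elif event_type == VERIFICATION:            # stream health check: record its state
            actions.append(("verification", event.get("state", "")))
        else:
            actions.append(("log_unhandled", event_type))
    return actions

def make_test_token(claims: dict, key: bytes) -> str:
    """Constructed HS256-signed SET for local tests only."""
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    signing_input = ".".join(_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)

def rejects(token: str, verify, **kw) -> bool:
    """True if parse_set refuses the token."""
    try:
        parse_set(token, verify, **kw)
        return False
    except SetError:
        return True

def demo(now: float = 1_700_000_000.0) -> list:
    key = b"constructed-demo-key"   # constructed; stands in for the provider's signing key
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "iat": int(now), "jti": "demo-jti-0001",
              "events": {ACCOUNT_DISABLED: {"subject": {"subject_type": "iss-sub", "iss": EXPECTED_ISSUER,
                                                        "sub": "1234567890"}, "reason": "hijacking"}}}
    return handle_events(parse_set(make_test_token(claims, key), hmac_verifier(key), now=now, seen_jti=set()))
```

The order of checks is deliberate: the signature is verified before any claim is trusted, the audience check stops a token minted for a different app from being replayed against this one, and the `jti` set (a shared store in practice) stops the same event from being acted on twice. Only a token that passes every check reaches `handle_events`; anything else is answered with an error and logged, never acted on.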