On his excellent Android Explorations blog, Nikolay Elenkov documented a rather in-depth investigation into the web auto-login mechanism on Android.
After you’ve linked your device to a Google account, the browser will let you use your device’s existing authorization to skip Google’s web-based sign-on prompts.
The simpler of the two was another Client Login-style request, but using the returned That Merge Session URL is the key here.
If you open it in an unauthenticated web browser after making this API call (you have to do this quickly; it has a very short expiration window), you will be immediately logged into your account settings page, with no authentication prompt!
to enable Chrome’s sync features, or to set up your Google account on an Android device.
More recently, these clients have generally shifted to using methods along the lines of OAuth.
(There is even experimental support for this in desktop versions of Chrome; you can enable it by visiting .) Until late last week, this auto-login mechanism worked even for the most sensitive parts of Google’s account-settings portal.