The point: Sign in with Google now supplies auth_time and amr metadata, which applications can use to verify login freshness and authentication methods when implementing risk-based access control.
Google introduces new OIDC standard claims in Sign in with Google: auth_time and Authentication Methods Reference (amr). These enable developers to verify the recency of logins and the authentication methods used.
Google is integrating two new OIDC standard claims into its federated identity system. The claim auth_time indicates the timestamp when authentication occurred, while amr (Authentication Methods Reference) documents which method was used for login – such as multi-factor authentication or hardware keys.
For CTOs and security architects, this is relevant because it simplifies the implementation of risk-driven access control. Applications can now verify the freshness of a login and, depending on the authentication method, decide whether additional authentication is required for sensitive operations. This reduces account takeover risks and fraud cases without significantly compromising user experience.
In practice, this means: A CTO can configure step-up authentication for money transfers or data exports when a login is older than a certain time or was performed using only a simple password. The metadata is available in the ID token and can be queried directly in the authorization logic. Tested apps can use these claims immediately; Google recommends beginning integration and defining risk-based policies based on real login method distributions.
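The step-up decision described above, sketched as an added example (not code from Google or the original article). It assumes the ID token's signature, iss, aud and exp were already validated, that amr values follow the RFC 8176 registry, and that the 15-minute window and the function name `step_up_reasons` are hypothetical policy choices.

```python
import time

# Assumption: amr values follow the RFC 8176 registry ("mfa", "hwk", "pwd", ...).
# Which values Google actually emits is not stated on the page; tune this set.
STRONG_AMR = {"mfa", "hwk"}
MAX_AGE_SENSITIVE = 15 * 60  # hypothetical policy: 15 minutes for sensitive actions
CLOCK_SKEW = 60              # tolerated clock difference, in seconds


def step_up_reasons(claims, now=None, max_age=MAX_AGE_SENSITIVE):
    """Return the reasons a sensitive operation needs re-authentication.

    `claims` must be the payload of an ID token that was already verified
    (signature, iss, aud, exp). An empty list means no step-up is needed.
    """
    now = int(time.time()) if now is None else now
    reasons = []

    auth_time = claims.get("auth_time")
    # bool is a subclass of int in Python, so reject it explicitly.
    if not isinstance(auth_time, int) or isinstance(auth_time, bool):
        reasons.append("auth_time missing or malformed")  # fail closed
    elif auth_time > now + CLOCK_SKEW:
        reasons.append("auth_time is in the future")
    elif now - auth_time > max_age:
        reasons.append("login older than max_age")

    amr = claims.get("amr")
    if not isinstance(amr, list) or not all(isinstance(m, str) for m in amr):
        reasons.append("amr missing or malformed")  # fail closed
    elif not STRONG_AMR.intersection(amr):
        reasons.append("no strong authentication method in amr")

    return reasons


if __name__ == "__main__":
    # Constructed sample claims: password-only login performed one hour ago.
    sample = {"auth_time": int(time.time()) - 3600, "amr": ["pwd"]}
    print(step_up_reasons(sample))
```

Treating a missing or malformed claim as a reason to step up keeps the policy fail-closed for tokens that do not carry the new claims.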
Source: developers.googleblog.com · Published
Lumi AI News — AI-assisted curation per Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.