Google's implementation of 2-factor authentication would be a fantastic platform for third parties needing the same functionality. Imagine that you run a website that could benefit from 2-factor authentication. If Google chose to support it, a Google Authenticator API would be dead simple. Say you run Reddit and want to support 2-factor auth. You could send a request to the GAuth API with the name of your service/account (in this example, "Reddit: kfury") and Google would pass back a secret token and a url to a QR code image. You (Reddit) store the secret token in your user database and associate it with your user. You give the QR code to the user so they can suck it in to their phone with their Google Authenticator app. Now when the user wants to sign in you ask them for a current code from Google Authenticator and, having received it, you pass it and the user's secret token to the GAuth API, which returns a simple 'pass' or 'fail'. Reddit would log me in or tell me the code was bad, accordingly. Rate-limiting and other protections could be built in to the API so the individual sites wouldn't have to worry about that either. Judging by the generic nature of the Google Authenticator app this is probably part of the plan, and if so I can't wait. Update: Thanks to @elstudio and Nelson Minar for pointing me to the google-authenticator project which allows site admins to use Google Authenticator with PAM to auth on their sites. It could still be made easier for the casual developer if they could stay away from the auth side altogether, but with this code anyone could implement the kind of GAuth API I described. Exciting!