
New Session Metadata for Sign in with Google Security

TL;DR

Google now adds auth_time and amr claims to ID tokens for verified apps to help detect session freshness and authentication strength.

Key points

1. What auth_time and amr do: Google introduced two new OIDC claims: auth_time (the timestamp of the last Google session authentication) and amr (a JSON array listing the authentication methods used, such as password, MFA, or a security key). These claims help apps determine session freshness and authentication strength. For example, your app can check whether the user signed in with MFA (mfa) or a security key (hwk) and require that level of assurance for sensitive actions. This means you can implement step-up authentication for critical functions when the session is stale, reducing fraud without changing your login flow. The claims work across Android, iOS, and web apps, so you don't need new infrastructure to start using them.

2. How to use the claims: To request these claims, add the OIDC `claims` parameter, `claims={ "id_token": { "amr": { "essential": true }, "auth_time": { "essential": true } } }` (URL-encoded when placed in the query string), to your Sign in with Google authentication request. This is compatible with existing OpenID Connect flows and requires no major code changes. For instance, your app can check auth_time to trigger re-authentication for admin actions once the last authentication is more than 15 minutes old, or use amr to block access to sensitive features unless MFA or a hardware key was used. This approach helps you build more dynamic security policies while leveraging Google's vetting of user sessions, reducing the risk of account takeovers without increasing user friction.

3. Real-world security benefits: Apps can now detect fraudulent activity more effectively. If a user signs in with a password (pwd) but then tries to access admin functions after 10 minutes, your system can flag the request as high risk and require re-authentication. Similarly, if amr shows a security key (hwk), you can grant immediate access to high-value actions without extra steps. This directly addresses phishing and abuse by providing concrete signals about session legitimacy. For example, a banking app could use auth_time to automatically lock sessions once the last authentication is more than 5 minutes old and require MFA for transactions, cutting fraud-related support costs while improving user trust.
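The following is an added illustration, not code from Google or from the original post: it builds the URL-encoded `claims` request parameter described above and applies a step-up policy to the auth_time and amr values of an ID token. It assumes the token's signature, issuer, audience and expiry have already been verified by your OIDC library; the action names, thresholds and sample payloads are constructed for this example.

```python
import json
import time
from urllib.parse import urlencode

# amr values named on this page (pwd, mfa, hwk), ranked by assurance level.
AMR_STRENGTH = {"pwd": 1, "mfa": 2, "hwk": 3}

# Hypothetical per-action policy: how old auth_time may be and the minimum
# amr strength required. Thresholds follow the page's examples (15 min for
# admin actions, 5 min for a banking-style transaction).
ACTION_POLICY = {
    "view_profile": {"max_age_s": 24 * 3600, "min_strength": 1},
    "admin": {"max_age_s": 15 * 60, "min_strength": 2},
    "transfer_funds": {"max_age_s": 5 * 60, "min_strength": 2},
}
CLOCK_SKEW_S = 60  # tolerate small clock differences with the issuer


def claims_request_param() -> str:
    """URL-encoded `claims` parameter asking Google for amr and auth_time."""
    claims = {"id_token": {"amr": {"essential": True},
                           "auth_time": {"essential": True}}}
    return urlencode({"claims": json.dumps(claims, separators=(",", ":"))})


def session_strength(claims: dict) -> int:
    """Strongest method listed in amr; unknown or missing methods count as 0."""
    amr = claims.get("amr")
    if not isinstance(amr, list):
        return 0
    return max((AMR_STRENGTH.get(m, 0) for m in amr), default=0)


def step_up_decision(claims: dict, action: str, now=None) -> str:
    """Return "allow" or "reauth" for an already signature-verified ID-token
    payload. Only policy is applied here; token validation happens earlier."""
    now = time.time() if now is None else now
    policy = ACTION_POLICY[action]
    auth_time = claims.get("auth_time")
    if isinstance(auth_time, bool) or not isinstance(auth_time, (int, float)):
        return "reauth"  # essential claim absent: treat the session as stale
    if now - auth_time > policy["max_age_s"] + CLOCK_SKEW_S:
        return "reauth"  # last authentication is too old for this action
    if session_strength(claims) < policy["min_strength"]:
        return "reauth"  # authenticated, but not strongly enough
    return "allow"


if __name__ == "__main__":  # constructed payloads, not real Google tokens
    now = time.time()
    print(step_up_decision({"auth_time": now - 600, "amr": ["pwd"]}, "admin"))
    print(step_up_decision({"auth_time": now - 60, "amr": ["hwk"]}, "transfer_funds"))
```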

What changed

Before this update

Apps used Sign in with Google without detailed session authentication signals

After this update

Verified apps receive auth_time (last auth timestamp) and amr (authentication method) in ID tokens to improve security decisions


This is a summary of an official post from the Google Search Central Blog, provided for quick reading. Google and the Google logo are trademarks of Google LLC; My Tool Studio is not affiliated with Google. Always refer to the original announcement for authoritative guidance.