Can I use Obi with Google Voice without giving my password?

[Ellen]

I was surprised to be asked for my Google password when setting up my Google Voice connection.  I don't give that to third parties.  Is it possible to use the Obi with Google Voice without giving my password?  I'm willing to go through extra configuration steps.

[HMishra]

Well, not if the GV # is attached to your primary email-id.

An alternative popular option recommended on these boards would have you create another gmail id, transfer your existing GV# from your primary gmail to the newly created one and use the new one along with the associated password.

[Ellen]

Thanks for the reply.  I'll do that.

[Lavarock7]

For whatr it is worth, it is my understanding that Obi takes that password and encrypts it but the clear password does not get saved in the box or on their server.

Perhaps someone else can chime in with more info.

[geva]

One would hope that the password is encrypted as it is put into the database.  That doesn't mean that it is safe however.  All passwords like this that one system uses to connect to another need to be decryptable, meaning hackers can also decrypt them.

You shouldn't be surprised that OBi wanted your Google password.  They cannot connect you to your GV and other services without out.  Otherwise just anyone could type in your e-mail address and start taking your phone calls and using your GV line.  That wouldn't work!

As was mentioned, a common best practice is just to create another Google account that is not related or connected to your main Google account.  This not only separates things but also protects your main Google account much better.

[CoalMinerRetired]

For what it is worth, it is my understanding that Obi takes that password and encrypts it but the clear password does not get saved in the box or on their server.

Perhaps someone else can chime in with more info.

One would hope that the password is encrypted as it is put into the database.  That doesn't mean that it is safe however.  All passwords like this that one system uses to connect to another need to be decryptable, meaning hackers can also decrypt them.

You shouldn't be surprised that OBi wanted your Google password.  They cannot connect you to your GV and other services without out.  Otherwise just anyone could type in your e-mail address and start taking your phone calls and using your GV line.  That wouldn't work!

As was mentioned, a common best practice is just to create another Google account that is not related or connected to your main Google account.  This not only separates things but also protects your main Google account much better.

Disclaimer: I only know what I've read on Obi's website and on here, but I do pay close attention to this topic.

Obi has a wizard (link) to setup Google Voice. I quoted what it says below. Note that this wizard is independent of the ObiTalk Portal, it writes configuration information directly to you device and the ObiTalk Portal is not involved.  I've seen a similar statement somewhere about the ObiTalk Portal and how it handles passwords, at the moment I can't find those statements.  In hindsight, I'm hoping the statements are the same for the local wizard and the portal.

Note about your Gmail username and password: This configuration utility is for easy placement your Gmail username and password information into the OBi device on a trusted network. Your Gmail password is not stored by Obihai or OBiTALK servers. Your Gmail username and password are used only by your OBi device to communicate with Google servers. Communication between the OBi device and Google servers is secured using HTTPS.

[Felix]

First, I want to second what CoalMinerRetired said: as far as I understand, Obi doesn't store any provider passwords on their servers. If you set up your adapter through the portal, Obitalk server pushes the settings to the device, but doesn't keep the password. There is certainly no reason for them to keep it... it is your device that registers with the provider (Google or SIP), and Obitalk is not a participant in this transaction.

Now, I am not affiliated with Obihai, so I can't know for sure. It is possible that for some weird or malicious reason Obi captures the password as it pushes it to your device and then stores it in some way. If that is a concern, I would not use Obitalk Web portal at all and administer the device through device UI. There are many good arguments to do that way anyway (note, I prefer to administer through the portal - but I respect those arguments nevertheless). See the sticky in this forum for more info.

Separating gmail accounts should be done for different reasons (there may be problems if you are reading your gmail mail, and your obi is registered to google voice at the same time). And encrypting password as it travels from your browser to portal servers and from the portal to your device is really independent of your question.

[KenShabby]

There's no need to create a separate Google account for your Obi device. Just create an "application-specific password" for your GV account and use that for your ObiTalk account:

https://support.google.com/mail/bin/answer.py?hl=en&answer=1173270

https://support.google.com/accounts/bin/answer.py?hl=en&answer=185833

[infin8loop]

There's no need to create a separate Google account for your Obi device. Just create an "application-specific password" for your GV account and use that for your ObiTalk account:

https://support.google.com/mail/bin/answer.py?hl=en&answer=1173270

https://support.google.com/accounts/bin/answer.py?hl=en&answer=185833

Unfortunately an "application-specific password" doesn't protect your account the way you might think. It's simply a way around two factor authentication for those applications that cannot or choose not to prompt for a single-use code that's used in addition to your regular password that makes two factors of authentication.  Anyone in possession of an "application-specific password" (in this case we're concerned with Obihai knowing it from your OBi configuration) can use that application-specifc password in any google application (or client) that accepts an application-specific password. The application you specify at the time you create the application-specific password is freeform text intended to remind you of what application you generated it for, the password is not locked to that application. This lets you revoke the application-specific password if the device (a phone for instance) is lost or stolen. I proved this to myself months ago by getting into my own Google email using an application-specific password that I had generated for my OBi110. Obviously I used a google email client that accepted an application-specific password. If Obihai (or anyone else) has your userid and application-specific password they could also use the same google email client or similar and access your email. I am not saying Obihai does this. I'm just saying the application-specific password doesn't seem to be a solution to the issue. Sorry.           

[twinclouds]

Not sure this problem has been solved but I had the same concern when I started configuring my new obi110 (yesterday!).  Actually, you can configure it for GV without using the portal but through the webUI of the device.  It took sometime to figure that out but I found it has already documented here: http://www.obitalk.com/forum/index.php?topic=4802.msg31210#msg31210.
It doesn't ObiHai is not safe, but if you really like do everything on you own, it worth taking a look.

[giqcass]

I used an application specific password and set My OBi up manually in order to reduce exposure.  As was said earlier the application specific password can be used elsewhere but it does allow you to delete a device if the password is ever compromised.  I see that as a big plus.  Many people use the same password over and over on different services which makes it easy to compromise their other accounts as well.

A Google account for Obi and Google Voice however is the safest option.  You can always have all email sent to that account forwarded to your regular email account.

It would be nice if the Obi allowed 2 step verification but there are also a lot of caveats to that system with a device like the Obi.

You can never eliminate all risk you can only reduce it.