How to adjust to google notice about you may lose access to some of your third-party apps
Baszler
baszler at basz.org
Sat Mar 5 16:42:39 MST 2022
On 3/4/22 23:06, Stephen Warren wrote:
> On 3/4/22 20:52, Zak Smith wrote:
>> On Fri, Mar 04, 2022 at 12:59:28PM -0800, MikePruz wrote:
>>> NCLUG,
>>>
>>> Does anyone understand the google change referenced below and what
>>> if anything needs to be done in advance to avoid interruption of
>>> service?
>>>
>>
>> I use almost the exact same software setup and I have the same
>> questions. I figured I'd have to dedicate a day to it in the next
>> month or so. If anyone already has answers that would be awesome.
>> I'm using OfflineIMAP 7.1.5 and msmtp 1.6.6, or thereabouts, on a
>> variety of machines.
>
> You may be able to set up an "application-specific password" rather
> than going the full OAuth 2 route; see:
>
> https://myaccount.google.com/apppasswords
>
> I'm not sure if those are going away, or just apps that sign in with
> your main password.

If it is not clear, Google is pushing everyone to a 2-factor
authentication. We went through this at work a few months back (Google
required it, not our IT dept). They are making the 2-factor as lax as
possible but it still is a 2-factor. When I log into Google, my phone
puts up a prompt that says "Login attempt, Yes/No". I just hit yes and
I'm in. Thus it's a username/password/phone. Since the phone is
Android it is magic and is only single factor (well, kind of
2-factor-ish since it runs face/fingerprint to get in so I'm the 2nd
factor?). They have a bunch of 2-factor options from one-time-pad, to
various commercial hardware keys / software keys. Beyond the phone I
also set up the one-time-pad (you can use several options at the same
time), printed it out and put it in a safe spot. If I lose the phone, I
still want in and can lock the phone out.

They did continue allowing the application-specific-password stuff at
work but cracked down on it to only work from one IP address (my address
needed to be a static IP or it won't accept the application). I'm not
sure how they will extend/allow/deny that for the public Gmail. It was
a bit of a pain but is working. You apply for the application password
using your normal Gmail account and once it is established it works pretty
much like a normal username/password. Since it bypasses the 2-factor,
you can see they added the hard IP requirement to up the security.
Again, not sure what they will allow for the public Gmail given their
push to 2-factor.

Google is on a security push (for those who catch some of the
commercials on YouTube). They have clearly decided that those playing
with alternatives to their software are weakening the security of the
whole of Google. User passwords, no matter how much you push for
quality, are garbage when given to the masses and get Google to be a spam
source. Thus a hard line on 2-factor.

Will see if people stick with Gmail or if the "pain" of 2-factor pushes
people to other platforms.

-Frank