PSA | Google Mail switching to OAuth 2.0 which may cause offline e-mail clients to fail (e.g. Thunderbird)

Hi,

I came across an issue a couple days ago where Mozilla Thunderbird refused to complete sign in to get my latest e-mails. The experience would be:

  1. Launch Thunderbird.
  2. Thunderbird Application would open.
  3. A pop-up would open trying to sign in to https://accounts.google.com
  4. End user cannot get to the password submission screen.

Cause:

In order to switch to the new OAuth 2.0 method you are required to temporarily accept all cookies to complete the switch. You can disable accepting cookies after the switch to OAuth 2.0.

There are complete steps in the below article.


Hi
A well-thought-out post, thank you. I don't hate 2-factor but it's hard to get away from it. I prefer to sidestep the security enhancement prompt and go on regardless; this is at the price of extra security.

Thanks again

–
Data

Hi Data,

Thank you. Sometimes the symptoms of these kinds of issues can be misleading. When I first hit the issue I was thinking perhaps my application access was de-authorized or maybe a Google service was down. I’m glad they are making a move on hardening services (which is really needed).

As for 2-factor authentication … I wish it was more consistent. Here in Canada I do think we need it for services like bank access and transactions (better than a 6-digit PIN). But then I prefer offline 2-factor, like the Authy, Microsoft and Google authenticator apps. Most banks here have their own solution where they want to text you on your cell or call your home to give you a code. So that is not my cup of tea.

Hi kagetora13
Yes, here the majority now want to text or phone a code.
This is all well until you have no cell service.

–
Data


If you set up an app password in your Google security settings, and use that password in Thunderbird or another IMAP app, you don’t need to deal with the OAuth process.

  1. myaccount.google.com
  2. security on the left
  3. App passwords

Good luck!

This is a very good point. To the best of my knowledge Application Specific passwords will bypass 2-factor authentication, which is not ideal from a security standpoint.

2-factor allows you to authorize applications per device
(e.g. I must perform 2-factor authentication the first time I use the Bitwarden vault on a new computer).

More here:

I bet Google does do some profiling on the back end, such that if you log in from halfway around the world, you might get an email notification if they also see you logged in somewhere else. A guess, though.

And yes, “app passwords” are not “application specific passwords”. Rather, it is a password to use in an application instead of the usual ways to log in to a service.

A 16 character app password will take around an estimated 1.5 hundred centuries at 100b guesses/second; maybe 14 years on a massive cracking array scenario doing 100 trillion guesses/second. This would be a lot of electricity and heat though.

Source of estimates: https://www.grc.com/haystack.htm

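For readers who want to see where the "1.5 hundred centuries" and "14 years" figures above come from, here is the keyspace-exhaustion arithmetic carried through in Python. This is an added example, not code from the thread or from GRC's Haystack page. It assumes (my assumption, not stated in the post) that a Google app password is 16 lowercase letters, i.e. an alphabet of 26, and it uses the two attacker speeds the post quotes. Both figures fall out directly; the block also runs the same calculation for a shorter password of the same alphabet to show how quickly length, not just speed, dominates the result.

```python
# Added example: how long it takes to exhaust the keyspace of a fixed-length
# password, in the style of a Haystack-type estimate. Not code from the thread.
# Assumption: Google app passwords are 16 lowercase letters (alphabet size 26).

from dataclasses import dataclass

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # Julian year, typical for such estimates


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of the given length over the alphabet."""
    return alphabet_size ** length


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst case: years needed to try every password in the keyspace.

    On average the correct password is hit half-way through, so the expected
    time is half of this value; the worst case is what the post's numbers use.
    """
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_YEAR


def humanize_years(years: float) -> str:
    """Render a duration in the unit a reader would naturally use."""
    if years < 1:
        return f"{years * 365.25:.1f} days"
    if years < 100:
        return f"{years:.1f} years"
    return f"{years / 100:.0f} centuries"


@dataclass(frozen=True)
class Scenario:
    label: str
    guesses_per_second: float


# The two attacker speeds quoted in the post (constructed labels).
SCENARIOS = (
    Scenario("100 billion guesses/second", 1e11),
    Scenario("100 trillion guesses/second (massive cracking array)", 1e14),
)


def report(alphabet_size: int = 26, lengths: tuple = (8, 16)) -> dict:
    """Return {(length, label): human-readable worst-case time} for each scenario."""
    results = {}
    for length in lengths:
        for scenario in SCENARIOS:
            years = years_to_exhaust(alphabet_size, length, scenario.guesses_per_second)
            results[(length, scenario.label)] = humanize_years(years)
    return results


if __name__ == "__main__":
    for (length, label), duration in report().items():
        print(f"{length:>2}-char lowercase password @ {label}: {duration}")
```

The 16-character row reproduces the post's two figures (about 138 centuries at 100 billion guesses per second, about 14 years at 100 trillion); the 8-character row shows the same alphabet exhausted in seconds at either speed, which is the real argument for letting the provider generate a long random app password rather than choosing one by hand.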