emacs-devel

Re: Making GNUS continue to work with Gmail


From: David De La Harpe Golden
Subject: Re: Making GNUS continue to work with Gmail
Date: Mon, 17 Aug 2020 14:03:52 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.11.0

On 17/08/2020 09:23, tomas@tuxteam.de wrote:
> On Mon, Aug 17, 2020 at 02:00:41PM +0800, 范凯 wrote:
> > Is it possible to just use the application specific password?
>
> This is Gregory's option (2), right?

No, "app specific passwords" are a separate end-user facility google in particular currently offers (other providers certainly may not allow anything similar), where the end-user can generate secondary passwords distinct from their main one, for use with non-oauth2-supporting apps that use traditional username+password auth methods.

Using their "app specific passwords" facility requires enabling the "2 step verification" facility with its own issues*, and then disables the ability to use the general "less secure apps" (google terminology) facility that allows traditional username/user-main-password auth.

App specific passwords are relatively complex and manual for the end-user to manage, and google may withdraw the facility one day too (well that surely applies to anything google does anyway).

Personally I have no idea from the various recent announcements around "less secure apps" how long they will continue to allow such "app specific passwords" in the sense of such username/app-specific-password plain auth (at the protocol level, not any out of band 2-step shenanigans) even after disallowing overall "less secure apps" (google terminology) in the sense of username/user-main-password plain auth.

I expect they would continue ... in the short term ... to avoid completely locking out users of old mobile devices if nothing else. Even so, once their usage stats drop below some level, they may move to phase them out - they're clearly annoying, error-prone and complex for users to manage compared to a fully-implemented oauth2 flow (user-exposed complexity of manual token fetches and stuff is not normal even if emacs users are currently doing it).


(* perhaps not because it's bad in principle, simple password auth has its known issues, but because google initially requires and encourages a notoriously weak phone-sms method by default (subject to recent and high-profile attacks by "sim swap" social engineering and the like at other providers). Though you can configure e.g. totp instead afterward [1])


[1] https://support.google.com/accounts/thread/5185475?hl=en