Google's two factor authentication

from Add support for OAuth 2.0 (Gmail) by cketti · Pull Request #6082 · k9mail/k-9 · GitHub

The gist of it was, “how can we play with the new OAuth feature given today’s 30-May google deadline for being forced into app password and 2FA use if OAuth isn’t available.”

Yes, app password can be used with k9. Cool.

Trouble is, google forces you to enable 2FA across your entire google account in order to simply use an app password for mail purposes alone. That’s a rather cheaty way to push people into 2FA.

For those who cannot use 2FA (with good reason, please don’t lecture here), this binding between app password and 2FA is unfortunate. It means we cannot use app passwords, and k9 will stop working for us until 6.200 is out.

No complaining here, just observing.

We very much look forward to 6.200 and will test it at the earliest opportunity. Or would test the main branch pre-release if that can be done.

We very very much appreciate the hard work that has gone into OAuth implementation. Much appreciated. Feeling your pain, as well, about the obfuscated and inaccessible google application process. Been. There. Done. That


As a security geek, I’d love to hear the use cases and reasons why 2FA isn’t an option.

1 Like

[I don’t know how to reply to OldieAB only, so ignore if you accidentially get this.]

Very simple: It’s not 2FA. It’s 2×1FA. As it’s twice the same thing communicating on the client end. It’s not adding even a single bit of security. It’s security theater. The real purpose is to link your phone and e-mail in your ad profile and manipulate you even better (with ads) to be ripped off.
Actual 2FA, or rather 3FA, would be welcome. But that needs a secure terminal that is a physically separate tamper-proof device under your control. Like with FinTS. Built-in ”secure enclave” black boxes in phone SoCs don’t cut it.

If you use TOTP codes for 2FA, there is no phone-user linkage at all. TOTP does not rely upon a network connection to operate. It’s the preferred method, but does have additional overhead of getting the seed/key into an app to generate the code, as well as the risk of a phone getting lost/damaged and codes lost due to no backup.

Google prefers the push aspect, as it’s easy for users. You can still use TOTP.

Backup your TOTP codes (screen shot the QR code, scan the QR code with a QR app to show the key, etc); generate and securely hide the Google backup codes.


Except there is phone-user linkage in the case of Google / GMail. Google does not allow enabling of 2FA without giving your phone number. Even if you want to use TOTP as your 2F, you still need to give away your phone number.

Reading your email is way more interesting than knowing your phone number. If you already don’t have a problem with using Google for your email, giving them your phone number for 2FA doesn’t change much, in my opinion :person_shrugging:


My thoughts exactly. If one is concerned about that, they should be concerned about them reading your email IMHO…

1 Like