The new K9mail is great and not as tired as the old version.
Is it possible to include an OAuth2 authentication option when setting the Authentication in Incoming server settings? I have a Gmail account that prefers this setting and I believe that Yahoo mail does too. I currently have to set my Gmail account to Less secure app access which is not ideal, to get Gmail to work. I believe OAuth2 is now the de facto industry standard for online authorization and would sit well with the new version of K9mail.
Some people have tried to work on OAuth2 but it is quite a big change so hasn’t been properly implemented yet. Basically just waiting on a developer willing to dedicate the time to continue the implementation
Thanks MonkeyMat for your reply. My wife uses a Yahoo email address among others and had to move to the Gmail app because the Yahoo address was unusable on K9mail. An upgrade to OAuth2 would be most welcome.
All the OAUTH2 sites that I’m aware of, including gmail, hotmail and yahoo, have an app-specific password option for mail clients that don’t have support for OAUTH2. In some cases, e.g., google workspace (which is a for-fee service), the administrator can require OAUTH2, but that’s somewhat of a special case. I think there are items in this forum giving instructions for at least those three providers.
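To make concrete what an OAuth2 option in the incoming server settings would change on the wire, here is an added example (written for this thread, not code from the K-9 Mail project or from Google). It builds the SASL XOAUTH2 initial client response that Gmail's IMAP/SMTP servers accept, and parses it back the way a server would. The user name and the access token are constructed placeholders; obtaining a real token through the browser-based authorization flow is a separate step the example does not perform.

```python
import base64
import re

# Constructed sample values (not real credentials). The token stands in for what
# the OAuth2 authorization flow would hand the mail client after the user consents.
SAMPLE_USER = "someone@example.com"
SAMPLE_TOKEN = "ya29.PLACEHOLDER_ACCESS_TOKEN"


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """Build the base64 SASL XOAUTH2 initial client response.

    Wire format (as documented for Gmail IMAP/SMTP):
        user=<email>\\x01auth=Bearer <token>\\x01\\x01
    The client never transmits the account password: it presents a bearer token
    that the provider can scope to mail access and revoke on its own.
    """
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_xoauth2_initial_response(encoded: str) -> dict:
    """Server-side view: decode and validate the XOAUTH2 payload.

    Returns {"user": ..., "token": ...}; raises ValueError on malformed input,
    which is what a server should do rather than guess at the fields.
    """
    raw = base64.b64decode(encoded, validate=True).decode("utf-8")
    m = re.fullmatch(r"user=([^\x01]+)\x01auth=Bearer ([^\x01]+)\x01\x01", raw)
    if not m:
        raise ValueError("malformed XOAUTH2 initial response")
    return {"user": m.group(1), "token": m.group(2)}


def imap_authenticate_line(tag: str, user: str, access_token: str) -> str:
    """The single IMAP command a client sends when using SASL-IR (RFC 4959)."""
    return f"{tag} AUTHENTICATE XOAUTH2 {xoauth2_initial_response(user, access_token)}"


def imap_login_line(tag: str, user: str, password: str) -> str:
    """For contrast: the legacy LOGIN command carries the real account (or app)
    password itself. This is the username-and-password-only sign-in that the
    provider e-mails quoted later in the thread say is being retired."""
    return f'{tag} LOGIN "{user}" "{password}"'


if __name__ == "__main__":
    print(imap_login_line("a1", SAMPLE_USER, "app-password-placeholder"))
    print(imap_authenticate_line("a2", SAMPLE_USER, SAMPLE_TOKEN))
    print(parse_xoauth2_initial_response(xoauth2_initial_response(SAMPLE_USER, SAMPLE_TOKEN)))
```

The practical difference for a user is visible in the two command lines: with LOGIN, whatever secret the client stores is the one that unlocks the mailbox; with XOAUTH2, the stored secret is a token the provider issued for this client and can expire or revoke without touching the account password.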
Just got notice from Google that they will drop support for non-secure authentication from May 30. I guess this includes the exception that I have made in my own gmail accounts. I may finally have to give up K9…
Let me echo the previous poster, by saying: Google is about to drop support for the security method that K-9 uses.
Here is (part of) an email that I received from Google today.
On 30 May, you may lose access to apps that are using less secure sign-in technology.
To help keep your account secure, Google will no longer support the use of third-party apps or devices which ask you to sign in to your Google Account using only your username and password. Instead, you’ll need to sign in using Sign in with Google or other more secure technologies, like OAuth 2.0.
Respectfully, I believe you are very very wrong. I hope you are right though.
What I read from the above is that they are doing away with clients that ask for an email and password. They are moving to more secure methods.
App passwords are still account/passwords combos and have most of the same security implications as using your main password. The benefit is that you can disable a corrupt app password and even see what app it was assigned.
I hope K9 devs finally bite the bullet and make oauth2 happen because if they don’t, there will be a massive flurry of uninstalls come May.
Without oauth2, K9 must absolutely be discarded as obsolete and insecure.
By modernizing K9, it can once again become the choice for anyone who wants a simple, spyware free client that they can trust.
I have spent all morning searching and have found no android client, paid or free, that doesn’t data mine the crap out of everything. I literally will not be able to use mail on my phone anymore without being violated.
That said, using insecure logins also opens me to violation.
Thank you for the welcome! I am new to k9mail as well as to the forum.
Is it then that this whole thread (or most of it) is misguided? That is: is it that Google’s imminent change will not affect, or at least need not affect, k9mail? The thread contains a pointer to this - but that seems to be a way of keeping k9mail working with Yahoo. What then about Google?
But, ah, I find that Google’s webpages have a ‘Password Manager’. How that manager works is opaque. But I found therein that I had told the manager not to store any password for k9. I reversed that setting, ran k9 on my phone, and nothing seems anywhere to have changed. So, please advise!
That page allows one to set up an ‘app password’ that will circumvent the security problem that is at issue (that problem being the forthcoming change by Google - a problem that, in the name of security, will remove one way in which apps can use Google services, that way being somewhat insecure).
The same webpage names prerequisites for establishing an ‘app password’. One of those prerequisites (so: there are others, unfortunately...) is that two-factor authentication (TFA) be enabled. That TFA seems to be a one-time-per-device thing. That is: one will need to authenticate each device - each device that uses the app - with Google.
Let me add the following too, though it does not clarify anything. Rather it reports a muddying of the water.
The enabled or disabled state of TFA (as against whether one has provided that authentication for any given device and for any given app) seems to be global. That is: if it is on, then it is on for all devices and all programs. Will having TFA enabled be a problem for devices that are not phones? For, the verification involved (or added) by TFA takes the form of, er, some sort of notification. Yet - the fog thickens - unless a text message that I was sent counts as such notification, I have received no such notification, even though I have enabled TFA. Perhaps the following obtains. In order to see the notifications, one must disable Google’s ‘use apps that are insecure’ setting. Yet, I can, now, find no such setting. Nevertheless, I have the following worry. When Google turns off the insecure access, I might lose access to Google services on my PCs as against on my phone. For, can I provide the requisite authentication on those PCs?
TFA can occur as a code generated by your trusted app (e.g., Google Authenticator or Microsoft Authenticator), a prompt by your trusted app or a challenge by your trusted app.
The codes are 6 digits and are valid for a limited time before they are replaced. - Happens automatically in the app.
The prompts occur as a notification asking for a clear “yes, it’s me” or “no” from you.
The challenge presents a number on the device you are trying to log in on and a set of three numbers in your TFA app. You just choose the correct one.
After each login, you will receive an email. You can confirm the login by clicking “yes, it was me” or ignore the mail if it was you. Otherwise, you can click “no, it wasn’t me,” immediately terminating the questionable session and prompting you to set a new password. - You will need one of the 10 backup codes generated when setting up TFA.
So, make sure to actually print out the backup codes and keep that sheet of paper in a secure location.
edit/ You can set up multiple TFA devices (I think three). I use Microsoft Authenticator in parallel on both my Pixels as well as my Surface.
TOTP (the 6 digit rotating codes) can be generated by a number of apps. Assuming the key (usually a QR code) is used, they’ll all generate the same numbers for that account. I use andOTP on my android phone and also have the OTP seeds in my keepass file, and have keepassxc on my desktop/laptop function also as the code generator. My phone could break, yet I could still access all my 2FA enabled accounts.
TFA = 2FA?
There is no limit to where one can take their TOTP key into apps that generate codes.
But do keep a copy of your 10 Google backup codes, and also backup your TOTP key to a safe place (print out the QR code, or scan it with a QR app and note the string).