OAuth2 authentication

The new K9mail is great and not as tired as the old version.

Is it possible to include an OAuth2 authentication option when setting the Authentication in Incoming server settings? I have a Gmail account that prefers this setting and I believe that Yahoo mail does too. I currently have to set my Gmail account to Less secure app access, which is not ideal, to get Gmail to work. I believe OAuth2 is now the de facto industry standard for online authorization and would sit well with the new version of K9mail.

Thanks.

5 Likes

Some people have tried to work on OAuth2 but it is quite a big change so hasn’t been properly implemented yet. Basically just waiting on a developer willing to dedicate the time to continue the implementation.

Latest work on OAuth2: Add oauth2 support for gmail and outlook by Monkey-Matt · Pull Request #5385 · k9mail/k-9 · GitHub

Thanks MonkeyMat for your reply. My wife uses a Yahoo email address among others and had to move to the Gmail app because the Yahoo address was unusable on K9mail. An upgrade to OAuth2 would be most welcome.

1 Like

All the OAUTH2 sites that I’m aware of, including gmail, hotmail and yahoo, have an app-specific password option for mail clients that don’t have support for OAUTH2. In some cases, e.g., google workspace (which is a for-fee service), the administrator can require OAUTH2, but that’s somewhat of a special case. I think there are items in this forum giving instructions for at least those three providers.

1 Like

It’s true that you should still be able to use a Yahoo account with K9 mail, just a few extra steps involved in setting it up.

Thank you both for your replies, most appreciated.

The University of Wisconsin is now requiring OAuth2 after October 2021. I’m sorry but I’m going to have to find a new Android Email Client.
So Long and Thanks for all the Fish!
Bob

2 Likes

Same here - would love to keep using K9 but this unfortunately makes it impossible now.

2 Likes

Same - UC Berkeley OAuth2 deadline is 11 January 2022.

Same here - one of my accounts has moved to Office 365. Happy years of K9 mail ended. :frowning:

1 Like

Just got notice from Google that they will drop support for non-secure authentication from May 30. I guess this includes the exception that I have made in my own gmail accounts. I may finally have to give up K9…

1 Like

Same here, Gmail going to throw me off, end of May this year, 2022, due to lack of OAuth2.

It’s a pity, the new K-9 is so much improved… I’d be happy to help testing any attempts to do this.

Let me echo the previous poster, by saying: Google is about to drop support for the security method that K-9 uses.

Here is (part of) an email that I received from Google today.

On 30 May, you may lose access to apps that are using less secure sign-in technology.

To help keep your account secure, Google will no longer support the use of third-party apps or devices which ask you to sign in to your Google Account using only your username and password. Instead, you’ll need to sign in using Sign in with Google or other more secure technologies, like OAuth 2.0.

@LaPaTa Welcome to the forum.

Please read exactly what is written there… It says

Nowhere does it say “app password.” Thus, you can still use your Gmail with apps through app passwords. You just cannot use your regular password any more.

The current timeline provided by Google wet security makes no mention of removing app password support.

1 Like

Respectfully, I believe you are very very wrong. I hope you are right though.

What I read from the above is that they are doing away with clients that ask for an email and password. They are moving to more secure methods.

App passwords are still account/passwords combos and have most of the same security implications as using your main password. The benefit is that you can disable a corrupt app password and even see what app it was assigned.

I hope K9 devs finally bite the bullet and make OAuth2 happen because if they don’t, there will be a massive flurry of uninstalls come May.

Without OAuth2, K9 must absolutely be discarded as obsolete and insecure.

By modernizing K9, it can once again become the choice for anyone who wants a simple, spyware free client that they can trust.

I have spent all morning searching and have found no android client, paid or free, that doesn’t data mine the crap out of everything. I literally will not be able to use mail on my phone anymore without being violated.

That said, using insecure logins also opens me to violation.

1 Like

@tchara

Thank you for the welcome! I am new to k9mail as well as to the forum.

Is it then that this whole thread (or most of it) is misguided? That is: is it that Google’s imminent change will not affect, or at least need not affect, k9mail? The thread contains a pointer to this - but that seems to be a way of keeping k9mail working with Yahoo. What then about Google?

But, ah, I find that Google’s webpages have a ‘Password Manager’. How that manager works is opaque. But I found therein that I had told the manager not to store any password for k9. I reversed that setting, ran k9 on my phone, and nothing seems anywhere to have changed. So, please advise!

@rick_kcir Welcome to the forum.

Everybody, please just read what Google is writing…

Just scroll down to “Fix Problem” and “Use App Password.” (Once again: app passwords are not going away!)

For some apps (not K-9) you may need to enable “Less secure app access.” The procedure is also linked in the article above.

3 Likes

Let me try to clarify what tchara is saying.

  1. The text tchara quotes is from this Google webpage.
  2. That page allows one to set up an ‘app password’ that will circumvent the security problem that is at issue (that problem being the forthcoming change by Google - a problem that, in the name of security, will remove one way in which apps can use Google services, that way being somewhat insecure).
  3. The same webpage names prerequisites for establishing an ‘app password’. One of those prerequisites (so: there are others, unfortunately…) is that two-factor authentication (TFA) be enabled. That TFA seems to be a one-time-per-device thing. That is: one will need to authenticate each device - each device that uses the app - with Google.

Let me add the following too, though it does not clarify anything. Rather it reports a muddying of the water.

The enabled or disabled state of TFA (as against whether one has provided that authentication for any given device and for any given app) seems to be global. That is: if it is on, then it is on for all devices and all programs. Will having TFA enabled be a problem for devices that are not phones? For, the verification involved (or added) by TFA takes the form of, er, some sort of notification. Yet - the fog thickens - unless a text message that I was sent counts as such notification, I have received no such notification, even though I have enabled TFA. Perhaps the following obtains. In order to see the notifications, one must disable Google’s ‘use apps that are insecure’ setting. Yet, I can, now, find no such setting. Nevertheless, I have the following worry. When Google turns off the insecure access, I might lose access to Google services on my PCs as against on my phone. For, can I provide the requisite authentication on those PCs?

TFA can occur as a code generated by your trusted app (e.g., Google Authenticator or Microsoft Authenticator), a prompt by your trusted app or a challenge by your trusted app.

The codes are 6 digits and are valid for a limited time before they are replaced. This happens automatically in the app.

The prompts occur as a notification asking for a clear “yes, it’s me” or “no” from you.

The challenge presents a number on the device you are trying to log in on and a set of three numbers in your TFA app. You just choose the correct one.

After each login, you will receive an email. You can confirm the login by clicking “yes, it was me” or ignore the mail if it was you. Otherwise, you can click “no, it wasn’t me,” immediately terminating the questionable session and prompting you to set a new password. You will need one of the 10 backup codes generated when setting up TFA.

So, make sure to actually print out the backup codes and keep that sheet of paper in a secure location.

edit/ You can set up multiple TFA devices (I think three). I use Microsoft Authenticator in parallel on both my Pixels as well as my Surface.

TOTP (the 6 digit rotating codes) can be generated by a number of apps. Assuming the key (usually a QR code) is used, they’ll all generate the same numbers for that account. I use andOTP on my android phone and also have the OTP seeds in my keepass file, and have keepassxc on my desktop/laptop function also as the code generator. My phone could break, yet I could still access all my 2FA enabled accounts.

TFA = 2FA?

There is no limit to where one can take their TOTP key into apps that generate codes.

But do keep a copy of your 10 Google backup codes, and also backup your TOTP key to a safe place (print out the QR code, or scan it with a QR app and note the string).