OAuth2 authentication

Just got notice from Google that they will drop support for non-secure authentication from May 30. I guess this includes the exception that I have made in my own gmail accounts. I may finally have to give up K9…

Same here, Gmail is going to throw me off at the end of May this year, 2022, due to lack of OAuth 2.

It’s a pity, the new K-9 is so much improved… I’d be happy to help test any attempts to do this.

Let me echo the previous poster, by saying: Google is about to drop support for the security method that K-9 uses.

Here is (part of) an email that I received from Google today.

On 30 May, you may lose access to apps that are using less secure sign-in technology.

To help keep your account secure, Google will no longer support the use of third-party apps or devices which ask you to sign in to your Google Account using only your username and password. Instead, you’ll need to sign in using Sign in with Google or other more secure technologies, like OAuth 2.0.

@LaPaTa Welcome to the forum.

Please read exactly what is written there… It says

Nowhere does it say “app password.” Thus, you can still use your Gmail with apps through app passwords. You just cannot use your regular password any more.

The current timeline provided by Google regarding security makes no mention of removing app password support.

1 Like

Respectfully, I believe you are very very wrong. I hope you are right though.

What I read from the above is that they are doing away with clients that ask for an email and password. They are moving to more secure methods.

App passwords are still account/passwords combos and have most of the same security implications as using your main password. The benefit is that you can disable a corrupt app password and even see what app it was assigned.

I hope K9 devs finally bite the bullet and make OAuth2 happen because if they don’t, there will be a massive flurry of uninstalls come May.

Without OAuth2, K9 must absolutely be discarded as obsolete and insecure.

By modernizing K9, it can once again become the choice for anyone who wants a simple, spyware free client that they can trust.

I have spent all morning searching and have found no android client, paid or free, that doesn’t data mine the crap out of everything. I literally will not be able to use mail on my phone anymore without being violated.

That said, using insecure logins also opens me to violation.

1 Like

@tchara

Thank you for the welcome! I am new to k9mail as well as to the forum.

Is it then that this whole thread (or most of it) is misguided? That is: is it that Google’s imminent change will not affect, or at least need not affect, k9mail? The thread contains a pointer to this - but that seems to be a way of keeping k9mail working with Yahoo. What then about Google?

But, ah, I find that Google’s webpages have a ‘Password Manager’. How that manager works is opaque. But I found therein that I had told the manager not to store any password for k9. I reversed that setting, ran k9 on my phone, and nothing seems anywhere to have changed. So, please advise!

@rick_kcir Welcome to the forum.

Everybody, please just read what Google is writing…

Just scroll down to “Fix Problem” and “Use App Password.” (Once again: app passwords are not going away!)

For some apps (not K-9) you may need to enable “Less secure app access.” The procedure is also linked in the article above.

3 Likes

Let me try to clarify what tchara is saying.

  1. The text tchara quotes is from this Google webpage.
  2. That page allows one to set up an ‘app password’ that will circumvent the security problem that is at issue (that problem being the forthcoming change by Google - a problem that, in the name of security, will remove one way in which apps can use Google services, that way being somewhat insecure).
  3. The same webpage names prerequisites for establishing an ‘app password’. One of those prerequisites (so: there are others, unfortunately...) is that two-factor authentication (TFA) be enabled. That TFA seems to be a one-time-per-device thing. That is: one will need to authenticate each device - each device that uses the app - with Google.

Let me add the following too, though it does not clarify anything. Rather it reports a muddying of the water.

The enabled or disabled state of TFA (as against whether one has provided that authentication for any given device and for any given app) seems to be global. That is: if it is on, then it is on for all devices and all programs. Will having TFA enabled be a problem for devices that are not phones? For, the verification involved (or added) by TFA takes the form of, er, some sort of notification. Yet - the fog thickens - unless a text message that I was sent counts as such notification, I have received no such notification, even though I have enabled TFA. Perhaps the following obtains. In order to see the notifications, one must disable Google’s ‘use apps that are insecure’ setting. Yet, I can, now, find no such setting. Nevertheless, I have the following worry. When Google turns off the insecure access, I might lose access to Google services on my PCs as against on my phone. For, can I provide the requisite authentication on those PCs?

TFA can occur as a code generated by your trusted app (e.g., Google Authenticator or Microsoft Authenticator), a prompt by your trusted app or a challenge by your trusted app.

The codes are 6 digits and are valid for a limited time before they are replaced. - Happens automatically in the app.

The prompts occur as a notification asking for a clear “yes, it’s me” or “no” from you.

The challenge presents a number on the device you are trying to log in on and a set of three numbers in your TFA app. You just choose the correct one.

After each login, you will receive an email. You can confirm the login by clicking “yes, it was me” or ignore the mail if it was you. Otherwise, you can click “no, it wasn’t me,” immediately terminating the questionable session and prompting you to set a new password. - You will need one of the 10 backup codes generated when setting up TFA.

So, make sure to actually print out the backup codes and keep that sheet of paper in a secure location.

edit/ You can set up multiple TFA devices (I think three). I use Microsoft Authenticator in parallel on both my Pixels as well as my Surface.

TOTP (the 6 digit rotating codes) can be generated by a number of apps. Assuming the key (usually a QR code) is used, they’ll all generate the same numbers for that account. I use andOTP on my android phone and also have the OTP seeds in my keepass file, and have keepassxc on my desktop/laptop function also as the code generator. My phone could break, yet I could still access all my 2FA enabled accounts.

TFA = 2FA?

There is no limit to where one can take their TOTP key into apps that generate codes.

But do keep a copy of your 10 Google backup codes, and also backup your TOTP key to a safe place (print out the QR code, or scan it with a QR app and note the string).
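The two posts above say that any TOTP app fed the same key produces the same six-digit codes, and that the key is worth backing up as the string behind the QR code. The following is an added example, not code from K-9, Google or anyone in this thread: it parses the `otpauth://totp/...` URI that a QR code encodes, decodes the Base32 secret, and computes RFC 6238 codes (HOTP over a 30-second counter). The URI, the secret `JBSWY3DPEHPK3PXP` and the RFC 6238 test key are constructed sample inputs; the account label in the URI is made up.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample of what a Google-style enrolment QR code contains (label and secret are made up).
SAMPLE_URI = "otpauth://totp/Google:someone%40gmail.com?secret=JBSWY3DPEHPK3PXP&issuer=Google"

# RFC 6238 Appendix B test key (ASCII "12345678901234567890"), used to check the implementation.
RFC6238_KEY = b"12345678901234567890"


def parse_otpauth(uri: str) -> dict:
    """Split an otpauth://totp/... URI into label, secret and the parameters every app agrees on."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = parse_qs(parsed.query)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": params["secret"][0],
        "issuer": params.get("issuer", [None])[0],
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
        "algorithm": params.get("algorithm", ["SHA1"])[0].upper(),
    }


def decode_secret(secret: str) -> bytes:
    """Base32 (RFC 4648) decode; apps tolerate lowercase, spaces and missing '=' padding, so do the same."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC over the big-endian 64-bit counter, dynamic truncation, then mod 10^digits."""
    digestmod = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}[algorithm]
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, period: int = 30, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 6238: HOTP with the counter set to the number of whole periods since the Unix epoch."""
    return hotp(key, at // period, digits, algorithm)


def verify_totp(key: bytes, code: str, at: int, window: int = 1, period: int = 30,
                digits: int = 6, algorithm: str = "SHA1") -> bool:
    """Server-side check: accept the current step and +/- `window` steps for clock skew, constant-time compare."""
    step = at // period
    return any(
        hmac.compare_digest(hotp(key, step + delta, digits, algorithm), code)
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    account = parse_otpauth(SAMPLE_URI)
    key = decode_secret(account["secret"])
    now = int(time.time())
    print(f"{account['issuer']} / {account['label']}: "
          f"{totp(key, now, account['period'], account['digits'], account['algorithm'])}")
```

Every authenticator that scanned the same QR code holds the same `secret`, so they all produce the same code for a given 30-second window; that is why keeping the decoded string (or the URI itself) in a password manager works as a backup. The `verify_totp` window is what lets a phone that is a few seconds off still log in.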

@tchara: thanks.

I remain without an answer to the following question. If I enable TFA so as to keep using k9 - and I have enabled it - will I have any trouble with those computer applications, such as Mozilla’s Thunderbird, that use Google services? By ‘computer’ I mean desktops and laptops. I worry that at some point the relevant applications, running on those devices, will stop working with Google. For, the devices at issue (desktop computers and laptops) do not run the sort of ‘trusted app’ - I think you mean ‘trust app’, i.e. authenticator app - that you mention.

I just took the chance and committed to enabling 2FA and disabled logging in via insecure apps in my Google Mail account. No need to wait until 30th of May :wink:
I generated an App password and I am using it with K9 on Android successfully. :slightly_smiling_face:
Btw: 2FA is not required on each mail fetch or sending. Only once during App password creation.
PS. Just configured the same Gmail account on a fresh Thunderbird 91.5 on Ubuntu 20.04 using the App password for email. No issues. (There were additionally web popup windows from Thunderbird asking for the Gmail account password via a Google authentication mask. They concerned calendar and contact access which I ignored/closed).

1 Like

Thunderbird has supported OAuth 2.0 since Version 38. They are at a version number exceeding 90 right now :slightly_smiling_face:. I manually configured the server addresses and ports and used Normal Password in order to use the generated App password instead of the OAuth 2.0 method.

Only when using TOTP. Push-based 2FA like the challenge or question type I described requires a named device, as Google, Microsoft et cetera will ask on which device to notify you. Hence the arbitrary limit.

@LaPaTa See @pico 's posts.

@pico Welcome to the forum and thank you for sharing.

Yandex also has the same authorization. This has been implemented in the Mozilla mail program for a long time.

Yesterday I configured my Gmail account on K-9 using the same 16 digit App password on my android mobile and android tablet. Both are working well. I use the same Gmail account in Thunderbird using OAuth2 and the account is setup via IMAP on all three devices.

Obviously, the best solution is to have OAuth2 implemented, so hopefully this can be done soon.

1 Like

I am sorry, but I remain confused. Having used my Google Account settings to set up an app password, K9 does not prompt me for that password. Instead, when I try to send mail from my Gmail account, using K9, K9 closes, without any obvious error message (perhaps because I have set K9 notifications to ‘silent’). But if I look at my notifications, I do see an Android notification that says:

Failed to send some messages
Could not find a valid MX or A record for domain gmail.com.

I am getting pretty sick of this problem. K9 needs to provide, somewhere, intelligible and concise instructions, which work. (Part of the problem, admittedly, is that Google’s own instructions are dire.)

Just now I tried the following. I deleted my Gmail account - deleted it from K9 - and then recreated it. No dice: when trying to recreate the account (the account-within-K9), I got an error message saying... an app-specific password was required.

I note finally that two of the emails that I was trying to send via Gmail seem to have evaporated entirely. One was shown in my Gmail outbox (which is the only ‘folder’ within Gmail that K9 enables me to see).

Sounds like you entered the server address incorrectly. See Google’s help page for details: Add Gmail to another email client - Gmail Help

It (also) sounds like you haven’t fully/correctly set up the gmail account in K9.

K9 doesn’t “prompt” you for a password. When you add an account there is an initial account setup screen where you can enter your account and password. If you enter “yourusername@gmail.com” and a (in that context) google app-password, and select “next”, K9 will do some automatic setup. However, if the information is handy, it’s often just easier to select the “manual setup”. You will need to select IMAP or POP (the automatic setup assumes IMAP) and will then be presented with a configuration screen. The necessary gmail bits are included under “Step 2” on the link in the previous post.

Until your gmail account is fully set up (including id/pw that will let you log into your gmail account) you won’t see any remote (gmail) account detail/“folders”.

1 Like
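The last two replies say the failure is a wrong server address or an incomplete manual setup. As an added example, not K-9's own code or the help page's, here is a small Python script that checks the values one would type into K-9's manual setup against Google's published Gmail settings (imap.gmail.com:993 with SSL/TLS, smtp.gmail.com:465 with SSL/TLS or 587 with STARTTLS) and, on request, tries an actual IMAP and SMTP login with the app password over TLS. The assumption that the "MX or A record for domain gmail.com" error comes from entering the mail domain as the server is the reply's diagnosis, not something verified against K-9; the account name and app password in the usage are made up.

```python
import imaplib
import re
import smtplib
import ssl

# Google's published Gmail server settings (the "Step 2" values on the help page linked above).
GMAIL_IMAP = ("imap.gmail.com", 993)        # implicit SSL/TLS
GMAIL_SMTP_SSL = ("smtp.gmail.com", 465)    # implicit SSL/TLS
GMAIL_SMTP_STARTTLS = ("smtp.gmail.com", 587)


def normalize_app_password(app_password: str) -> str:
    """Google shows the app password as four groups of four letters; the spaces are display only."""
    return app_password.replace(" ", "")


def check_account(username: str, app_password: str, imap_host: str, imap_port: int,
                  smtp_host: str, smtp_port: int) -> list:
    """Offline sanity check of a manually entered Gmail account (assumed K-9 'manual setup' fields).

    Returns a list of human-readable problems; an empty list means the values match
    Google's documented settings.
    """
    problems = []
    if not re.fullmatch(r"[^@\s]+@(gmail|googlemail)\.com", username):
        problems.append("username must be the full address, e.g. yourusername@gmail.com")
    if not re.fullmatch(r"[A-Za-z]{16}", normalize_app_password(app_password)):
        problems.append("password should be the 16-letter app password Google generated, "
                        "not your account password")
    if (imap_host, imap_port) != GMAIL_IMAP:
        problems.append("incoming server must be imap.gmail.com port 993 (SSL/TLS)")
    if (smtp_host, smtp_port) not in (GMAIL_SMTP_SSL, GMAIL_SMTP_STARTTLS):
        hint = ""
        if smtp_host in ("gmail.com", "googlemail.com"):
            # Assumed cause of the "Could not find a valid MX or A record for domain gmail.com"
            # error quoted in the thread: the mail domain was typed where the SMTP server belongs.
            hint = " (the mail domain was entered instead of the SMTP server)"
        problems.append("outgoing server must be smtp.gmail.com port 465 (SSL/TLS) "
                        "or 587 (STARTTLS)" + hint)
    return problems


def live_login_check(username: str, app_password: str, timeout: int = 15) -> tuple:
    """Network check: log in to Gmail IMAP and SMTP with the app password over TLS.

    Returns (imap_ok, smtp_ok). Certificate validation uses the platform trust store.
    """
    pw = normalize_app_password(app_password)
    ctx = ssl.create_default_context()
    imap_ok = smtp_ok = False
    try:
        with imaplib.IMAP4_SSL(*GMAIL_IMAP, ssl_context=ctx, timeout=timeout) as imap:
            imap.login(username, pw)
            imap_ok = True
    except (imaplib.IMAP4.error, OSError) as exc:
        print(f"IMAP login failed: {exc}")
    try:
        with smtplib.SMTP_SSL(*GMAIL_SMTP_SSL, context=ctx, timeout=timeout) as smtp:
            smtp.login(username, pw)
            smtp_ok = True
    except (smtplib.SMTPException, OSError) as exc:
        print(f"SMTP login failed: {exc}")
    return imap_ok, smtp_ok


if __name__ == "__main__":
    # Made-up account and app password; replace with your own before running the live check.
    user, app_pw = "yourusername@gmail.com", "abcd efgh ijkl mnop"
    for problem in check_account(user, app_pw, "imap.gmail.com", 993, "gmail.com", 587):
        print("config problem:", problem)
    print("logins (IMAP, SMTP):", live_login_check(user, app_pw))
```

Running `check_account` first separates a typo in the server fields from a credential problem; if it comes back empty but the live login still fails, the app password itself (or 2-step verification being off) is what to look at, not the K-9 configuration.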