
Please help flesh out MUA:Google 2SV/2FA/MSV/MFA options for everyone to benefit prior to June 30th 2022

Andy Burnelli
Jun 22, 2022, 5:06:36 PM

Chris wrote:

>> I always thought 2FA could be done via another email address thus
>> skipping the phone. I mean, they do have to think of
>> those who don't have a phone, right? Or do I live in a rose garden?
>
> For 2FA you always have to have *something*. That's what two factor
> authentication means: something you know and something you have. Typically,
> it's a password and a phone, but it can be different things.

I believe Chris is correct that it can be a variety of "different things"
that suffice for that 2FA/2SV/MFA/MSV "something else" where I'm almost
completely unfamiliar with what those multiple "else" things might be.

Can someone help us flesh out _what_ those multiple MFA things might be?

Here's a list I came up with searching about where I ask others to help
flesh it out so that we each have a list of what our choices might be.

1. OAuth2 (usually using an on-device Google Account), or
2. Autoforward Google mail to a non-Google account, or,
3. 2FA/2SV/MSV/MFA via a variety of authenticators, such as...
a. app passwords
<https://support.google.com/mail/answer/185833>
b. Some kind of "2FA/2SV/MSV/MFA authenticator" app
<https://support.google.com/accounts/answer/1066447>
such as...
FreeOTP Authenticator
<https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp>
Google Authenticator
<https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator>
Authy
<https://play.google.com/store/apps/details?id=com.authy.authy>
FreeOTP+
<https://play.google.com/store/apps/details?id=org.liberty.android.freeotpplus>
etc.
c. USB tokens
d. Time-based one-time passwords (TOTP)
e. SMS 2FA
f. Use the phone's built-in security key
<https://support.google.com/accounts/answer/9289445>
g. Use a physical "security key"
<https://support.google.com/accounts/answer/6103523>
h. Get a one-time security code from another device
<https://support.google.com/accounts/answer/2917834>
i. Enter one of your 8-digit backup codes
<https://support.google.com/accounts/answer/1187538>
j. Sign in using QR codes
<https://support.google.com/accounts/answer/9283368>
k. Set up a "trusted computer" for sign in
<https://support.google.com/accounts/answer/2544838>
l. Sign in with "google prompts"
<https://support.google.com/accounts/answer/7026266>
Any others?
--
Posted out of the goodness of my heart to disseminate useful information.

Andy Burns
Jun 22, 2022, 5:11:17 PM
Andy Burnelli wrote:

> prior to June 30th 2022

What is significant about 30th June?
The oAuth2 changeover happened on (or around) 30th May ...

WaltS48
Jun 22, 2022, 5:19:50 PM
Well, version 102 should be released on or around June 28th.

I use IMAP with OAuth2 for my Gmail accounts.

--
OS: Fedora 35 Workstation - Gnome 41 Desktop
https://blog.thunderbird.net/2022/06/welcome-to-the-thunderbird-102-beta-resources-links-and-guides/
Same Nightmare, Different Day


Andy Burnelli
Jun 22, 2022, 6:13:01 PM
Andy Burns wrote:

> The oAuth2 changeover happened on (or around) 30th May ...

My mistake. You correctly surmised the reason for this request is because
Google apparently disabled login/password authentication on May 30th, 2022.

Thunderbird has had OAuth2-via-the-web-browser for a while, apparently
because Mozilla pays from $15K to $75K for a yearly security audit suitable
for Google; but free-MUA developers can't afford that unnecessary expense.

While the developer of the FairMail app suggested this 2FA/2SV/MFA/MSV app:
*FreeOTP Authenticator* by Red Hat
Free, no ads, no gsf, rated 3.7, 1M+ installs
<https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp>

The answer to flesh out in this thread for everyone to benefit from is:
*What are the total 2FA/2SV/MFA/MSV options available after May 30th*

John Robertson
Jun 23, 2022, 7:24:48 PM
On 2022/06/22 3:19 pm, WaltS48 wrote:

> I use IMAP with OAuth2 for my Gmail accounts.

Does that phone you or SMS you for the authorization codes?
--
(Please post followups or tech inquiries to the USENET newsgroup)
John's Jukes Ltd.
MOVED to #7 - 3979 Marine Way, Burnaby, BC, Canada V5J 5E3
(604)872-5757 (Pinballs, Jukes, Video Games)
www.flippers.com
"Old pinballers never die, they just flip out."

WaltS48
Jun 23, 2022, 8:39:01 PM
On 6/23/22 7:25 PM, John Robertson wrote:
> On 2022/06/22 3:19 pm, WaltS48 wrote:
>
>> I use IMAP with OAuth2 for my Gmail accounts.
>
> Does that phone you or SMS you for the authorization codes?

Doesn't ask for authorization codes.

I just open Thunderbird and it gets my email.

In a former life I was a pinball and, after Pong arrived, a video game
technician in New Orleans.

My current home is home to <https://replayfoundation.org/>

Most fun job ever!

Andy Burnelli
Jun 23, 2022, 9:10:08 PM
Andy Burnelli wrote:

> While the developer of the FairMail app suggested this 2FA/2SV/MFA/MSV app:
> *FreeOTP Authenticator* by Red Hat
> Free, no ads, no gsf, rated 3.7, 1M+ installs
> <https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp>

I installed the app, but it apparently requires a mothership account too!
It's just a different mothership (apparently). Sigh.

For others to benefit, here are installers for each supported platform:

Android GooglePlay *FreeOTP Authenticator* by Red Hat
Free, no ads, no gsf, rated 3.7, 1M+ installs
<https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp>

Android F-Droid *FreeOTP* Two-factor authentication
<https://f-droid.org/packages/org.fedorahosted.freeotp/>

iOS *FreeOTP Authenticator* by Red Hat
<https://apps.apple.com/us/app/freeotp-authenticator/id872559395>

GitHub Android *FreeOTP*: <https://github.com/freeotp/freeotp-android>
GitHub iOS *FreeOTP*: <https://github.com/freeotp/freeotp-ios>

I haven't tested it fully because I generally stop the instant any app
requires a mothership login account, which this seems to require.

Isn't there any way to do 2FA/2SF/MSV/MFA without giving away your privacy?

Dave Royal
Jun 24, 2022, 3:51:00 AM
On Android I use andOTP which will export (locally, encrypted) and
import your accounts, which freeOTP doesn't - or didn't last time I
checked.

On iOS, with freeOTP, I think you have to rely on Apple's migration
process if you get a new phone. Not sure.

--
Remove numerics from email address

Andy Burnelli
Jun 24, 2022, 11:59:47 AM
Dave Royal wrote:

> On Android I use andOTP which will export (locally, encrypted) and
> import your accounts, which freeOTP doesn't - or didn't last time I
> checked.

Thank you for helping out as I've avoided 2FA/2SV/MFA/MSV until now because
of the direct loss of privacy implications.

If there is a way to use an "OTP" program that does _not_ require a phone
number or a mothership account, then _that_ is what I would want to explore.

*andOTP* Android OTP Authenticator by Jakob Nixdorf
free, no ads, no gsf, rated 4.3, 100K+ installs
<https://play.google.com/store/apps/details?id=org.shadowice.flocke.andotp>
<https://f-droid.org/en/packages/org.shadowice.flocke.andotp/>
<https://github.com/andOTP/andOTP/releases>
<https://forum.xda-developers.com/t/app-4-4-open-source-andotp-open-source-two-factor-authentication-for-android.3636993/>

The advertising says (verbatim):
"andOTP implements Time-based One-time Passwords (TOTP) like specified
in RFC 6238 (HOTP support is currently in beta testing).
Simply scan the QR code and login with the generated 6-digit code."

Please pardon my ignorance as I had never wanted to use 2FA/2SV.
Where are you supposed to get that QR code they speak about above?

> On iOS, with freeOTP, I think you have to rely on Apple's migration
> process if you get a new phone. Not sure.

Interesting. I hope that doesn't happen with Android.

What we need is a tutorial for the privacy conscious person for how to log
into Google email without requiring all these privacy-reducing steps.

Andy Burnelli
Jun 24, 2022, 12:21:43 PM
Andy Burnelli wrote:

> Please pardon my ignorance as I had never wanted to use 2FA/2SV.
> Where are you supposed to get that QR code they speak about above?

The great news is that the Flocke "andOTP" <org.shadowice.flocke.andotp>
that Dave Royal recommended did _not_ ask to log into a mothership like the
Red Hat "freeOTP" <org.fedorahosted.freeotp> program did when I tried
(although, it seems that Red Hat freeOTP didn't ever need the login as I
just looked now and it seems to pop up even as I did _not_ create an
account).

Moving forward on this task, Flocke andOTP asks for one of three things:
a. Scan QR code
b. QR code from image
c. Enter details

Since I don't have a QR code, the details it seems to want are:
1. Type = TOTP (available are TOTP, HOTP, MOTP & STEAM)
2. Issuer = <blank> (editable)
3. Label = <blank> (editable)
4. Secret = <blank> (editable)
5. Tags = <blank> (editable)
6. Period 30 (editable)
7. Digits = 6 (editable)

By way of contrast, Red Hat freeOTP seemed to want:
a. Scan QR code
b. Enter details

Where the details that Red Hat freeOTP seems to want are:
A. Scan QR code
B. Email = <blank> (editable)
C. 28c5e061fcbd49a7 = (16-hex characters, editable)
D. Secret = <Base32> (editable)
E. Type = TOTP (available are TOTP & HOTP)
F. Digits = 6 (available are 6 & 8)
G. Algorithm = SHA1 (available are MD5, SHA1, SHA256 & SHA512)
H. Interval = 30 (editable)

Since I've never done this, nor have I ever _wanted_ to do this, but since
I'm being forced to do this (if I want to log into Google email _without_
having OAuth2 _create_ a mothership account on the device), can someone
kindly explain to me where I'm supposed to get the necessary information?

Thanks. Please be gentle. I will likely write up a tutorial for noobs but
at this point, I'm the noob so I need your guidance to get past hurdles.
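
As an added illustration (not code from the thread, nor from andOTP or FreeOTP) of what the fields listed above mean: a provisioning QR code is nothing more than an otpauth:// URI carrying the same Secret (Base32), Algorithm, Digits and Period/Interval values, and the 6-digit code is then computed per RFC 6238. The issuer and label below are constructed placeholders; the secret is the published RFC 6238 test key, so the values are checkable against the RFC's own table.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote, urlencode

# Constructed sample: the RFC 4226/6238 test key "12345678901234567890",
# Base32-encoded the way the apps' "Secret" field expects it.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def build_otpauth_uri(issuer, label, secret_b32, algorithm="SHA1", digits=6, period=30):
    """Return the Key URI a provisioning QR code encodes. "Scan QR code" reads
    exactly these fields; "Enter details" is the same fields typed by hand."""
    params = {"secret": secret_b32, "issuer": issuer,
              "algorithm": algorithm, "digits": digits, "period": period}
    return "otpauth://totp/%s?%s" % (quote(f"{issuer}:{label}", safe=":@"), urlencode(params))


def hotp(secret_b32, counter, algorithm="SHA1", digits=6):
    """RFC 4226 HOTP: HMAC (SHA1/SHA256/SHA512) over the 8-byte big-endian
    counter, then dynamic truncation to the requested number of digits."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at=None, algorithm="SHA1", digits=6, period=30):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    if at is None:
        at = time.time()
    return hotp(secret_b32, int(at) // period, algorithm, digits)


def verify_totp(secret_b32, code, at=None, window=1, algorithm="SHA1", digits=6, period=30):
    """Server-side check: accept the current step or one within +/- window
    steps (phone/server clock drift), comparing in constant time."""
    if at is None:
        at = time.time()
    step = int(at) // period
    return any(hmac.compare_digest(hotp(secret_b32, step + d, algorithm, digits), code)
               for d in range(-window, window + 1) if step + d >= 0)


if __name__ == "__main__":
    print(build_otpauth_uri("Example", "user@example.com", SECRET_B32))
    print("current code:", totp(SECRET_B32))
```

The site you enrol with generates the secret and shows it as this URI in a QR code (or as the Base32 text for manual entry); the phone never needs a network account for the codes, since both sides only share the secret and the clock.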

Andy Burnelli
Jun 27, 2022, 6:32:27 PM
...winston wrote:

> The app password option, while not recommended by Google, appears to be
> available for the population that is not using OAuth2 capable email
> clients including those that have options to setup for OAuth2 when
> setting up automatically but still choose to manually set up(app
> password necessary since OAuth2 not a configurable option with Auto,
> SSL, TLS only available).

OAuth2, unfortunately, has astoundingly huge unexpected privacy issues.

For those of us who don't have a Google Account on our phones (and, of
course, who don't want one created just to read our email with a MUA),
the "app passwords" option might be the least onerous available to Android
MUAs after Google deprecated traditional logins/passwords May 30th, 2022.

The intractable and yet non-intuitive problem (as I've personally
experienced using FairMail) with OAuth2 on Android is that the free MUA
developers probably can't afford to pay for the yearly $15K to $75K
security audit Google requires of them if they want to authorize OAuth2 over
the web (as Thunderbird on Windows does).

Hence, on Android, most (if not all!) freeware MUAs will resort to
_creating_ a Google Account on the Android phone in order to authorize the
OAuth2 credentials for the first time (if the account isn't prior set up).

Which makes OAuth2 the worst solution possible in terms of privacy.

In the search for a better method, both Andy Burns & Frank Slootweg
independently suggested that Google hasn't yet deprecated "app passwords".

However, app passwords _requires_ permanent 2FA/2SV/MFA/MSV to be set up.
While that increases security, it vastly decreases privacy.

The reason 2FA/2SV/MFA/MSV destroys your privacy is that you need a "second
something", which is where the decision needs to be made what that will be.

The question to be answered is what is the least privacy-destroying second
something out there?

Andy Burns has suggested it "might" be Google Voice on an iPad.

I will explore that avenue since the iPad does NOT create a separate Google
Account when you log into a Google application (such as GMail or GV apps).

Before I go that route, does anyone here have a suggestion for the least
privacy destroying second something for 2FA/2SV/MFA/MSV for app passwords?
--
Often on Usenet you can find kind-hearted purposefully helpful people who
know a lot more about what you're trying to do than you ever will know.

Andy Burnelli
Jul 23, 2022, 1:51:50 AM
Andy Burnelli wrote:

> Before I go that route, does anyone here have a suggestion for the least
> privacy destroying second something for 2FA/2SV/MFA/MSV for app passwords?

Hi Andy Burns,
You're a genius!

You just solved all the problems Google created on May 30th, 2022!

1. I deleted my K-9 mail app (because it wouldn't re-authorize even
after I updated it to version 6.201 which has the new OAuth2 code).

2. I re-installed that K-9 Mail app and then let it authorize a
Google email account (without having a Google Account on the phone!)

3. That worked!
And it did NOT create a Google Account on the phone!

How the heck did you know that would work given there's _nothing_ I can
find in the high level 6-line release notes that says that the OAuth2
is now being done via web authorization (versus account authorization)?

Here are the related screenshots:
<https://i.postimg.cc/15XPh8nc/k9mail01.jpg> K-9 Mail with OAuth2 6.200
<https://i.postimg.cc/rpWC5zxw/k9mail02.jpg> GPS vs F-Droid K-9 update
<https://i.postimg.cc/Y2XDxnhG/k9mail03.jpg> K-9 Mail version 6.201
<https://i.postimg.cc/5NqnKf9t/k9mail04.jpg> OAuth2 finally uses the web
<https://i.postimg.cc/W4Knq385/k9mail05.jpg> NO Google Account on Android!
--
I'm going to guess that the Thunderbird team paid for the security audit
that the Fair Mail developer said was necessary to authorize OAuth2 over
the web.