Google removing "less secure" apps access on 30/10


Eduardo Mercovich

Aug 1, 2019, 1:49:38 PM
to mu-di...@googlegroups.com
Dear Mu4ers... :)

I'm sure many of us received this from Google: "[...] on October
30, 2019, we’ll begin removing the setting to “Enforce access to
less secure apps for all users” from the Google Admin console.
[...] Removing this setting will help keep your users’ accounts
secure, as access to less secure apps (LSAs) can inadvertently
make Google accounts vulnerable to hijackers."

This means that both offlineimap and mbsync/isync (oi/mbs) will
not work as they are in their default installations since Google
sees them as "less secure".

However, it seems we don't have to change our stable and beloved
setup. Maybe even some of you already have this working!

Google says in
https://support.google.com/accounts/answer/185833?hl=en

Sign in using App Passwords: An App Password is a 16-digit
passcode that gives a non-Google app or device permission to
access your Google Account. App Passwords can only be used with
accounts that have 2-Step Verification turned on.

And as noted in
https://ryanwhittingham.com/using-multiple-email-accounts-with-mu4e/:

First, we should set up an app password for Gmail.
This will let mbsync access your Gmail account without letting
all less secure apps access your Gmail account.

So it seems that it's possible to configure both daemons with a 2
step verification to make offlineimap and mbsync a non "less
secure" app, and -from a preliminary reading- it looks like it is
not complex:

+ set up 2 step authentication (2SA) in our google account (easy)
+ set up an app password and configure it in oi/mbs (easy).
+ use 2SA in oi/mbs (unknown complexity).

I will start looking and experimenting with this now, but before
touching much, has any of you tried this, or already done
it?

Always, and as in every case, thanks a lot for your attention and
help... :D

Best regards...

--
Eduardo Mercovich

Where your talents cross
with the needs of the world,
there lies your vocation.
(Anonymous)

Alberto Luaces

Aug 2, 2019, 4:46:13 AM
to mu-di...@googlegroups.com

Eduardo Mercovich writes:
> + use 2SA in oi/mbs (unknown complexity).

Is not the point of the app password not to have to use 2SA on those
applications? I expect that only the specific password is required.

Tamas Papp

Aug 2, 2019, 4:57:12 AM
to mu-di...@googlegroups.com
I have 2FA enabled and have been using mu4e with mbsync for a while now
with an app password, without any problems.
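
An added example, not part of the thread or of any poster's configuration: a minimal `~/.mbsyncrc` for Gmail that authenticates with an app password, with the plaintext `Pass` form shown commented out beside the `PassCmd` form that keeps the app password out of the config file. The address, the encrypted file path and the store and channel names are assumptions; `Far`/`Near` are the isync 1.4+ keywords (older releases use `Master`/`Slave`).

```conf
# ~/.mbsyncrc (constructed example; all names and paths are placeholders)

IMAPAccount gmail
Host imap.gmail.com
User user@example.com

# Weak: the app password sits in plaintext in the config file. Anyone who
# can read this file (backups, dotfile repos) gets mailbox access that is
# not gated by 2-Step Verification.
# Pass xxxxxxxxxxxxxxxx

# Better: fetch the app password at run time from a GPG-encrypted file.
# Assumes the file was created beforehand, e.g. by encrypting the app
# password to your own key, and that gpg-agent can unlock that key.
PassCmd "gpg --quiet --no-tty --decrypt ~/.mbsync-gmail.gpg"

# Implicit TLS on port 993; certificate checked against the system store.
SSLType IMAPS

IMAPStore gmail-remote
Account gmail

MaildirStore gmail-local
Path ~/Maildir/gmail/
Inbox ~/Maildir/gmail/INBOX
SubFolders Verbatim

Channel gmail
Far :gmail-remote:
Near :gmail-local:
Patterns *
Create Both
SyncState *
```

Keep the file readable only by its owner (`chmod 600 ~/.mbsyncrc`), and revoke the app password from the Google account page if the machine or the encrypted file is ever exposed.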

Eduardo Mercovich

Aug 3, 2019, 10:33:01 PM
to mu-di...@googlegroups.com
Hello Alberto.
I could not create an app-specific password without turning on 2SA
first.
After that, I could do it in seconds and successfully download
mail with mbsync.

Now I can't see where the less secure app toggle is, to remove
it...

Eduardo Mercovich

Aug 3, 2019, 11:14:21 PM
to mu-di...@googlegroups.com
Hello Tamas.

>> Is not the point of the app password not to have to use 2SA on
>> those applications? I expect that only the specific password is
>> required.

> I have 2FA enabled and have been using mu4e with mbsync for a
> while now with an app password, without any problems.

It looks like I'm on that too, thanks. :)

However, there is still something missing here... I can't seem to
find how to disable Less Secure Apps (LSA) access now (could it be
because 2SA is enabled?). And without trying that, we may find an
ugly surprise in October...

Eduardo Mercovich

Aug 6, 2019, 4:15:29 PM
to mu-di...@googlegroups.com
Dear all.

> I'm sure many of us received this from Google: "[...] on October
> 30, 2019, we’ll begin removing the setting to “Enforce access to
> less secure apps for all users” from the Google Admin console.
> [...] Removing this setting will help keep your users’ accounts
> secure, as access to less secure apps (LSAs) can inadvertently
> make Google accounts vulnerable to hijackers."

I'm afraid that having a specific app password will not save us
from this decision from Google.

I have a Google account in a paid managed domain of a startup.
They disabled less secure apps access and *I cannot even create an
app password* in "my account".

Please let's be sure that I'm wrong here or we'll have a quite
ugly surprise in a couple of months...