[kwlug-disc] Google with TOTP

Chris Irwin chris at chrisirwin.ca
Tue Jun 14 17:12:10 EDT 2022


On Tue, Jun 14, 2022, at 20:03, Khalid Baheyeldin wrote:
> 
>> My google account has the following second factors configured:
>> 
>> * Multiple physical security keys (on me, safe backup)
>> * TOTP (which, upon review, maybe I'll disable. I don't it)
> 
> Now that I think about it, I don't recall how TOTP would work with server applications like getmail. 
> Would one generate an app password and use it? When does it expire, if at all?

All second factors work identically in Google's auth flow. There are basically just two ways to authenticate with Google:

First, OAUTH2 (with optional second factor). You want an app or service to access your Google account: The app/service sends you to Google, where you log in with your username and password. If configured, Google challenges you for a second factor (whichever you configured). Google is also doing some heuristics to ensure you're not a bot, which they can do as they control the whole login flow now. You pass those checks, and Google gives your app/service a token granting specific access to your account. That token will probably expire (but can be renewed or revoked). That token may be scope limited (i.e. just email, just calendar, email + calendar, etc). The scope was defined when the app requesting access was registered. Normally users don't need to do this, but you're familiar with this process as you did it yourself a few emails ago.

When accessing Google services, the token is used instead of repeatedly passing usernames and passwords. The key here is that the app/service you're using never sees your password. It sends you to Google for authentication, and Google sends it a token. Whatever requirements Google requires for authentication don't matter, because the app/service doesn't do *any* of them.

Second is plain passwords, as is traditional with most mail clients, etc. Google doesn't allow you to do this with your account password anymore, honestly for good reason. But you can still do it with an app password, which is an acceptable compromise. You give a username and password to the app/service you're using, and the app/service stores that somewhere. If this was your account password, it's the keys to the castle you've given out. If it is just an app password, it can be scope limited and revoked, and can't be used to access other portions of your account (i.e., account settings).

Long story short: It doesn't matter which 2FA method (or none) you're using with Google, because you log into Google directly and getmail gets a token regardless of how Google authenticated you.

> 
>> * Backup Codes (PDF in my encrypted safe storage)
>> * Android prompt (which requires me to unlock my device)
> 
> That last one is inconvenient, since it also requires that your Android device have internet access.
> I am in the minority here, since I don't have mobile data anymore. 

Yep, it's the most annoying option to be honest. I use my security key instead, as it is far more convenient.

FWIW, you probably wouldn't be logging in to Google unless you were in a place where you had a computer and/or data, though. If you're disconnected and out for a walk, you probably don't need to authorize any logins :)

-- 
*Chris Irwin*

email:   chris at chrisirwin.ca
  web: https://chrisirwin.ca
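An added illustration of the two paths the post describes, written for this page and not taken from the post or from getmail: how a mail client presents an OAuth2 bearer token (SASL XOAUTH2, which Google's IMAP supports) versus an app password (plain LOGIN). The token values, scope string and the FakeIMAP recorder are constructed so it runs offline.

```python
import time
from dataclasses import dataclass


@dataclass
class OAuthToken:
    """What the OAuth2 flow hands the app: a scoped, expiring access token."""
    access_token: str
    refresh_token: str   # used to renew without another interactive login
    scope: str           # constructed, e.g. "https://mail.google.com/"
    expires_at: float    # unix timestamp


def xoauth2_response(user: str, access_token: str) -> bytes:
    # SASL XOAUTH2 initial client response (Google's documented format):
    #   "user=" <user> ^A "auth=Bearer " <token> ^A ^A
    # imaplib.authenticate() base64-encodes whatever the callback returns.
    # Note there is no password anywhere in here: only the bearer token.
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()


def token_is_fresh(tok: OAuthToken, now=None, skew: int = 60) -> bool:
    """Access tokens expire; refresh them ahead of time using the refresh token."""
    now = time.time() if now is None else now
    return tok.expires_at - skew > now


def imap_auth(conn, user: str, cred) -> str:
    """Authenticate `conn` (an imaplib.IMAP4_SSL or a test double) with either
    an OAuthToken or an app-password string. Returns the command used."""
    if isinstance(cred, OAuthToken):
        if not token_is_fresh(cred):
            raise RuntimeError("access token expired; refresh it before connecting")
        conn.authenticate("XOAUTH2", lambda _challenge: xoauth2_response(user, cred.access_token))
        return "AUTHENTICATE XOAUTH2"
    # App password path: the server does see a password, but a revocable,
    # mail-only one rather than the account password.
    conn.login(user, cred)
    return "LOGIN"


class FakeIMAP:
    """Constructed stand-in for imaplib.IMAP4_SSL that records what it was asked to do."""
    def __init__(self):
        self.calls = []

    def authenticate(self, mechanism, authobject):
        self.calls.append((mechanism, authobject(None)))

    def login(self, user, password):
        self.calls.append(("LOGIN", (user, password)))
```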