[kwlug-disc] Google with TOTP

Chris Irwin chris at chrisirwin.ca
Tue Jun 14 17:28:07 EDT 2022


On Tue, Jun 14, 2022, at 21:13, Khalid Baheyeldin wrote:
> I am not sure if app passwords expire and need to be renewed every now and then.

They do not.

> If they don't then what is the benefit of app passwords over the previous scheme of using your own Gmail password?

App passwords are scope limited -- If somebody gets an app password (i.e., steals your $device, or hacks $service), they can't change your account password, or log into the gmail web interface to start adding forwarding rules. They can't go to the google store and buy a phone shipped to their PO box. etc.

You use a different app password on each device -- if you lose your $device, you revoke that app password. Your $device can no longer access your account. If you used an account password, you would have to change your account password, then *also* update every other device to change the saved password.

Basically, an account password gives you a lot of power, and it's somewhat bad to have that power laying around in unencrypted thunderbird configurations on unencrypted windows xp laptops (to use a silly example that very probably actually exists). You or I may be able to take proper precautions, but most users don't know enough. Now Google controls the only default login flow and can apply their security heuristics to try and protect users.

And for those still wanting password access for IMAP, that works too -- but you had to do a special step to do that, which hopefully means you know a bit more about what you're doing. Google happens to lock app passwords behind the requirement of having some/any form of 2fa, which is an unfortunate barrier (but honestly, anything to increase 2fa usage is a worthwhile step in my books).

Now, I do have problems with the (un?)intended side effects of OAUTH2, but from a security standpoint, this all makes good sense.

-- 
*Chris Irwin*

email:   chris at chrisirwin.ca
  web: https://chrisirwin.ca
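An added illustration (not from Chris's mail) of the credential model he describes: each device gets its own app password, stored only as a hash, usable for mail access but not for account-level actions, and revocable on its own, while the account password alone can change settings. The Account class, the scope names and the constructed sample secrets are assumptions made for this demo.

```python
import hashlib
import hmac
import secrets

# What an app password is allowed to do versus what only the account password may do
MAIL_SCOPES = {"imap", "smtp"}
ACCOUNT_ONLY = {"change_password", "add_forwarding_rule", "store_purchase"}


class Account:
    def __init__(self, account_password: str):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(account_password)
        self._app_passwords: dict[str, bytes] = {}  # device name -> hash of its app password

    def _hash(self, secret: str) -> bytes:
        # Only a slow hash is stored, never the secret itself
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), self._salt, 100_000)

    def issue_app_password(self, device: str) -> str:
        # 16 random lowercase letters, shown to the user once; a lost device
        # is handled by revoking just this entry
        token = "".join(secrets.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(16))
        self._app_passwords[device] = self._hash(token)
        return token

    def revoke_app_password(self, device: str) -> None:
        self._app_passwords.pop(device, None)

    def authorize(self, secret: str, action: str) -> bool:
        """Return True if `secret` is a valid credential permitted to perform `action`."""
        digest = self._hash(secret)
        if hmac.compare_digest(digest, self._pw_hash):
            return action in MAIL_SCOPES | ACCOUNT_ONLY   # full account power
        for device_hash in self._app_passwords.values():
            if hmac.compare_digest(digest, device_hash):
                return action in MAIL_SCOPES              # mail only, never settings
        return False


if __name__ == "__main__":
    acct = Account("correct horse battery staple")      # constructed sample
    laptop = acct.issue_app_password("laptop")
    print("laptop IMAP:", acct.authorize(laptop, "imap"))
    print("laptop forwarding rule:", acct.authorize(laptop, "add_forwarding_rule"))
    acct.revoke_app_password("laptop")
    print("laptop IMAP after revoke:", acct.authorize(laptop, "imap"))
```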