PP 5.6 and Google's new OATH2 Changes

[sunclad@sunclad.com]

Hi -

Just learned of the new Google requirements moving from OATH2 back to 3rd Party Passwords, and that PP will need that starting in April.

If I understand the instructions, 2FA (2-part verification) will need to be turned on. My past experience with this was that while you can use 2FA to set this up, when you turn off 2FA after you create the 3rd party password, the access to the 3rd party password is shut off.

I do not need 2FA and I am not always carrying my cell phone -- I don't need to. and of course this sets up issues for the minority of people that choose to not use a cell phone or may only use a landline that does not take text messages.

Am I to understand that you will need 2FA all the time in order to use Gmail with PP 5.6? Some clarification would be helpful.

I use PP (free) but only occasionally when on the road. If 2FA is needed to be on always that could be a deal killer for me, unfortunately.

Thanks

[mjs]

Take a look at this link: FAQ creating gmail app-passords.
Scrolling down the page just below the 3 instructive/edification steps at the top of the page you will see more delineated (button) steps. One of those steps is the "Setup 2-step verification" button. In this step you may find additional information that may be applicable to some of the concerns/questions you've expressed specific to the various options available to you as referenced in the "Step 4" of the "Setup 2-step verification" process (e.g., where "multiple ways of enabling 2-step verification" is mentioned - most specifically you may want to consider using an "Authenticator" app).

I have to say, on a personal note: I'm sympathetic to your concerns and frankly not at all happy with Gmail in regards to this new Gmail requirement for 3rd-party app usage (i.e., from the perspective of one of "the minority", who prefers "to not use a cell phone" and instead prefers to "use a landline that does not take text messages" just as you have mentioned).

[mjs]

Here is the esumsoft announcement on this topic that you might want to take a look at: Important announcement regarding Gmail and Oauth2.
That also discusses in more detail the approach Google has taken and in what ways this has impacted POP Peeper (part of which encompasses some of the issues you've mentioned) more specifically in the "Full announcement" that is included in the above esumsoft announcement that I've also linked below for your convenience.

Full announcement (posted: February 27, 2025): Important Gmail-Oauth2 news (covering additional information on this subject than has been previously posted in this forum topic, that may be of interest to you as well).

[sunclad@sunclad.com]

Thanks, but maybe I am missing something.

I also use Betterbird (clone of Thunderbird), Thunderbird, and a couple of others and NONE of those have issued a warning. All of those use OATH2 with Gmail. All of those are 3rd party.

The difference here seems to be that Gmail is singling out "less secure" apps, or better stated those they deem insecure - real or not.

I guess the question is why PP's use of OATH2 cannot be brought up to the same status as how Thunderbird does it. Given the installed user base of that program such a move by Google would be a really big deal.

I have several Gmail addresses for personal and business use. For me to use PP I'd be fielding several 2FA text messages just to use PP from what I am trying to understand.

So what then differs with PP's execution of OATH2 that differs from that of Thunderbird or similar.

Thanks

[mjs]

Please scroll down to read the "Why is this necessary?" part of the last "Full announcement" linked above your post for a better detailed understanding as to why POP Peeper has had to make the difficult decision to utilize app-passwords (which is why I thought to post it). The situation POP Peeper finds itself is in part due to the, as mentioned, limited "resources (time and money)" of POP Peeper in accordance with the exorbitant fees imposed by "3rd-party assessors" in order to perform annual "CASA review" assessments that have become necessary to provide "Oauth2" access to Gmail.

I'd recommend reading the entire "Why is this necessary?" (previously linked) explanation (to get the full details) in as much as the above only serves as a synopsis.

I personally find it to be quite regrettable that Google has chosen to take the path in the manner that they have (to be perfectly honest, I have to admit that I'm not at all a fan of Google or Gmail anyway ).

What has been said (in the previously linked "Full Announcement" post) pretty well covers it, however Jeff may have more to say about this over the next few days.

[sunclad@sunclad.com]

Thanks. This is quite the shame since I sometimes must check multiple Gmail accounts when away and I would use Pop Peeper for that, but under the 2FA needs and app password that would have my dell phone chirping continuously for each account if I were to check multiple accounts at the same time.

The current implementation of OATH2 seems to work fine within PP. In fact I just used it and re-authorized one fo the accounts at Gmail I sometimes check using PP.

Have you considered something like a crowd funding source or GoFundMe or similar to raise the money for the further tests? I suspect even your free version users might come up with something as this is a very useful tool.

Thanks again for your time.

[Jeff]

Thanks. This is quite the shame since I sometimes must check multiple Gmail accounts when away and I would use Pop Peeper for that, but under the 2FA needs and app password that would have my dell phone chirping continuously for each account if I were to check multiple accounts at the same time.

That's not how it works. You can use the app-password without having to 2FA it every time. In fact, the app-password has literally nothing to do with 2FA, it's just that Google decided to require 2FA in order to create an app-password.

I've updated the post to mention this.

If you haven't already looked into the guide, you should -- many people who have an Android phone will already have a 2FA method added for their main gmail account (the "google prompt" method).

[pop_pepper]

works like a charm, thanks

[Francis17]

Agree. Ggl 2FA is not used for your email client logging in to IMAP or sending through SMTP. It is used for logging in to your Ggl account for the first time from a new web client, and probably several more scenarios, such as setting up non-OAuth in your email client for the first time.

2FA does not need to ping a physical cellphone. Ggl can send an SMS text to whatever phone number, which could end up at a VOIP service, a text-to-email service, a Ggl Voice number, etc. Yes this means you would have to 'get email' or log in to a website in order to see the 2FA authentication code.

[Francis17]

Thank you so much Jeff for the clear instructions on how to de-OAuth a Ggl account! Either no one else has explained it this well, or Ggl has made it easier since the other year, or both.

[Jeff]

I don't think Google has made it easier, which is why I felt it necessary to create such detailed instructions.

If Google wanted to make it easier, I would just point people to 'https://myaccount.google.com/apppasswords' and that would be sufficient. But, as it is, if you don't have 2FA already enabled, that page will be a dead-end ("The setting you are looking for is not available for your account" -- with no further information).

They also hide the ability to create app-passwords in your account. It's at the bottom of Security / 2-step verification, but only if you have an existing app-password; if not, the only way to access it is to search their help for "app password" and click on a link.

Not to mention all the FUD along the way.

[Jeff]

Thought I would include the following information here as this has been the main Google/Oauth2 thread and I'd like to get anyone's opinion in case you're interested.

When I first wrote the guidebook, I tested each of the 2FA methods individually. I noticed that the PassKey method didn't allow you to enable 2FA (on its own), so I basically dismissed it as a viable option.

However, I've done more experimenting with it today, and -- while you still need to enable another 2FA method -- using a PassKey is actually pretty slick. The main advantage of it being that you don't even need to remember/access your individual gmail passwords; you just need to select the gmail account (if necessary) and then verify your identity with Windows Hello (in my case, I use a PIN, since my desktop doesn't have any biometrics) and that's it. And that advantage doesn't only apply to when you need to 2FA, the passkey can be used whenever you need to log into the account; e.g. if you signed out, cleared cookies, using a private window, etc.

Further, I initially created the passkey in a private window of Firefox. I just opened Edge and went to gmail.com, started typing my gmail address (and, fwiw, I'm 100% sure I've never accessed in Edge), and it knows about the saved passkey for that account -- so the passkey is valid cross-browser.


What do you guys think? Is this interesting to you? Will you try it out or have you already been using it?

[Jeff]

There's a new method to keep using Gmail/Oauth2:
viewtopic.php?t=8086

Please let me know what you think!

[Protocol]

There's a new method to keep using Gmail/Oauth2:
viewtopic.php?t=8086

Please let me know what you think!

Hi, Jeff.
I've been through the process, but when I try to enable Oauth2 in POP Peeper, I get the following error.

[Jeff]

This error is specifically mentioned in the guide (at the very bottom) -- it means you haven't added the email address to the "Test users" (steps 21-23)

[Protocol]

This error is specifically mentioned in the guide (at the very bottom) -- it means you haven't added the email address to the "Test users" (steps 21-23)

I actually did that step, but it seems that nothing happens when I click save.

[Jeff]

Here's some additional context:

[Jeff]

I think I noticed that too -- click "save" again and the window show go away and then it will be added.

[edit] yeah -- if you type the email address and then press "save" it only "validates" the email address you typed (so you could type another address if you wanted to); so you'd have to press "save" again to actually save it. If you type it, then press <enter> you'll see that it validates the email address (puts a gray circle around it) and then you can press "save" and it will take. If that makes sense...

[Protocol]

I pressed "Save" about 4 or 5 times, and it finally went through.

As mentioned in the other thread here, I have turned 2-Step Verification off in Google, and the App Password seems to be still working. So, I may even decide to stay with the App Password.

[Protocol]

It appears that we'll still need to enable 2-Step Verification with this new console method too.



Multi-factor authentication requirement for Google Cloud