Important Gmail-Oauth2 news

Update: For the latest information and alternatives to using 2FA, refer to this post

As of April 23, 2025, Gmail accounts accessed in POP Peeper will require you to use an app password instead of Oauth2. It is strongly recommended that you switch to app passwords as soon as possible (and before April 23); you can do this with your current version of POP Peeper. If your Google account already has two-factor authentication (2FA) enabled, creating an app password is a very simple process; otherwise, you will need to set up 2FA, which may take an extra 2-15 minutes. Google will make it seem like you must provide your phone number, but this is not mandatory, as the guide will explain. The Esumsoft guide for setting up 2FA and app passwords is provided here:
https://www.esumsoft.com/pop-peeper/faq/?q=GmailAppPw

Please note: app-passwords and 2FA are not directly related. Enabling 2FA on your account does not mean that you will need to authenticate POP Peeper’s connection to your email. The app-password is a substitute for 2FA.

POP Peeper v5.6, which will be released soon, has updates related to these changes (such as removing Oauth2 as an option for Gmail and providing in-app links to help guide you through creating app passwords). POP Peeper v5.6 will be able to use Oauth2 for your existing Gmail accounts, and these will continue to work until the deadline or until an account requires you to re-authenticate. New accounts added into POP Peeper will require you to use an app password.

To determine if your POP Peeper account is using Oauth2 or a password:
v5.5 or older: edit the account in POP Peeper; the dropdown to the right of your “Login name” will either be “Oauth2” or “Password”. You need to switch to “Password” if it’s currently “Oauth2”.
v5.6 or newer: edit the account in POP Peeper; if you see a disabled control that says “Password” to the right of your “Login name”, this means that Oauth2 is still being used and you need to update your password (if there’s an existing password, it could be your main password, which Gmail no longer accepts, so you may still need to create a new app-password and use it to replace your existing password in POP Peeper). The disabled “Password” control will be removed after you save a password. The following image shows a case where Oauth2 is still being used because the “Password” dropdown is visible but disabled:

POP Peeper v5.6 – Oauth2 still in use
POP Peeper v5.6 – Password being used (no disabled “password” above “confirm”)

Why is this necessary?

POP Peeper first introduced Oauth2 support in v4.2 (June 20, 2016). Oauth2 is considered more secure for various reasons, such as the email client not needing to store your password. Over the last few years, Google started requiring a CASA review (“Cloud App Security Assessment”) for certain activities that used Oauth2, including access to Gmail. This review was first required for POP Peeper in 2024; it was an extremely stressful and time-consuming process, but POP Peeper passed the assessment and this is why Oauth2 was still available. This was mentioned in the POP Peeper v5.5 release announcement.

The need for the CASA review came around again this year, but this time Google required the use of third-party assessors, which had fees of over $700 USD; this is a reduced rate from several thousands of dollars because of a partnership with Google. Based on the experience so far, it is reasonable to believe that the reduced rate will only be available for a limited time and will not be offered for future required assessments. The vast majority of people running POP Peeper use it for free, and POP Peeper does not bring in enough money to absorb this fee on top of all the other expenditures (such as web hosting and code signing), especially considering that this is just one email service of thousands (albeit probably the most popular one).

This was not an easy decision to make, but it came down to the resources (time and money) involved with the CASA review, especially with the alternative of using app passwords. Using Oauth2 does not provide any special privileges; it is only used to log into your email account. Google could (and, in my opinion, should) allow email clients to use Oauth2 without requiring the CASA review for this very reason. Considering that there is an alternative method that allows the same level of access to your email, which Google claims is less secure, the necessity of the CASA review seems questionable, and that’s especially true for desktop apps like POP Peeper where your data goes directly between your computer and the server.

Recap

This only affects POP Peeper’s capability to log in using Oauth2 for Gmail. It does not affect other services that use Oauth2 (Outlook, Yahoo, AOL). You can still use POP Peeper to access Gmail by using an app password.

3 Comments

  1. Thank you for making this work for us. I do not know how I would survive without you and poppeeper.
    If I had a wish for you and your wizardry, I would wish for a poppeeper iOS app.
    I do not trust the mail on the iPhone for all my accounts. It would also be way too confusing. But I do wish I could see the poppeeper on my desktop from my phone…
    Thanks again for this amazing app.

  2. I’ve been using POP Peeper for a really really long time. It’s an invaluable tool and it’s always worked great. I’m pretty sure I donated at one time a long time ago and only recently finally purchased it. I felt guilty using such excellent software for free and I wanted to throw you my support. I really wish others would buy it as well. It’s very affordable and perhaps with the increased income you could get through this and all future hurdles like the CASA review. Whatever the case, thanks for being so clear about the switch to Google’s App Passwords. Thanks again for such a great application.
