Google 2-step verification turned on, thunderbird ignores?

User Help for Mozilla Thunderbird
Post Reply
periodic
Posts: 178
Joined: October 13th, 2006, 10:13 pm

Google 2-step verification turned on, thunderbird ignores?

Post by periodic »

I just turned on google 2-step verification with an older gmail account. Thunderbird already had an account set up for that gmail account. I have not seen a prompt to confirm 2-step verification from thunderbird. Is it because the existing single auth is still in place? Would 2-step verification kick in if I unchecked "save password" for this thunderbird account?
User avatar
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: Google 2-step verification turned on, thunderbird ignore

Post by tanstaafl »

Thunderbrid has no support for entering the security code used by gmail 2 step authentication. Instead you have to goto a google webpage and tell it to create a "app" password for Thunderbird, which you need to use instead of the real gmail account password. See https://support.google.com/accounts/ans ... &ctx=topic

After you generate the app specific password you need to delete the saved password in Thunderbird, exit and restart. When prompted for the password enter the app specific password.

The main reason for 2 step verification is if you feel you need to use it to secure your smartphone. Its pretty worthless if you only use gmail with Thunderbird.

http://kb.mozillazine.org/Using_Gmail_w ... illa_Suite
periodic
Posts: 178
Joined: October 13th, 2006, 10:13 pm

Re: Google 2-step verification turned on, thunderbird ignore

Post by periodic »

I use gmail with cell, thunderbird, and by using the gmail ui in a browser. The 2sv kicks in when I try to use my gmail account from a 'new' browser, and that seems pretty important.
What I don't understand is why thunderbird is still able to tap into the 2sv-secured account. It should be that any access to the account needs the two steps, but it doesn't seem to. The fact that thunderbird needs to use 2sv via "app" password (thanks for that, had not heard of that) ought to mean gmail is not willing to hand off the emails. I mean, according to my uninformed perspective.
Part of my question is, would thunderbird fail to auth if I'd not already saved the password?
User avatar
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: Google 2-step verification turned on, thunderbird ignore

Post by tanstaafl »

Your description seems inconsistent unless you configured your old browser and your cellphone to use a security key

https://support.google.com/accounts/top ... ic=3382253

"Part of my question is, would thunderbird fail to auth if I'd not already saved the password?"
From Thunderbird's perspective there is no such thing as a "app password", there are just passwords. So its really a question of updating what password the password manager uses. I temporarily forgot that you can edit it nowadays, I'm so used to having to delete it, exit TB (since the deleted password is still in memory), and restart.
periodic
Posts: 178
Joined: October 13th, 2006, 10:13 pm

Re: Google 2-step verification turned on, thunderbird ignore

Post by periodic »

Hmm, I'm more confused now than at the start. 2sv is supposed to confirm a sign on attempt from a 'new' device via cell. I'm not sure what's inconsistent. I used Edge to sign in to my gmail account for the first time; I had to verify via msg on my cell before Edge was allowed access to the emails. AFAIK that's what the 2sv experience is expected to be. With thunderbird, it's another device asking to view the gmail account details. I am not sure why it has not blinked an eye since 2sv was enforced.
User avatar
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: Google 2-step verification turned on, thunderbird ignore

Post by tanstaafl »

"2sv is supposed to confirm a sign on attempt from a 'new' device via cell."

No, that is just the most well known method. See https://support.google.com/accounts/top ... ic=3382253

There is also: "If you don’t want to enter a 2-Step Verification code or use your Security Key every time you sign in to your Google Account, you can mark your computer or mobile device as trusted. With trusted computers and devices, you don’t need to enter a verification code each time you sign in." See https://support.google.com/accounts/ans ... ic=7189195

If you tell Google your PC is trusted I suspect you need to provide the normal gmail password in that case. What I don't understand is why that isn't promoted (by anybody other than Google, who would prefer you to use their software instead) as a better solution for somebody using a PC at home than creating an app password.
periodic
Posts: 178
Joined: October 13th, 2006, 10:13 pm

Re: Google 2-step verification turned on, thunderbird ignore

Post by periodic »

I see I've been conflating things; probably still don't have it completely clear.

For one thing, is there a difference between 2-step verification and 2 factor authentication? I thought yes; I'm thinking 'not really' at this point. I thought of 2FA as being equal to my minimal exposure to google authenticator. My only exposure to google authenticator is with an org that is pretty security conscious, and to whom I'm an external developer. Every time I need to connect to their network (via vpn) or their aws account, I must use google authenticator to verify my identity. I thought 2FA = verify at each request to access the resource (network, gmail etc). But after poking around a bit, it seems that this is just how that org has configured access to the network and aws. Probably a policy they have in place disallows "allow user to trust the device" for at least externals like myself. Within my original concept, "2FA" (conflated with using google authenticator for each network access) was a stronger form of authentication than what I thought of as the simpler "2sv" which allowed one to trust a device once and then forget about it.

Then, *possibly* the reason thunderbird didn't squawk when I enabled 2sv for gmail is that for that personal gmail account, devices can be trusted, and my pc was already trusted (not sure when I did that but it's listed, so is my mobile phone). For enterprise gsuite, "allow user to trust the device" is a security policy option.

So my revised view is much nearer to what you've been saying, that 2sv has several methods of verifying, but each method is a peer in the most important way, that each is the method for confirming access via 2sv.

This is far from a pure thunderbird topic. tanstaafl I really appreciate that you've helped me get a somewhat clearer perspective on the issues.
periodic
Posts: 178
Joined: October 13th, 2006, 10:13 pm

Re: Google 2-step verification turned on, thunderbird ignore

Post by periodic »

if anyone cares to correct or confirm what I wrote above that would be great, as my conclusions still feel a bit tenuous.
User avatar
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: Google 2-step verification turned on, thunderbird ignore

Post by tanstaafl »

Two factor authentication (2FA) is the generic term for security based on something you know plus something you have. There are many different ways to implement it. Typically its a password (something you know) plus some device (something you have). The device might be a FIDO U2F key plugged into a USB port that you have to press a button on, a code sent via SMS to your smartphone (for example Google Authenticator), a biometric scanner (fingerprint, retinal or face) ......

Google's two step verification is their most widely used implementation of two factor authentication. The difference in name is just marketing. If you designate a PC as trusted that counts as something you have (because they can identify if you are using a different PC) . All of the different ways to use "something you have" are peers, some are just more convenient/easier to use/more secure.

Google also offers a "Advanced Protection Program" that is stronger than two step verification. "In addition to a password to sign in to your Google Account, it requires you to use either a physical security key, the security key built into your Android 7.0+ phone, or your iPhone running iOS 10.0+ with the free Google Smart Lock app installed." That is basically restricting your choices on "what you have" for very security-conscious users that are worried about the possibility of being tricked by a sophisticated phishing attack. Again, its just another 2FA implementation.
periodic
Posts: 178
Joined: October 13th, 2006, 10:13 pm

Re: Google 2-step verification turned on, thunderbird ignore

Post by periodic »

Thanks for that, it really helps.
I've spent a lot more time now experimenting with turning on 2sv for both common gmail accounts and gsuite accounts. There remains an aspect of the interaction with thunderbird that I do not understand.

Case 1 - on a pc that has the gsuite account configured before 2sv is enabled for the account, I never get a request to verify via 2sv. On that pc, if I try to access the account using firefox, I do see the 2sv prompts (but don't verify). But thuderbird never invokes 2sv. I even removed the account from tbird, including all data, rebooted, added the account back in, and the data streams right in there, no 2sv.
Case 2 - the good part - on a vm that has never had thunderbird installed, or browser access to the 2sv secured account, installing tbird and adding the account does invoke the complete 2sv process.

Thankfully Case 2 is the important instance because it means anyone with my username and password can't just add those to a browser OR an email client like thunderbird and have access. Case 1 seems like a weakness -somewhere-, because 2sv is never invoked if accessing the account using thunderbird. I'm not sure if the weakness is with thunderbird, windows, or google's 2sv process.
User avatar
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: Google 2-step verification turned on, thunderbird ignore

Post by tanstaafl »

"But thuderbird never invokes 2sv."

Thunderbird (and all non-Google mail apps) have no concept of 2sv.
periodic
Posts: 178
Joined: October 13th, 2006, 10:13 pm

Re: Google 2-step verification turned on, thunderbird ignore

Post by periodic »

ok, but there does seem to be an issue? Something has cached permissions to access the data in the 2sv secured account, even though the account was granted access in thunderbird before 2sv was turned on. Again, if I try to access to secured account with firefox and the gmail ui, it does want to go through the 2sv process (which I canceled out of for this test). However the thunderbird/google combination will permit the re-addition of the account after deletion without invoking 2sv. It has to be a weakness. In firefox, the account had been accessed in the past (though not sure how long ago) but it still invoked 2sv. In thunderbird, 2sv never came into play.
User avatar
tanstaafl
Moderator
Posts: 49647
Joined: July 30th, 2003, 5:06 pm

Re: Google 2-step verification turned on, thunderbird ignore

Post by tanstaafl »

1) If you created an app password for your Thunderbird gmail account you're not using 2FA with it. You're just not creating an obstacle.

2) If you used the normal gmail password or a OAuth2 token and configured gmail to trust that PC you're using 2FA. Its just less obvious than if you got google authenticator involved etc. If you did that I'm still confused how you managed to enter the verification code because supposedly only after you enter it can you select "Don't ask again on this computer".

Which scenario are you (1 or 2)?

In both cases I don't see any reason why you can't delete and re-add the account in Thunderbird as many times as you want. What was the "something you have" you used with Firefox? A code, a security key, configuring it to trust that PC ...?
periodic
Posts: 178
Joined: October 13th, 2006, 10:13 pm

Re: Google 2-step verification turned on, thunderbird ignore

Post by periodic »

I have never created an app password, so not #1.

With thunderbird I created the account using the normal gmail password, but I did not configure to trust the pc. That's exactly what I'm questioning here. On the pc that used to have pre-2sv access to the account in thunderbird, even after removing the account and adding it back to thunderbird, after 2sv was turned on gmail happily passed me the full content of the account without prompt on cell or any of that. The data arrived just as if 2sv was off for the account. However, on the same pc, when I tried to use firefox to access the account, 2sv did manifest, even though I deliberately canceled out of that. So not #2 either.

On a fresh pc, thunderbird's request to google for the account data did invoke the 2sv dance, which was a major relief. So effectively the account is secured by 2sv on any pc other than a pc that I used thunderbird to access the account pre-2sv. IOW it is in play in the scenarios I'd want it to be, just seems to fall down if there is some kind of existing pre-2sv token on the pc that permits thunderbird (but not firefox) to gain access to the account data without confirming via google prompt on cell.
Post Reply