MBOX-Line: From blong at google.com Fri Sep 26 09:09:58 2014
To: imap-protocol@u.washington.edu
From: Brandon Long <blong@google.com>
Date: Fri Jun 8 12:34:53 2018
Subject: [Imap-protocol] Seeking clarity on Gmail "Access for less
 secure apps" setting for non XOAuth2 access
In-Reply-To: <54255E59.6040104@earthlink.net>
References: <5400A146.4020602@mozilla.com>
 <CABa8R6se2WefF4q-cFzR2qtU_5_jDL-wioPF+jPmOTdpCaJhtw@mail.gmail.com>
 <54255E59.6040104@earthlink.net>
Message-ID: <CABa8R6uZaZCA+2Bb3qtyJw69xOb0WvdZ3mPRO_EFDTONiwbhiw@mail.gmail.com>

Anything that uses the user's password is generally considered 'less
secure'.

Basically, with the high prevalence of password reuse and
compromise/exfiltration/phishing/malware/etc., passwords are no longer a
sufficient method of proving account ownership. On the web, with a Turing
machine available to us and a number of signals and the fact that the user
is actually sitting physically in front of a computer, we can mostly ensure
auth, but for IMAP which may be from a service or proxy and the prevalence
of smart phones which both travel and are often NAT'd across the country,
things are much more complicated.

So, yes, please use xoauth2 or the oauth-bearer when it's available (we're
just waiting on the RFC to be published at this point).

And as good a time as any to remind folks that xoauth has been deprecated
for a while now and will cease to work next year. Migrate your users now.

XOAuth2 should be supported as long as oauth-bearer since it has only
minor differences, being based on an earlier draft; the tokens are all the
same.

Brandon
On Sep 26, 2014 5:36 AM, "Rick Sanders" <rfs9999@earthlink.net> wrote:

> Hi,
>
> With Gmail is XOAUTH2 the only login method that is not considered "less
> secure"?
>
> For some reason I got the impression that AUTHENTICATE PLAIN was not
> considered "less secure".
>
> Thanks
> -Rick
>
>
> --
> Rick Sanders
> rfs9999@earthlink.net
> IMAP Tools http://www.athensfbc.com/imap-tools
>
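
Added example, not part of the original message and not Gmail's code: the SASL initial responses for AUTHENTICATE PLAIN, XOAUTH2 and OAUTHBEARER built side by side and decoded again, showing that PLAIN puts the account password on the wire while the two OAuth mechanisms carry the same bearer token in slightly different framing. The user, password, token, host and port are constructed sample values, and the OAUTHBEARER layout assumes RFC 7628 as later published.

```python
import base64

# Constructed sample values, not real credentials.
USER, PASSWORD, TOKEN = "user@example.com", "hunter2-constructed", "ya29.constructed-token"

def _b64(text):
    return base64.b64encode(text.encode()).decode()

def sasl_plain(user, password):
    # RFC 4616: [authzid] NUL authcid NUL passwd. The reusable password itself is sent.
    return _b64(f"\0{user}\0{password}")

def sasl_xoauth2(user, token):
    # XOAUTH2 framing: key=value fields separated by Ctrl-A (0x01).
    return _b64(f"user={user}\x01auth=Bearer {token}\x01\x01")

def sasl_oauthbearer(user, token, host, port):
    # RFC 7628: a GS2 header carries the user; host and port are extra fields.
    return _b64(f"n,a={user},\x01host={host}\x01port={port}\x01auth=Bearer {token}\x01\x01")

def parse_initial_response(mechanism, response_b64):
    """Decode a client initial response and report which secret it carries."""
    raw = base64.b64decode(response_b64).decode()
    if mechanism == "PLAIN":
        _authzid, user, password = raw.split("\0")
        return {"user": user, "secret_kind": "password", "secret": password}
    if mechanism not in ("XOAUTH2", "OAUTHBEARER"):
        raise ValueError(f"unsupported mechanism: {mechanism}")
    fields = [f for f in raw.split("\x01") if f]
    if mechanism == "OAUTHBEARER":
        # "n,a=<user>," -> <user> (assumes no escaped commas in the user name)
        user = fields.pop(0).split(",")[1][2:]
    kv = dict(f.split("=", 1) for f in fields)
    if mechanism == "XOAUTH2":
        user = kv["user"]
    scheme, token = kv["auth"].split(" ", 1)
    if scheme != "Bearer":
        raise ValueError(f"unexpected auth scheme: {scheme}")
    return {"user": user, "secret_kind": "bearer-token", "secret": token}

if __name__ == "__main__":
    samples = [
        ("PLAIN", sasl_plain(USER, PASSWORD)),
        ("XOAUTH2", sasl_xoauth2(USER, TOKEN)),
        ("OAUTHBEARER", sasl_oauthbearer(USER, TOKEN, "imap.example.com", 993)),
    ]
    for mech, resp in samples:
        print(mech, parse_initial_response(mech, resp))
```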