What OTP settings do you use to log a 3rd-party Android MUA into Google email?

Discussion:

(too old to reply)

Andy Burnelli

2022-06-24 19:21:15 UTC

What OTP settings do you use to log a 3rd-party Android MUA into Google
email (if you don't use OAuth2 and if you don't have a Google Account)?

If you use 2SV/2FA/MSV/MFA OTP apps, what do you put for OTP settings to
log into Google email using a 3rd-party MUA (if you don't use OAuth2)?
<Loading Image...

> Flocke free andOTP settings
<Loading Image...

> Red Hat freeOTP settings

What "Flocke free andOTP settings" do you use for 3rd-party MUAs?
1. Type = TOTP (available are TOTP, HOTP, MOTP & STEAM)
2. Issuer = <blank> (editable)
3. Label = <blank> (editable)
4. Secret = <blank> (editable)
5. Tags = <blank> (editable)
6. Period 30 (editable)
7. Digits = 6 (editable)
*andOTP* Android OTP Authenticator by Jakob Nixdorf
no cost, no ads, no gsf, rated 4.3, 100K+ installs
<https://play.google.com/store/apps/details?id=org.shadowice.flocke.andotp>

What "Red Hat freeOTP settings" do you use for 3rd-party MUAs?
A. Email = <blank> (editable)
B. 28c5e061fcbd49a7 = (16-hex characters, editable)
C. Secret = <Base32> (editable)
D. Type = TOTP (available are TOTP & HOTP)
E. Digits = 6 (available are 6 & 8)
F. Algorithm = SHA1 (available are MD5, SHA1, SHA256 & SHA512)
G. Interval = 30 (editable)
*FreeOTP Authenticator* by Red Hat
no cost, no ads, no gsf, rated 3.7, 1M+ installs
<https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp>

--
On Usenet you can often find people who know a lot more than you do.

Andy Burnelli

2022-06-25 11:15:07 UTC

Permalink

Post by Andy Burnelli
What OTP settings do you use to log a 3rd-party Android MUA into Google
email (if you don't use OAuth2 and if you don't have a Google Account)?

It's interesting how almost all the references gloss over the QR code
which most of the OTP Android apps seem to want to use for initial setup.
<https://play.google.com/store/apps/details?id=org.shadowice.flocke.andotp>
<https://play.google.com/store/apps/details?id=org.fedorahosted.freeotp>
<https://play.google.com/store/apps/details?id=com.sophos.sophtoken>
<https://play.google.com/store/apps/details?id=com.protectimus.android>
<https://play.google.com/store/apps/details?id=com.authy.authy>
<https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2>
etc.

Hence I'm still not sure what settings to use for 2FA/2SV/MFA/MSV in the
andOTP or freeOTP temporary one-time-password apps on the Android device.

Given there are extremly painful irreversible gotchas involved (e.g., Apple
has been sued for NEVER letting you ever turn off 2FV once you turn it
on!), it behooves me to line up the 2FA/2SV/MFA/MSV ducks ahead of time.

Especially since I don't even _want_ the inevitable and unrecoverable
privacy loss that is a direct result of using 2FA/2SV/MFA/MSV in the first
place (e.g., you lose a lot of privacy as you gain a bit of security).

Google references are almost worthless in this regard, as they gloss over
the important setup options (as far as I can tell so far from searching).

For example, this Google reference only covers Apple Mail & Outlook but not
any of the common 3rd-party Android MUAs such as K9-mail or FairMail.
*Set up Gmail with a third-party email client*
<https://support.google.com/a/answer/9003945>

Luckily this covers the T-OTP apps, where apparently you get the QR code
from Google (AFAICT) when you turn the 2FA/2SV/MFA/MSV on in your account.
*How to set up Gmail two-factor authentication (2FA) on your phone*
<https://www.tomsguide.com/news/gmail-set-up-2fa-mobile>

As does this, but like that above, it's too general for direct use.
*What is two-factor authentication and why should you use it?*
<https://www.androidauthority.com/what-is-two-factor-authentication-3092042/>

In summary, it looks like I'll have to turn 2FA/2SV/MFA/MSV on first before
it's clear what the steps are, but bear in mind that if you turn on Apple's
2FA/2SV/MFA/MSV, then you're forever dead as Apple will _never_ allow you
to turn it off (which is why I'm being cautious here by asking others).

--
Sometimes you can find helpful people on Usenet who know more than you do.

Andy Burnelli

2022-06-27 19:33:25 UTC

Permalink

Google explicitly says app passwords are disappearing.

No, they say "insecure apps" are disappearing, "app passwords" are staying.
Notice here, the red warning about less secure apps, yet they still link to app
passwords
<https://support.google.com/accounts/answer/6010255?hl=en>
Or here, where they describe how to enable 2SV if you want to create an app
password, with not a mention that they might be going away anytime soon
<https://support.google.com/accounts/answer/185833?hl=en>
I have no idea how many Google arses you have to lick to become a Diamond or
Platinum Product Expert, but maybe you'll believe them if you don't believe me?
<https://support.google.com/accounts/thread/161738917?hl=en>

The problem I have with those apps is you have to have _already_ set up
your email account as 2FA/2SV/MSA/MSV in order to get them to do anything:
<https://i.postimg.cc/VN5y8vt9/otp01.jpg> Flocke free andOTP settings
<https://i.postimg.cc/rFC2Gvc4/otp02.jpg> Red Hat freeOTP settings

The problem I have with setting up 2FA/2SV/MSA/MSV is that I've never set
it up and yet I'm trying to understand how it works _before_ I set it up.

One "issue" I have (mostly it's a fear) is that I won't be able to access
email via Thunderbird/OAUth2 once I set up 2FA/2SV/MSA/MSV since you set it
up by account, and not by MUA, right?

So, if I do set up 2FA/2SV/MSA/MSV for my Google mail account, how does
that Google mail account know to use OAuth2 for Windows Thunderbird but,
oh, say, app passwords for K9 mail?

--
BTW, I thank you for suggesting I use Google Voice on the iPad as my
verification number since on the iPad, Google does _not_ create an account
(whereas if you log into Google Voice on Android, Google _does_ create an
account on Android).