When two-factor protects you just a little too much.
It’s no surprise, really, but most software (like your desktop email program) has no way to ask for or enter a second factor if your account is configured to require one.
If you use such a program, you’re not stuck. In addition to two-factor authentication, the industry has a pseudo-standard solution for just this scenario.
It’s called an application-specific password, or “app password”.
If your email program uses only username and password without the opportunity to use a required second factor, your email service may provide the ability to sign in using what’s called an app password. This password is generated by the service, can only be used by your email program, and bypasses the two-factor requirement.
Some programs just work
Before I show you how to create and use an app password, I need to point out that most popular programs are being updated to use slightly different authentication techniques that actually do allow two-factor authentication to work as advertised.
For example, if you run the Windows 10 or 11 Mail program and add a Google account to access your Google email, you’ll see the authentication dialog provided by Google, not the email program.
This “delegation” of the log-in step allows Google to ask you for your second factor.
In researching this article, I discovered Thunderbird also now does this, and I suspect that Microsoft Office’s Outlook will as well.
But that doesn’t help those of you clinging to Eudora, which is long out of support, or other email programs for which this approach is not an option.
For you, we need app passwords.
Generating an app password
I’ll use Google as my example, but many services that support two-factor authentication also support app passwords, including Microsoft.
Log in to your Google account online. I’ll assume Gmail as a common starting point. Click on your account icon, and then click on Manage your Google Account.
On the resulting page (not shown), click on Security in the left-hand column. On the following page, scroll down until you find App passwords. Click on that.
For security, you’ll be asked to confirm your password, after which you’ll be taken to a page listing any existing app passwords (you’ll likely have none at this point) and the ability to generate new ones.
The “Select app” and “Select device” dropdowns have some choices and an option for customization.
These items exist only to help you identify the app password you create in the future. I’ll choose “Other” and enter Eudora on my laptop.
Click on Generate.
You’ll be presented with the generated password.
Copy this password someplace safe. This is the only time it will be displayed. You can copy/paste it somewhere if you like, or write it down. As soon as you leave this page, you will not be able to see it again.
You now have an app password for your account.
Using an app password
Using an app password is surprisingly simple.
When configuring your email program, or any other program incapable of supporting two-factor authentication, use this password instead of your “real” account password. Two-factor will not be required.
That’s all there is to it.
How can this possibly be secure?
We have a password that, when used, bypasses two-factor authentication. That might seem to invalidate two-factor altogether, but it doesn’t. Your app password has several interesting characteristics that make it quite secure and useful without compromising your account.
You use it in one and only one place. In our example above, I could use this password only in the configuration of Eudora, and only on my laptop. If I want to configure a different program or one on a different device, I would generate a new app password for that purpose.
It can only be used for application login. You can’t log in online using this password by entering it at the normal web-based account log-in screen.
It’s long and complex. It’s not a password that can be guessed.
You don’t need to remember it. Once you configure your email program, there’s no need to remember the password or have it written or saved anywhere. Should you find you do need a password for some reason, you can always generate a new app password.
You can revoke it without affecting your other passwords. When you finally stop using Eudora and no longer need the app password you generated just for it, you can revoke and invalidate the password back at your Google account settings.
I expect some providers will subject logins using app passwords to even more scrutiny. For example, using your Eudora laptop app password to log in via a mobile phone could trigger additional account validation requests.
Adding app passwords ends up being a very secure way to use otherwise two-factor-incapable applications.
Revoking an app password
When you stop using the application for which you created a password, you can revoke and invalidate that password so it simply won’t work. You can also do this if you ever have any reason to believe that the password — despite all the attributes above — has somehow been compromised.
Return to the app-password-generation page we started with, which now lists your existing app password(s).
Click on the garbage can icon to the right of the password you wish to revoke, and it’ll be invalidated immediately.
This app password will no longer work.
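The characteristics listed under "How can this possibly be secure?" and the revocation step above can be modeled in a few lines. This is an added sketch, not Google's or any provider's actual implementation; the Account class, the channel names, the 16-letter password format and the use of PBKDF2 are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import string

WEB_LOGIN = "web"                          # interactive sign-in page
MAIL_PROTOCOLS = {"imap", "pop3", "smtp"}  # programs that cannot prompt for a code

class Account:
    """Hypothetical service-side record for an account with two-factor enabled."""

    def __init__(self, main_password):
        self._salt = secrets.token_bytes(16)
        self._main = self._digest(main_password)
        self._app_passwords = {}  # label -> digest; the plaintext is never stored

    def _digest(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def generate_app_password(self, label):
        # Long and random; returned once, which is why it is displayed only once.
        password = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        self._app_passwords[label] = self._digest(password)
        return password

    def revoke(self, label):
        self._app_passwords.pop(label, None)

    def authenticate(self, channel, password, second_factor_ok=False):
        candidate = self._digest(password)
        if channel == WEB_LOGIN:
            # Web sign-in takes only the main password, and still needs the second factor.
            return hmac.compare_digest(candidate, self._main) and second_factor_ok
        if channel in MAIL_PROTOCOLS:
            # Mail protocols take only an unrevoked app password.
            return any(hmac.compare_digest(candidate, d)
                       for d in self._app_passwords.values())
        return False

def demo():
    acct = Account("constructed-main-password")  # constructed sample value
    app_pw = acct.generate_app_password("Eudora on my laptop")
    results = {
        "imap_with_app_pw": acct.authenticate("imap", app_pw),
        "web_with_app_pw": acct.authenticate(WEB_LOGIN, app_pw, second_factor_ok=True),
        "imap_with_main_pw": acct.authenticate("imap", "constructed-main-password"),
    }
    acct.revoke("Eudora on my laptop")
    results["imap_after_revoke"] = acct.authenticate("imap", app_pw)
    return results
```

Only the first check in demo() succeeds: the app password is rejected at the web sign-in, the main password is rejected over IMAP, and the revoked app password stops working immediately.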
Use two-factor authentication wherever possible.
Then, if you’re using a program that doesn’t handle two-factor, you can use app passwords to allow it to continue to work anyway.