
I Enabled Two-Factor Authentication and Now My Email Program Can’t Log In

When I turned on the two-factor verification, I could no longer use Eudora to download my email!

It’s no surprise, really, but most software (like desktop email programs) has no way to ask for, or enter, a second factor if your account is configured to require one.

If you use such a program, you’re not stuck. In addition to two-factor authentication, the industry has a pseudo-standard solution for just this scenario.

It’s called an application-specific password, or “app password”.


Some programs just work

Before I show you how to create and use an app password, I need to point out that some popular programs are being updated to use slightly different authentication techniques that actually do allow two-factor authentication to work as advertised.

For example, if you add a Google account to the Windows 10 Mail program in order to read your Google email there, the sign-in dialog you see is provided by Google, not by the email program.

Adding Gmail to Mail

This “delegation” of the log-in step (an OAuth 2.0 sign-in, in which the program hands you over to Google’s own sign-in page and gets back a token rather than holding your password) allows Google to ask you for your second factor.

In researching this article, I discovered Thunderbird also now does this, and I suspect that Microsoft Office’s Outlook will as well.

But that doesn’t help those of you clinging to Eudora, which is long out of support, or other email programs for which this approach is not an option.

For you, we need app passwords.

Generating an app password

I’ll use Google as my example, but many services that support two-factor authentication also support app passwords, including Microsoft.

Log in to your Google account normally — I’ll assume Gmail as a common starting point. Click on your account icon, and then click on My Account.

Google My Account button

On the resulting page (not shown) click on Sign-in & security. On the following page, scroll down until you find App passwords. Click on that. (Google only offers this option once 2-Step Verification is turned on, so if you don’t see it, that is the first thing to check.)

The app passwords link

For security, you’ll be asked to confirm your password, after which you’ll be taken to a page listing any existing app passwords (you’ll likely have none at this point) and the ability to generate new ones.

Generate App Password dialog

The “Select app” and “Select device” dropdowns have some choices, as well as an option for a custom “Other”.

Select App

These items exist only to help you identify the app password you create sometime in the future. I’ll choose “Other” and enter “Eudora on my laptop”.

Click on Generate.

App password name

You’ll then be presented with the generated password.

Generated App Password

This is the only time the password will be displayed; as soon as you leave this page, you will not be able to see it again. Paste it straight into the program that needs it. If you do copy it somewhere or write it down, keep that copy somewhere safe: anyone who has it can read and send your email.

You now have an app password for your account.

Using an app password

Using an app password is surprisingly simple.

When configuring your email program, or any other program incapable of supporting two-factor authentication, enter this password wherever the program asks for your account password, instead of your “real” account password. (For an email program that usually means both the incoming IMAP or POP server and the outgoing SMTP server.) Your second factor will not be requested.

That’s all there is to it.
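To make the difference between the two approaches concrete, here is an added example (my own code, not anything from the article, from Eudora or from Google) showing what actually reaches the IMAP server in each case: the LOGIN command a legacy client sends with an app password, and the AUTHENTICATE XOAUTH2 response a delegating client sends with an OAuth 2.0 access token. The user name, app password and token are made up; imap.gmail.com on port 993 is Google’s real IMAP endpoint.

```python
"""Added example (not from the article): what a mail program sends to an IMAP
server when it signs in the legacy way, with an app password, versus the
delegated way, with an OAuth 2.0 access token. The host is the real
imap.gmail.com; the account name, app password and token are made up."""
import base64
import imaplib
import ssl


def imap_quote(value: str) -> str:
    """Render a string as an IMAP quoted-string (RFC 3501 section 4.3):
    escape backslash and double quote, then wrap in double quotes."""
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def imap_login_line(tag: str, user: str, app_password: str) -> str:
    """The LOGIN command a two-factor-incapable client sends. The app password
    travels as a plain credential; only the TLS session protects it, which is
    why the connections below use port 993 and never plain port 143."""
    return f"{tag} LOGIN {imap_quote(user)} {imap_quote(app_password)}"


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """SASL XOAUTH2 client response sent with AUTHENTICATE XOAUTH2:
    'user=<addr>^Aauth=Bearer <token>^A^A', base64-encoded. The token comes
    from the OAuth sign-in window, so the account password itself never
    reaches the mail program."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


def decode_xoauth2(initial_response: str) -> tuple[str, str]:
    """Inverse of xoauth2_initial_response, as the server side parses it."""
    raw = base64.b64decode(initial_response).decode()
    fields = dict(part.split("=", 1) for part in raw.split("\x01") if part)
    return fields["user"], fields["auth"].removeprefix("Bearer ")


def login_with_app_password(user: str, app_password: str,
                            host: str = "imap.gmail.com") -> imaplib.IMAP4_SSL:
    """Legacy path: imaplib builds the quoted LOGIN line shown above for us."""
    conn = imaplib.IMAP4_SSL(host, 993, ssl_context=ssl.create_default_context())
    conn.login(user, app_password)
    return conn


def login_with_oauth(user: str, access_token: str,
                     host: str = "imap.gmail.com") -> imaplib.IMAP4_SSL:
    """Delegated path: imaplib base64-encodes whatever the callable returns,
    so hand it the raw (not yet encoded) XOAUTH2 string."""
    conn = imaplib.IMAP4_SSL(host, 993, ssl_context=ssl.create_default_context())
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    conn.authenticate("XOAUTH2", lambda _challenge: raw.encode())
    return conn


if __name__ == "__main__":
    # Show the two wire formats without opening a network connection.
    print(imap_login_line("A001", "alice@example.com", "abcd efgh ijkl mnop"))
    print("A002 AUTHENTICATE XOAUTH2",
          xoauth2_initial_response("alice@example.com", "ya29.example-token"))
```

Run it as a script to see both lines side by side. The practical point: on the legacy path the app password is the entire credential, so it must only ever travel over TLS and only into a program you trust to store it; on the delegated path the program never sees your password at all, only a token that Google can expire or revoke on its own.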

How can this possibly be secure?

We have a password that, when used, bypasses two-factor authentication. That might seem to invalidate two-factor altogether, but it doesn’t. Your app password has several characteristics that make it reasonably secure and useful, without compromising your account.

You use it in one and only one place. This is a discipline on your part, not something the service enforces: the label you chose (“Eudora on my laptop”) is for your own bookkeeping, and the password itself would work from any program that presents it. That is exactly why you should give it to Eudora on the laptop and to nothing else. If you want to configure a different program, or one on a different device, generate a separate app password for that specific purpose, so that each one can be revoked on its own.

It can only be used for application login (IMAP, POP, SMTP and the like). You can’t log in using this password by entering it at the normal web-based account log-in screen, which also means it can’t be used to change your account password, recovery options or other security settings.

It’s long and random. The service generates it for you, so it’s not a password that can be “guessed,” and it isn’t one you have reused anywhere else.

You don’t need to remember it. Once you configure your email program, there’s no need to remember the password or have it written down or saved anywhere else. The program stores it, which also means it is only as safe as the device it lives on. Should you find you need the password again for some reason, generate a new app password instead.

You can revoke it without affecting your other passwords. When you finally stop using Eudora and no longer need the app password you generated just for it, you can revoke and invalidate the password.

I expect that some providers will subject logins using app passwords to even more scrutiny. For example, using your Eudora laptop app password to log in via a mobile phone could trigger additional account validation requests.
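As an added example of the kind of check the paragraph above speculates about (this is my own illustration of the idea, not Google’s actual logic, and the log format and entries are constructed for it): an app password is supposed to live in one program on one device, so the same app password arriving from two different source addresses within a short window is a strong sign that it has been copied, and the natural response is to revoke that one credential.

```python
"""Added example, not Google's actual logic: the extra scrutiny the article
speculates a provider might apply to app-password logins. An app password is
meant to sit in exactly one program on one device, so the same app password
arriving from two different source addresses within a short window is a
strong sign that it has been copied. The log lines and their format are
constructed for this example."""
from datetime import datetime, timedelta

SAMPLE_AUTH_LOG = [  # constructed sample; the format is invented for this example
    "2024-05-01T08:00:00Z method=app_password cred=eudora-laptop ip=203.0.113.10",
    "2024-05-01T08:05:00Z method=app_password cred=eudora-laptop ip=203.0.113.10",
    "2024-05-01T08:07:00Z method=app_password cred=eudora-laptop ip=198.51.100.7",
    "2024-05-01T09:00:00Z method=app_password cred=phone-mail ip=192.0.2.44",
    "2024-05-01T12:30:00Z method=app_password cred=eudora-laptop ip=203.0.113.10",
    "2024-05-01T12:31:00Z method=web_password cred=primary ip=192.0.2.44",
]


def parse_event(line: str) -> dict:
    """'<timestamp> key=value ...' -> dict, with the timestamp parsed under 'ts'."""
    stamp, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    return event


def concurrent_app_password_use(lines, window: timedelta = timedelta(minutes=15)) -> list:
    """Return one (cred, earlier_ip, new_ip, ts) tuple for every app-password
    login whose credential was also used from a different address within
    `window`. Web logins are skipped; they get the normal two-factor checks."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    recent_by_cred: dict[str, list] = {}
    alerts = []
    for event in events:
        if event["method"] != "app_password":
            continue
        cred, ip, ts = event["cred"], event["ip"], event["ts"]
        # Keep only sightings of this credential that are still inside the window.
        recent = [(t, seen_ip) for t, seen_ip in recent_by_cred.get(cred, [])
                  if ts - t <= window]
        for t, seen_ip in recent:
            if seen_ip != ip:
                alerts.append((cred, seen_ip, ip, ts))
                break
        recent.append((ts, ip))
        recent_by_cred[cred] = recent
    return alerts


if __name__ == "__main__":
    for cred, old_ip, new_ip, ts in concurrent_app_password_use(SAMPLE_AUTH_LOG):
        print(f"{ts:%H:%M} app password '{cred}' used from {new_ip} "
              f"shortly after {old_ip}: revoke it")
```

On the constructed log the check flags the “eudora-laptop” password once, when it shows up from 198.51.100.7 two minutes after 203.0.113.10; the later 12:30 login from the laptop’s usual address is outside the window and passes. Because each app password is tied to a single purpose, the alert names exactly the credential to revoke without touching the account password.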

Used this way, one per program and revoked when no longer needed, app passwords are a reasonably secure way to use otherwise two-factor-incapable applications.

Revoking an app password

As I said, when you stop using the application for which you created a password, you can revoke and invalidate that password so it simply won’t work. You can also do this if you ever have any reason to believe that the password — in spite of all the attributes above — has somehow been compromised.

Return to the app-password-generation page we started with. This time your existing app password(s) will be listed.

Existing App Password

Click on the garbage can icon to the right of the password you wish to revoke, and it’ll be invalidated immediately.

Revoked!

This app password will no longer work.


4 comments on “I Enabled Two-Factor Authentication and Now My Email Program Can’t Log In”

  1. I have been using this for years with my Google mail account and an ancient edition of Microsoft Outlook, but I had never understood up to now why this was supposed to be secure. I imagine the answer is this: “It can only be used for application login. You can’t log in using this password by entering it at the normal web-based account log-in screen.”

    However, in all other regards, it’s worse, or not better (it seems to me), than my previous setup:

    “It’s long and complex.” Well, the password I had before was much longer and much more complex, because I had been using a password manager anyway.

    Likewise, the password manager already gave me all those advantages: “You use it in one and only one place”, “You don’t need to remember it”, “You can revoke it without affecting your other passwords”.

    I would like to ask for confirmation of this: “I could use this password only in the configuration of Eudora, and only on my laptop.”

    Does this mean that if I install Thunderbird on my PC, and use the same Google app password as in Outlook, it will fail? How does Google know that it’s Thunderbird calling, and not Outlook? Likewise, I now use a desktop PC. How would Google know if I used a laptop, with the same program and the same app password, to access my account?

    All in all, is my present pseudo-2FA setup more secure than not using an app password, but setting up in Outlook, say, a 60-character random and unique password using all available characters in KeePass, including non-ANSI ones people never use, which makes for a pretty robust password by itself?

    What if a hacker tried to use a mail client program to break into a Google account protected by an app password? How would this be more difficult than trying to hack the Web interface?

    • It means exactly that. It will only work on that particular installation of Eudora (or whichever program you use it for).

      • That’s actually not true as I understand it. If you took the time to save the password elsewhere, you could use it on any email program from that same computer.

    • As I said in the article, my suspicion is that Google places more security scrutiny on logins with app passwords. No, they can’t tell the difference between Outlook and Eudora, and the same password would likely work in both places, but they COULD tell the difference between one location and another, or seeing it from two different locations at the same time (you and the hacker), and consider that EXTREMELY unlikely to be a legitimate use of an app password.

      If a hacker DOES get your app password, and none of the red flags get tripped, all he has access to is your email. He can’t, for example, change your password as he could on the web interface. He can’t do much of anything other than get your email or send on your behalf. And as soon as you revoke the app password, he’s out.
