It’s no surprise, really, but most software (like desktop email programs) has no way to ask for, or enter, a second factor if your account is configured to require one.
If you use such a program, you’re not stuck. In addition to two-factor authentication, the industry has a pseudo-standard solution for just this scenario.
It’s called an application-specific password, or “app password”.
Some programs just work
Before I show you how to create and use an app password, I need to point out that some popular programs are being updated to use slightly different authentication techniques that actually do allow two-factor authentication to work as advertised.
For example, if you run the Windows 10 Mail program and add a Google account so you can access your Google email using Windows 10 Mail, you’ll see the authentication dialog provided by Google, not the email program.
This “delegation” of the log-in step allows Google to ask you for your second factor.
In researching this article, I discovered Thunderbird also now does this, and I suspect that Microsoft Office’s Outlook will as well.
But that doesn’t help those of you clinging to Eudora, which is long out of support, or other email programs for which this approach is not an option.
For you, we need app passwords.
Generating an app password
I’ll use Google as my example, but many services that support two-factor authentication also support app passwords, including Microsoft.
Log in to your Google account normally — I’ll assume Gmail as a common starting point. Click on your account icon, and then click on My Account.
On the resulting page (not shown) click on Sign-in & security. On the following page, scroll down until you find App passwords. Click on that.
For security, you’ll be asked to confirm your password, after which you’ll be taken to a page listing any existing app passwords (you’ll likely have none at this point) and the ability to generate new ones.
The “Select app” and “Select device” dropdowns have some choices, as well as an option for a custom “Other”.
These items exist only to help you identify the app password you create sometime in the future. I’ll choose “Other” and enter “Eudora on my laptop”.
Click on Generate.
You’ll then be presented with the generated password.
Copy this password someplace safe. This is the only time it will be displayed. You can copy/paste it somewhere if you like, or write it down. As soon as you leave this page, you will not be able to see it again.
You now have an app password for your account.
Using an app password
Using an app password is surprisingly simple.
When configuring your email program, or any other program incapable of supporting two-factor authentication, use this password instead of your “real” account password. Two-factor will not be required.
That’s all there is to it.
How can this possibly be secure?
We have a password that, when used, bypasses two-factor authentication. That might seem to invalidate two-factor altogether, but it doesn’t. Your app password has several interesting characteristics that make it quite secure and useful, without compromising your account.
You use it in one and only one place. In our example above, I could use this password only in the configuration of Eudora, and only on my laptop. If I want to configure a different program, or one on a different device, I would generate a new app password for that specific purpose.
It can only be used for application login. You can’t log in using this password by entering it at the normal web-based account log-in screen.
It’s long and complex. It’s not a password that can be “guessed.”
You don’t need to remember it. Once you configure your email program, there’s no need to remember the password or have it written down or saved anywhere. Should you find you do need a password for some reason, you can always generate a new app password.
You can revoke it without affecting your other passwords. When you finally stop using Eudora and no longer need the app password you generated just for it, you can revoke and invalidate the password.
I expect that some providers will subject logins using app passwords to even more scrutiny. For example, using your Eudora laptop app password to log in via a mobile phone could trigger additional account validation requests.
Adding app passwords ends up being a very secure way to use otherwise two-factor-incapable applications.
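The characteristics listed above, expressed as a small provider-side model in Python. This is an added example, not Google's implementation and not code from the original article; the `Account` class, its method names and the sample passwords are invented for illustration.

```python
import hashlib
import hmac
import secrets
import string


class Account:
    """Toy provider-side model of one account; not any real provider's code."""
    def __init__(self, password, second_factor):
        self._password = password
        self._second_factor = second_factor  # stands in for a TOTP/SMS code
        self._app_passwords = {}             # label -> SHA-256 digest

    def generate_app_password(self, label):
        # Long and random; only a digest is kept, so it is shown exactly once.
        secret = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
        self._app_passwords[label] = hashlib.sha256(secret.encode()).digest()
        return secret

    def revoke(self, label):
        # Invalidates one app password; everything else keeps working.
        return self._app_passwords.pop(label, None) is not None

    def web_login(self, password, code=""):
        # Interactive sign-in: real password AND second factor, nothing else.
        return (hmac.compare_digest(password.encode(), self._password.encode())
                and hmac.compare_digest(code.encode(), self._second_factor.encode()))

    def app_login(self, password):
        # Model assumption: only an unrevoked app password is accepted here,
        # because this kind of client cannot supply a second factor.
        digest = hashlib.sha256(password.encode()).digest()
        for label, stored in self._app_passwords.items():
            if hmac.compare_digest(digest, stored):
                return label  # provider can tell which app's password was used
        return None


def demo():
    acct = Account("correct horse", "123456")  # constructed sample values
    eudora = acct.generate_app_password("Eudora on my laptop")
    phone = acct.generate_app_password("Mail on my phone")
    before = (acct.app_login(eudora), acct.web_login(eudora, "123456"))
    acct.revoke("Eudora on my laptop")
    after = (acct.app_login(eudora), acct.app_login(phone))
    return before, after


if __name__ == "__main__":
    print(demo())
```

Because `app_login` returns the label that matched, a provider built this way can also notice when the “Eudora on my laptop” password shows up from an unexpected device.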
Revoking an app password
As I said, when you stop using the application for which you created a password, you can revoke and invalidate that password so it simply won’t work. You can also do this if you ever have any reason to believe that the password — in spite of all the attributes above — has somehow been compromised.
Return to the app-password-generation page we started with. This time your existing app password(s) will be listed.
Click on the garbage can icon to the right of the password you wish to revoke, and it’ll be invalidated immediately.
This app password will no longer work.