[Users] Can't login to my GMail IMAP acct

Little Girl littlergirl at gmail.com
Fri Jun 10 12:49:48 CET 2022


Hey there,

Ralf Mardorf via Users wrote:
>Little Girl wrote:

>>Duo or Microsoft Authenticator

>when I decided to install authentication apps for testing purposes on
>my iPads I cared for privacy. That said, I'm completely against this
>insane kind of authentication. However, if people should consider
>this multi-factor idea as a secure solution, then I wonder why people
>consider it secure, to allow companies to collect data. There's not
>only no need for an authentication app to collect data, the data
>mining also makes authentication apps insecure.

This is a whole separate topic that's probably worthy of its own
thread.

>I didn't waste any time in verifying the claims made for the apps
>OTP Auth and SAASPASS, nor have I done any research about the
>authors. If somebody wants to use those apps I recommend doing what
>I've not done. However, if it should be the truth that both apps
>don't collect data, there should be no doubts to prefer these apps
>over Microsoft Authenticator and Duo Mobile.

You're right that security is a decision we should each research and
decide upon for ourselves. To keep this in perspective, though, this
particular discussion is for setting up Claws Mail to use OAuth2 (or
an App Password) for use with Gmail, so we're not necessarily
building this additional layer of security on top of an
already-secure foundation. It's more like we're very carefully
playing Jenga.

That said, my network engineer recommended the two phone apps that I
used as examples and gave his reasons for the recommendations. I
decided to choose Duo Mobile since it's made by Cisco and they're
trusted to manage the connectivity and cyber-security for governments
and enterprise-level businesses and organizations the world over,
which I find rather comforting. I'm somewhat biased in their favor,
though, because I happen to be taking one of their cybersecurity
courses at the moment.

In case you had missed it, my message had also listed the open-source
oathtool package mentioned by Leon Fisk in here as an alternative
that can be used on a GNU/Linux computer instead of using a phone app
or other method. That program has been around since 2009. You might
want to poke around in its source code to see if you'd find it to be
a reliable, non-invasive tool for doing authentications:

https://gitlab.com/oath-toolkit/oath-toolkit

-- 
Little Girl

There is no spoon.

