Opened 5 years ago

Closed 5 years ago

#6986 closed enhancement (fixed)

Set up two-factor auth and app-specific password for email registration helper

Reported by: dcf Owned by: dcf
Priority: Medium Milestone:
Component: Archived/Flashproxy Version:
Severity: Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Gmail has application-specific passwords that are intended to allow SMTP and IMAP programs to authenticate without using the main Gmail/Google Account password. For some reason, you can only set this up if you've enabled two-factor authentication.

We should do this because

  1. we can keep the master Gmail password offline, and only allow the facilitator access to IMAP under a different password. A breakin on the facilitator would not, for example, allow the intruder to set a new Gmail forwarding rule.
  2. We can revoke/rotate the IMAP password independently of the master Gmail password.

Child Tickets

Change History (3)

comment:1 Changed 5 years ago by dcf

Parent ID: #6383

comment:2 in reply to:  description Changed 5 years ago by dcf

Replying to dcf:

  1. we can keep the master Gmail password offline, and only allow the facilitator access to IMAP under a different password. A breakin on the facilitator would not, for example, allow the intruder to set a new Gmail forwarding rule.

I have tried setting this up, and now I'm not so sure that the application-specific password cannot be used to access the Google account. When I create the password, there is a notice:

"Note that this password grants complete access to your Google Account."

On the other hand, when I try to use that password to log in to Gmail with a web browser, it fails with the message

"Please use your account password instead of an application-specific password."

So I don't know exactly what the privileges are of this password. I think that having an application-specific password is good for security, even if it turns out to be root-equivalent and bypass SMS verification, because

  1. We can in the worst case completely delete the account using the master password, if the account is compromised.
  2. We can in theory detect when the application-specific password has been unauthorizedly used by examining the "recent activity" page in Gmail.

comment:3 Changed 5 years ago by dcf

Resolution: fixed
Status: newclosed

This is set up now. I bought a new prepaid phone, not used for any other purpose, and associated it with two new accounts. I didn't try making any more. The flashproxy-client programs are now configured to use one of the two-factor accounts.

Note: See TracTickets for help on using tickets.