Question
If you use a client like mutt to access your mail, you probably know that it doesn't support 2-factor authentication. It still prompts only for a password - either your account password or, in the case of Gmail, possibly your application-specific Gmail password.
My concern is that attackers can work around Gmail's 2-factor authentication by logging in through a client like mutt. While we can set application-specific passwords, we can't do that for every single client that exists, right? And yes, if someone has one's password, then the game is already over; but 2-factor is supposed to be an additional line of defense, and this appears to undermine that additional defense.
Is this a real threat? What is the recommended way of dealing with it?
Explanation / Answer
Application-specific passwords are the only workaround currently provided for applications which don't support two-factor authentication to Google. This does effectively bypass two-factor authentication, but only to a certain degree.
Obviously, the primary risk is that a compromised application-specific password can be used to access your account without requiring a second factor for authentication. Google provides a certain amount of mitigation of this risk by making the passwords much stronger than the typical user-generated password, and also by only displaying a given app-specific password once.
You should also be mitigating this by ensuring the security of the environment where the app-specific password is displayed and stored, only using a given app-specific password once, and never copying an app-specific password to any location except the password field of the application that needs it. Also, as always, don't use the application on networks that you don't trust.
You should also take advantage of the mechanisms Google provides for managing and monitoring app-specific passwords. Particularly:
In the end, creation of an app-specific password effectively requires that you accept the risk of allowing that application to have permissions to your account without a second authentication factor.