Andrew McGlashan <andrew.mcglashan@affinityvision.com.au> writes:
> Application passwords were, arguably, less secure than what you could actually use as a password and you lost the 2FA aspect of the login. So, lots of room for improvement.

No, not really. E.g. if you look at the getmail implementation, it is still just storing a secret (token) on the filesystem that is completely usable without any 2FA. You do need 2FA to obtain the original token (just like you need 2FA to obtain an application specific password), but once you have that there is no need for 2FA anymore. Actually, two secrets now, because we also need to store an application secret too.

On the plus side, this token does expire, and needs to be regularly renewed. Plus the secret is very much restricted in what it can do. So I believe somebody stealing my mail credentials can't tamper with my Google drive for example.

On the negative side however, it means getmail's gnomekeyring (let's pretend it isn't already broken) does not work anymore, and secrets need to be in the file system in a place accessible by all applications.

I suspect the need to register the application (to obtain the oauth application credentials) with Google might have implications for open source software, especially if you don't have domain admin rights (e.g. workplace domain). Although I might be wrong here. It is possible to register an OAuth application in Google that works across multiple domains, however that appears to require a manual approval process, and I am a bit suspicious (???) this might not be an option for open source applications.

-- 
Brian May <brian@linuxpenguins.xyz>
https://linuxpenguins.xyz/brian/
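The point of the reply above is that once the OAuth token sits on disk it is a bearer secret usable without 2FA, so the only things still protecting the mailbox are the file's permissions, the token's expiry and its scope restriction. The following is an added example (not getmail's code, nor anything from the thread) of a small audit that checks exactly those three properties for a token file. The JSON layout (`access_token`, `refresh_token`, `scope`, `expires_at`) and the "mail only" expected scope are assumptions for the example; the sample token values are constructed and not real credentials.

```python
import json
import os
import stat
import tempfile
import time

# Assumption: a mail-fetching client is expected to hold only this scope.
EXPECTED_SCOPES = {"https://mail.google.com/"}

# Constructed sample token; the values are placeholders, not real credentials.
SAMPLE_TOKEN = {
    "access_token": "EXAMPLE-ACCESS-TOKEN-NOT-REAL",
    "refresh_token": "EXAMPLE-REFRESH-TOKEN-NOT-REAL",
    "scope": "https://mail.google.com/ https://www.googleapis.com/auth/drive",
    "token_type": "Bearer",
    "expires_at": 1700000000,  # unix time at which the access token expires
}


def audit_token_file(path, expected_scopes=EXPECTED_SCOPES, now=None):
    """Return a list of findings for an OAuth token stored as JSON at `path`.

    Checks the three mitigations discussed in the thread: who can read the
    file, whether the token still expires, and whether its scope is limited.
    """
    findings = []

    # 1. File permissions: a bearer token readable by group/other is usable
    #    by any other local user or application without 2FA.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"token file readable by group/other (mode {mode:04o})")

    with open(path, encoding="utf-8") as f:
        data = json.load(f)

    # 2. Expiry: a token with no recorded expiry should be treated as
    #    long-lived; an expired one needs the renewal the thread mentions.
    now = time.time() if now is None else now
    expires_at = data.get("expires_at")
    if expires_at is None:
        findings.append("no expiry recorded: treat token as non-expiring")
    elif expires_at < now:
        findings.append("access token expired; renewal required")

    # 3. Scope: anything beyond the expected mail scope widens the blast
    #    radius of a stolen file (e.g. Drive access alongside mail).
    scopes = set(data.get("scope", "").split())
    extra = scopes - set(expected_scopes)
    if extra:
        findings.append("scopes beyond mail: " + ", ".join(sorted(extra)))

    # A refresh token is the long-lived secret: whoever reads it can mint new
    # access tokens without 2FA until it is revoked.
    if "refresh_token" in data:
        findings.append("refresh_token present: file grants renewal without 2FA")

    return findings


def write_sample_token(directory, mode=0o644):
    """Write the constructed sample token to `directory` with the given mode."""
    path = os.path.join(directory, "oauth2_token.json")
    with open(path, "w", encoding="utf-8") as f:
        json.dump(SAMPLE_TOKEN, f)
    os.chmod(path, mode)
    return path


def run_demo(mode=0o644, now=1800000000):
    """Write the sample token with `mode`, audit it at time `now`, clean up."""
    with tempfile.TemporaryDirectory() as directory:
        path = write_sample_token(directory, mode)
        return audit_token_file(path, now=now)


if __name__ == "__main__":
    print("world-readable, expired token:")
    for finding in run_demo(0o644, now=1800000000):
        print("  -", finding)
    print("owner-only, still valid token:")
    for finding in run_demo(0o600, now=1600000000):
        print("  -", finding)
```

Run it as a script to see the two cases side by side: a world-readable, expired token with a Drive scope produces four findings, while the same file at mode 0600 and still within its lifetime only reports the Drive scope and the presence of the refresh token, which is the residual risk no file mode removes.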