AT&T email technical support team tells me that Thunderbird (even 68) is not yet compatible with the oauth password security soon required.

  • 9 replies
  • 2 have this problem
  • 4 views
  • Last reply by wmem

I assume this to be true since I spent the afternoon going up three levels of *escalation* on a live call to get the answer from them.

My questions are: 1) Why would Thunderbird not yet (September, 2019) be compatible with the oauth password security system required by a major US email provider? When, if ever, is this omission going to be addressed and included?

Using the only available workaround they offer for non-compliant insecure email clients, called a *secure mail key,* is not really a very modern solution to an internal inherent security flaw in a software program.

Chosen solution

Perhaps you could ask ATT what their oAuth private key is. Thunderbird cannot support oAuth for ATT because they don't have a key. They think the Yahoo one should be used. Except Yahoo begs to differ.

So the Thunderbird folks are between a rock and a hard place. Thunderbird cannot implement the mess they are making because it breaks the oAuth standard, or at least that was what the Yahoo reps said when we implemented Yahoo.

So back to ATT.


In the meantime use a secure mail key using the instructions from the ATT web site here which I have copied below.

Learn how to create a secure mail key from your mobile device, tablet, or computer. Have your User ID and password ready to sign in to myAT&T.

  • Go to Profile > Sign-in info.
  • Select the email account that you want to get a secure mail key for. (You’ll find a drop-down menu at the top if you have multiple accounts.)
  • Scroll to Secure mail key and select Manage secure mail key.
  • If you have more than one email address, select the one you want to use.
  • Select Add secure mail key.
  • Enter a nickname for the secure mail key to make it easier to recognize.
  • Select Create secure mail key.
  • Select Copy secure mail key to clipboard. (Jot down your secure mail key, so you have it handy if you have to update an email app on several devices.)
  • For security purposes, the secure mail key only shows until you select OK.
  • If you lose or forget the secure mail key, you can create new secure mail keys as needed.
  • Select OK.
  • Go to your preferred email app and replace the existing password with your secure mail key. (For an IMAP account, delete the existing password for both the IMAP and SMTP servers and replace them with your secure mail key.)

All Replies (9)

Thanks, Matt, at least the AT&T gang has now gone to all alpha from all numeric in their keys. That helps quite a bit.

You gave the only real explanation of this situation available anywhere for the *ordinary* reader.

Thanks again.

This works, however "Keeper" password manager rates the provided Oauth "Key" as poor.

mfraz2k said

This works, however "Keeper" password manager rates the provided Oauth "Key" as poor

I have never heard of Keeper. But it is really irrelevant here anyway. ATT / Yahoo have a method. If you don't use it you use web mail. So if you really wish to address the issue take it to ATT or Yahoo. This discussion is about fitting in with their demands, not about the security of what they demand.

But keep in mind that folks will also tell you not to write down your passwords. But at home, who else but you is going to be seeing them? Burglars are not the kinds of people interested in your cyber security.

Yet others warn about the risks of opening a suspicious email. That was good advice 20 years ago when we were all using Microsoft Outlook or Outlook Express and it excelled at executing the malware in the message body. Not so much now when products like Thunderbird do not execute scripts in the message body.

My point is the product might be offering good advice, or it might be offering advice that is biased to improving its apparent usefulness. It might be repeating less correct information with an agenda. Antivirus products do it all the time.

In the end analysis, you either do it the ATT way or don't get your mail except in a web browser.

After reading solutions from several different forums I discovered this: https://getmailspring.com/setup/access-att-net-via-imap-smtp.

Essentially, all I had to do was to change the AT&T servers to be the Yahoo servers. In the security settings I chose SSL/TLS and OAuth2.

The first time connecting, Yahoo prompted me for my AT&T username and password. I provided the information and received a confirmation email from Yahoo, indicating a new device had logged in. After that, Thunderbird is working as it used to, without the need for the secure mail key.

BillMc said

Essentially, all I had to do was to change the AT&T servers to be the Yahoo servers. In the security settings I chose SSL/TLS and OAuth2.

It is such a shame ATT do not understand oAuth and don't get their own authentication key for oAuth as Yahoo says they need to.

What do you do when none of this works? I have att/yahoo mail and use thunderbird, have for many years. It's always worked until the 'secure mail key' update. I now haven't received my email for 6 days, I've updated the secure mail key, changed the password in thunderbird, spent hours on the phone with att. Maybe I'm not changing all the passwords I need to change but I can't find but one place to change the password. Do I need to change it for both inbound and outbound email? Where do I change the password other than the one place listed here? What about my yahoo password that I used before the secure mail key? Does it just go away? I still need it to get into yahoo. I'm lost and confused and can't figure out how to fix this.

All att.net email users should have changed to yahoo mail server settings. att.net servers have had problems for multiple years.

The imap settings are:

  • Att.net (AT&T) IMAP Server: imap.mail.yahoo.com
  • IMAP port: 993
  • IMAP security: SSL / TLS

  • Att.net (AT&T) SMTP Server: smtp.mail.yahoo.com
  • SMTP port: 465
  • SMTP security: SSL / TLS

Select (right click) the email account, then "Settings". Choose "Server Settings"; in "Security Settings" choose OAuth2 from the "Authentication method" drop down. Click OK.

Click on "Get Messages" to activate a login attempt. You will be prompted to sign into your att account. Once completed, yahoo will send an email stating: "Your Yahoo account abcde@att.net was used to sign in to a new third party application on thunderbird."

This will complete the process.


Matt said

Perhaps you could ask ATT what their oAuth private key is. Thunderbird cannot support oAuth for ATT because they don't have a key. They think the Yahoo one should be used. Except Yahoo begs to differ. So the Thunderbird folks are between a rock and a hard place. Thunderbird cannot implement the mess they are making because it breaks the oAuth standard, or at least that was what the Yahoo reps said when we implemented Yahoo. So back to ATT. In the meantime use a secure mail key using the instructions from the ATT web site here which I have copied below. Learn how to create a secure mail key from your mobile device, tablet, or computer. Have your User ID and password ready to sign in to myAT&T.
  • Go to Profile > Sign-in info.
  • Select the email account that you want to get a secure mail key for. (You’ll find a drop-down menu at the top if you have multiple accounts.)
  • Scroll to Secure mail key and select Manage secure mail key.
  • If you have more than one email address, select the one you want to use.
  • Select Add secure mail key.
  • Enter a nickname for the secure mail key to make it easier to recognize.
  • Select Create secure mail key.
  • Select Copy secure mail key to clipboard. (Jot down your secure mail key, so you have it handy if you have to update an email app on several devices.)
  • For security purposes, the secure mail key only shows until you select OK.
  • If you lose or forget the secure mail key, you can create new secure mail keys as needed.
  • Select OK.
  • Go to your preferred email app and replace the existing password with your secure mail key. (For an IMAP account, delete the existing password for both the IMAP and SMTP servers and replace them with your secure mail key.)

I am still utilizing att.net server settings and have not had any issues to date. Was something changed in later releases of Thunderbird that negated this issue or has it just not caught up with me yet?
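
What the OAuth2 setting discussed in this thread changes on the wire, compared with a secure mail key typed into the password field, shown as an added example (not from any poster and not Thunderbird's code). It assumes the OAuth2 option maps to the SASL XOAUTH2 mechanism; the host and port are the ones given above, while the capability line, the token and all function names are constructed for illustration.

```python
import base64
import imaplib
import ssl

# Host and port are the ones given in the thread; the rest is constructed.
IMAP_HOST, IMAP_PORT = "imap.mail.yahoo.com", 993
CONSTRUCTED_CAPS = "* CAPABILITY IMAP4rev1 ID AUTH=PLAIN AUTH=XOAUTH2"

def auth_mechanisms(capability_line):
    """Return the SASL mechanisms (AUTH=...) in an IMAP CAPABILITY response."""
    return {tok[5:].upper() for tok in capability_line.split()
            if tok.upper().startswith("AUTH=")}

def pick_auth(capability_line):
    """Prefer bearer-token auth; otherwise fall back to a password login,
    which for AT&T means the secure mail key, not the account password."""
    return "XOAUTH2" if "XOAUTH2" in auth_mechanisms(capability_line) else "PASSWORD"

def xoauth2_payload(user, access_token):
    """Raw SASL XOAUTH2 initial response (imaplib base64-encodes it)."""
    if any(ord(c) < 0x20 for c in user + access_token):
        raise ValueError("control character in user or token")
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()

def wire_form(user, access_token):
    """What follows 'AUTHENTICATE XOAUTH2' inside the TLS connection."""
    return base64.b64encode(xoauth2_payload(user, access_token)).decode()

def connect(user, access_token):
    """Implicit-TLS IMAP session with certificate checks, authenticated by token.
    Not called here: it needs network access and a real access token."""
    ctx = ssl.create_default_context()
    conn = imaplib.IMAP4_SSL(IMAP_HOST, IMAP_PORT, ssl_context=ctx)
    conn.authenticate("XOAUTH2",
                      lambda _challenge: xoauth2_payload(user, access_token))
    return conn

if __name__ == "__main__":
    print(pick_auth(CONSTRUCTED_CAPS))
    print(wire_form("abcde@att.net", "CONSTRUCTED-TOKEN"))
```

With XOAUTH2 the mail client only ever holds a token issued after the browser sign-in, whereas the secure mail key is a long-lived password stored in the client for both IMAP and SMTP.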