OK, I made a test Google account, and set up two-factor authentication. In Google, I created an app password for "mail" on "Windows computer". Same problem. Thunderbird asks for the the password, and when I use the app password, it gives a red message: "Try again with your Google Account password". I use the actual Google password, it sends the verification text, that gets me to the page asking to allow T-bird access to Google, I click "Allow" and the window appears and nothing happens. In T-bird I have used "advanced settings" to force account creation and have set it up to not check mail unless I "get mail". Clicking on the "Get mail" launches me into this dead end, where the window in Thunderbird is obviously connected to the Gmail server, and has obviously gotten to the point of telling Google account I want access, but when I hit "Allow" the window disappears and I am right back in the inbox with no mail downloaded.

This time I tried all this with my Firefox browser logged out of the Google account, and it did not matter, same dead-end problem.

Use the account password in the OAuth window when asked to allow TB access, not an app password. Check that POP is enabled in gmail webmail settings. Disable a VPN if you have one.

@sfhowes thanks so much for your help. I did learn about enabling Pop in Gmail, I forgot about that in my new test account. No VPN or virus software running. A person responded on my Gmail forum question: https://support.google.com/mail/thread/153536397 And I changed the account setting from Oauth2 to Normal Password, and dang, the mails came down. I am not sure Gmail will still support app passwords after May 20 2022, when they say they will stop simple password access to third-party apps. That is why I started trying to get emails from a Google account with two-factor authentication (2FA).

I also had an issue with a T-bird error message since it takes so long to do 2FA: "Connection to server pop.gmail.com timed out." So: Thunderbird>Tools>Preferences>General>Config Editor (bottom right way down)>mailnews.tcptimeout = 200 (was 100) I restarted Thunderbird a few times, and this was after today's latest update to 91.6.2 (64-bit)

Oh, I learned about the Error Console at Thunderbird>Tools>Developer Tools>Error Console The image is what I got after trying both the 2FA accounts when Thunderbird still was set to Oauth2 authentication:

I was sending from T-bird and is showed sent, but never appeared at the destination. Turns out I had the outgoing server settings bad, now I can send mail with the same trick- using "Normal Password" and the app password I made in the Google account.

Check again that you have pop.gmail.com on 995 and smtp.gmail.com on port 465, and for both servers SSL/TLS security, OAuth2 authentication, User Name = email address. Cookies must be accepted in TB Preferences. Enter the account password in the OAuth window. If you have the POP account set up on other computers or in other desktop mail apps, you must use 'recent mode'.

@sfhowes, thanks for the advice. I had 995 and SSL/TLS with OAuth2. They only thing I could try was changing my server settings email to recent:xxxx@gmail.com and checking the "Leave messages on server". Same behavior, I get all the way to the Google window in T-bird asking me to allow access, and when I click "Allow" poof, the window disappears, but nothing happens.

My profile is 20 years old, and located on my NAS, so I created a new local C: drive profile just for this. I am using latest T-Bird, 91.6.2 (64-bit). The Gmail account is new, and I have allowed cookies in Thunderbird and allowed POP access in Gmail. I can access the GMail account with "normal password" in Thunderbird and using an app password for mail generated in the Google account. I don't know if Google will support app passwords after May 20 2022. https://support.google.com/accounts/answer/6010255 I am a professional technical writer, and this Google notice is horrible. They say they will turn off "less secure app access" after May 20 2022, but don't say if I can turn it back on. They don't say if they will still support app passwords after May 20. I suspect they will, so I will have to convert my three Gmail accounts to 2FA, and make app passwords for them. That is not a killer, it is what I have done with this test Google account and test T-bird profile. The GMail forum thinks there is something wrong with T-bird, and I do get messages in my T-bird Error Console, see image.

It sounds like you and others can get the OAuth2 login to work in T-bird, so now I suspect maybe the thing to do is a virgin install of a second Thunderbird and see if that gives me 2FA access to Google. I might also try it on a Win10 box, this one is Win7 and staying that way. Thing is, 2FA requires getting text messages on a cell phone I never use, and is a real pain, so I actually prefer the app password method. I just hope it still works after May 20 2022.

Meanwhile, while I was playing with this, it only increased my admiration and understanding of Thunderbird. I am also looking at using MailDir to store mails. That has been a blast, and it seems to work fine, once I managed to get Local Folders set up for MailDir.

What's the antivirus? Some of them can interfere with authentication over secure connections.

https://support.mozilla.org/en-US/questions/1369824

I am not running any antivirus, at least I don't think so, the Win7 security panel says "Currently not monitored," but I did find Windows Defender Real-time protection was set to "on" so I turned that off, and still the same behavior.

I thought it might be my User Account Controls. I remember much hell getting my NAS connected, and messing with UAC. This was in 2016 when I put a SSD drive in the laptop with a virgin install of Win7. I just checked and it is set to "Never Notify".

I will do a reboot and see if things change, and then fire up T-bird on my Win10 box and see if that install will let me do an OAuth2 log-in to my test Google account.

Also, all my worries are much ado about nothing. I re-parsed the Google announcement about turning off less secure access on May 20, 2022. https://support.google.com/accounts/answer/6010255 Hidden under the carat. "If "Less secure app access" is off for your account" is the text, "If 'Less secure app access' is turned off for your account, you can turn it back on. We recommend switching to more secure apps instead."

Oh, so after Google changes my account setting, I can just change it back, and Thunderbird will work the way it always has? Sheesh.

OK, problem solved. I did a virgin install of Thunderbird 91.6.2 (64-bit) on my Win10 box. I not only removed the existing install, I went into App Data and erased the T-bird profiles that were still there. I did not go so far as to delete stuff from the registry. I made a new profile for my two-factor authorization test Google account. I set it up for POP, and made sure the server settings had OAuth2 verification. Like on the Win7 box, doing a "Get messages" on the account opened a window in Thunderbird with my email address as a username. Clicking through this, it then asked for the password. I gave it the Google account password, not the app password I generated in the Google account previously. It came up with the same screen asking me to allow access to the Google account. I hit "Allow" and this time instead of poofing away and nothing, it gave an info screen saying I was hooked up. After that, doing a "Get Messages" did get the messages.

Oh, wait, let's try a send... yeah, the outgoing server being OAuth2 also works, I can send and receive mail. But this is device dependent. So my Win7 install still cannot use OAuth2 2FA to connect. Not sure if this is because my install on that box is so old and convoluted, or if it is inherent in Win7. Even that virgin install in Win10 generates errors in the Error Console. At least it works over there. I will experiment with re-installing T-bird on the Win7 box and see if I can get it working. If so, I will post it here. I did make sure Windows Defender real-time and Windows Firewall were both turned off. My user account controls are set to zero as well. I didn't change any virus or firewall settings on the Win10 box.

In review: On May 20, 2022 Google robots will turn off "Less secure access" to all Google accounts not using two-factor authorization (2FA), called 2-Step Verification by Google, who, like Sun and Microsoft, just have to be different. At that time, you can log into your Google account via the web and just turn it back on. You can also enable 2FA, and then there are two ways to let T-bird or Outlook get your mail: 1) In Google account>Security create an app password for mail. Set T-bird server settings to "Normal Password". Same for outgoing SMTP server. Use the app password, not your Google account password. 2) Use the 2FA native capability in Thunderbird to connect to your Google account. Set T-bird server settings to OAuth2 verification, same for outgoing server. Connecting requires entering your Google account password, and then either receive a text or phone call or use a hardware USB dongle with a verification code. This is "remembered" by T-bird, so you don't have to do it every time.

Interesting security philosophy. My Google account password is longer than the app password that Google generates. So my "insecure access" is actually more secure in that sense. However, Google "knows" the password it generated, so maybe they feel it is more secure, not less. At least I know I can still get my emails after May 20.

OK, April 7 around 7:00PM, and a Thunderbird update 91.8.0 (64-bit) turned on the OAuth2 login for my three Google email accounts. As before, on this Win7 box with an old old Thunderbird profile, the OAuth2 login simply does not work. Changing the Thunderbird account settings for "server" to logon "Normal password" got my mail coming in again. This will only work until May 20, 2022, when Google turns off "insecure access".

What is horrifying, the Google alert that announces they will not let third party apps access Gmail will not be available at all after May 20. Their poorly-worded announcement let me think they were just going to turn everybody off and let those of us that need it turn it back on. So the only way to pop my Gmail into Thunderbird on Win7 with this old profile will be to turn on 2-factor authentication on the Google account, and then create an app password for Thunderbird. I practiced that with a dummy Google account last month so that should be OK. The headache will be when I want to use Google Voice for something, I will have to get a phone call or text to log into my Google account. This is pathetic. My 15-character passwords are so hard to crack, and are different for all my accounts.

I was able to use OAuth2 login for my Win10 box and a much simpler profile. I guess I have a month to try a new profile with-- wait, I can do that now, hang on-- no, even with a near-virgin profile, in Tbird 91.8.0 (64-bit) OAuth simply does not work in Win 7. It gets all the way to the Google page saying Tbird wants to access the Gmail account, and when I click "Allow" it just closes the window and nothing happens. Doing a "Get messages" just puts me back into the OAuth2 loop.

The error console: NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] 6 OAuth2.jsm:171 TypeError: PopupNotifications is undefined LoginManagerPrompter.jsm:776:24 NS_ERROR_XPC_JAVASCRIPT_ERROR_WITH_DETAILS: [JavaScript Error: "PopupNotifications is undefined" {file: "resource://gre/modules/LoginManagerPrompter.jsm" line: 776}]'[JavaScript Error: "PopupNotifications is undefined" {file: "resource://gre/modules/LoginManagerPrompter.jsm" line: 776}]' when calling method: [nsILoginManagerPrompter::promptToSavePassword] LoginManagerParent.jsm:1018 NS_ERROR_NOT_IMPLEMENTED: Component returned failure code: 0x80004001 (NS_ERROR_NOT_IMPLEMENTED) [nsIRequest.name] 11 OAuth2.jsm:171 gloda.index_msg: Exception while attempting to mark message with gloda state afterdb commit Exception { name: "NS_ERROR_ILLEGAL_VALUE", message: "Component returned failure code: 0x80070057 (NS_ERROR_ILLEGAL_VALUE) [nsIMsgDBHdr.getUint32Property]", result: 2147942487, filename: "resource:///modules/gloda/IndexMsg.jsm", lineNumber: 151, columnNumber: 0, data: null, stack: "_commitCallback@resource:///modules/gloda/IndexMsg.jsm:151:33\nhandleCompletion@resource:///modules/gloda/GlodaDatastore.jsm:64:11\n", location: XPCWrappedNative_NoHelper } I