most folks use oAth credentials rather than the rather inconvenient and cumbersome app password route.

I am assuming that the "open a web page with Google login" is an oauth login process, once completed a token is created that Thunderbird and Google use for a very long time. around six months I understand.

Thanks. I need to look into oAth. To put this in context my missus has continual problems with her Gmail account being blocked as suspected unauthorised access. You maybe know what I mean, "Sign-in attempt was blocked. Someone just used your password to try to sign in to your account from a non-Google app.".

Google suggested 2-step and App Passwords as the solution, although they couldn't really explain why the problem kept recurring.

oAth may do the trick, if it only needs to be refreshed every six months or so that might be acceptable. Do you happen to know if it can be made to work with an iPhone as well?

On the otherhand App Passwords is what we use with Office 365 for some customers and it seems to work well enough in that context.

Thanks, Tony S

Authentication Method: OAuth2 This works with Imap accounts.

Cheers. Do I have to specifically tell Thunderbird it's OAuth2, or does it work it out for itself?

If you were creating a new imap gmail account then Thunderbird usually auto creates an imap account set up to use OAuth2.

Suggest you logon to webmail and remove the Two step authentication as you are no longer going to need it.

In Thunderbird If you have an account created already that is not using it, then you have to select it.

• Right click on gmail imap mail account name in Folder Pane and select 'Settings'
• select 'Server Settings'
• Under 'Authentication Method' change to 'OAuth2'

then change the outgoing server info.

• In left pane at the bottom select 'Outgoing server (SMTP)'
• select the name of the gmail server
• click on 'Edit'
• Alter the Authentication Method to say 'OAuth2'
• click on OK

• click on OK

Restart Thunderbird. Gmail will then ask you to logon to confirm you really are you. Logon using normal password.

Gmail will then add a token into Thunderbird, stored in same place as saved passwords. From then onwards gmail will use that token instead of the normal password. You will not need to enter passwords.

Thanks a million. I think it's starting to work now. I just fired up Thunderbird from cold and looked at the account properties, Authentication Method has changed to OAuth2 both under Server Settings and Outgoing SMTP.

Would it be reasonable to conclude that setting 2-step has forced this change, while the process you've described would set it manually?

The setting toad told you to change made the change. It had nothing to do with Google.

BTW you might want to look at your anti virus product. Some offer a VPN service that they will tell you makes everything so much more secure. but VPN's have a habit of masking your location. Very popular with some folks that like to watch US TV shows when they are not in the US etc. Services like google that are looking for weird changes in location end up blocking their users, because they are logging in from all over the world. Australia one minute, the US a minute later etc.

Sorry I maybe wasn't clear. When I checked I found it was already set to OAuth2, I didn't need to make the change. Now I think about it maybe that's Thunderbird's default now for Gmail, because when I setup the account on that installation I selected Gmail specifically.

Just for my research I'll try another installation specifying generic IMAP and see if the App Password works in that context.

To complete the picture I did just that, on a new Thunderbird install I set up the same Gmail account but manually configuring it as a generic IMAP. In that context the App Password works.

The only further think to add is that I'm not sure about the suggestion to remove the 2-step verification. The whole point here is to make sure that nobody can access the account simply by knowing the password.

If you are using 'Authentication Method: OAuth2', then you would not need the app specific password as gmail would use a token it applies and it uses token (a load of numbers and letters like a complicated password) instead of normal password. In this case you need to stop the two step verification.

If using 'Authentication Method: Normal Password' and you have set up to use two step verification, then you would use the app specific password instead of Normal Password. In this case you would need to keep the two step verification.

Sorry to harp on but I still don't see why two step should be disabled when using OAuth2. I can see why from one point of view it's not needed, but if the original point is to prevent access to the account solely by password, then surely it's needed for that reason even if Oauth2 doesn't require it.