
Thunderbird storing Google verification codes?
Hello
I've been setting up Thunderbird on macOS. I was adding a few Gmail accounts. Every account was using 2FA so I had to enter a new verification code each time. When I was adding the 3rd or 4th account and was entering the Google verification code into the form, it suggested one of the codes I had used before. The codes had the same first two numbers, so I guess I know why this form suggested one of the old codes, but where does Thunderbird store these codes? I've deleted search history and cache in Thunderbird and attempted adding another Gmail account, but this time when I was asked for the 2FA code I started with older verification codes and this form remembered all of them. Is there a way to remove them? Where does Thunderbird store these codes?
Thanks for any suggestions
All Replies (3)
Why are you not using oauth authentication with gmail? It is their preferred authentication method for mail clients and involved no challenges once it is set up until google decided the tokens need a refresh. Quite common for those using VPNs and roaming all over the world. For those connecting from the same IP range week after week you might go years without google deciding on a reauthentication.
See https://support.mozilla.org/en-US/kb/password-manager-remember-delete-change-tb
Matt said
why are you not using oauth authentication with gmail?
You didn't understand me correctly. I am using oauth.
I got a new macbook and I was setting up Thunderbird that I've freshly installed on it. Fresh installation of everything... no backups. I had to log in to my gmail accounts and part of it was inputting a verification code which I got by text. When I was entering this code for 2nd, 3rd etc. account I was getting suggestions (dropdown menu) with codes that I have entered before for previous accounts. I was (still am) curious where and why does Thunderbird remember those one time codes?
Re: When I was entering this code for 2nd, 3rd etc. account I was getting suggestions (dropdown menu) with codes that I have entered before for previous accounts.
I was under the impression it was google who were asking for them to be entered. Originally, Authentication Method was 'Normal Password' and you entered a normal password. Then gmail said Authentication Method was 'Normal Password' and you needed to switch on 2FA and use an app generated password instead of Normal Password. This is still an option that's available but why use it when Oauth is now an option. That app specific/generated password is stored in the same location as all passwords and/or oauth tokens.
Gmail then wanted to use Oauth, so Thunderbird adapted. Now, Authentication Method is set up as Oauth2 and the Oauth token is set up and stored by Thunderbird when you state to allow Thunderbird access to the gmail server. Thunderbird then uses the Oauth2 token. But once Oauth was available you could switch off gmail 2FA and not use an app generated password.
But I believe the one time 2SA (2 step verification) is Google adding a second level of security (albeit with a warning that texts may be vulnerable to hacks) and I thought was just asked for by Google for verification that you really are you and you enter that 6 digit code into a Google sign in window. It is not required by Thunderbird itself as it will use the oauth token nor is it stored by Thunderbird.
Google say: Use a verification code from a text message or call. A 6-digit code is sent to a number you’ve previously provided. Codes can be sent in a text message or a voice call, which depends on the setting you chose. To verify it’s you, enter the code on the sign-in screen. Tip: Although any form of 2-Step Verification adds account security, verification codes sent by texts or calls can be vulnerable to phone number-based hacks.