OAuth doesn't provide any device info to mail provider, which limits options if a device is compromised. OAuth authentication is "forced" default.
(Version tag: 140.7.1esr)

  • 4 replies
  • 0 have this problem
  • 51 views
  • Last reply by tjareson

Hi, somehow Thunderbird forced me to use OAuth for CalDAV and CardDAV (v140 on Linux). Unless I've probably missed something, this approach doesn't seem to have considered that people might use more than one device. In the past I had an application password per device with my mail provider. That password covered IMAP, SMTP, CalDAV and CardDAV. The application password I could set with a specific name at my mail provider. If the device was lost, compromised or whatever, I just deleted that one application password at my mail provider; problem solved.

Now a regular Thunderbird setup has the application password for mail and 2 OAuth records per device under "Connected Apps" at my mail provider. But it is not possible to see any more which device the OAuth records belong to, as there is nothing device-specific coming along with these OAuth records, just an IP.

With that perspective, OAuth weakened my security options, as I can only guess which OAuth record I have to delete in an emergency. Did anyone who implemented that with Thunderbird consider that people may have more than one device? Maybe even more than five devices?

That OAuth approach looks unmanageable to me. Is there a way to switch OAuth off in Thunderbird, until it becomes more usable in >1 device setups?

Cheers, Tjareson

Modified by Wayne Mery on

All replies (4)

Here is Microsoft's take on an app password: https://support.microsoft.com/en-au/account-billing/how-to-get-and-use-app-passwords-5896ed9b-4263-e681-128a-a6f2979a7944

Here is Google's approach: https://support.google.com/accounts/answer/185833?hl=en Oh, and Apple have their own ideas: https://support.apple.com/en-au/102654

Each of these articles talks about the password being for an app, not specifically a device. And in most cases spoofing the app in the user-agent string is simple enough that a preschooler could manage it. But that notwithstanding, an app password is not particularly secure, just convenient.

Perhaps read up on the OAuth protocol. See https://oauth.net/2/; there is no need to make assumptions, as an open protocol sponsored by the IETF it is fully documented. You cannot say that about your application passwords.

Instead of asking if you can disable OAuth in Thunderbird, perhaps ask the more pertinent and valid question: can you continue to authenticate with your chosen platform without it? Most of the big providers are in the process of removing app passwords as an option. What authentication Thunderbird uses is driven almost entirely by the methods providers will accept going forward rather than some arbitrary decision made by the Thunderbird developers. Thunderbird supports a simple password, but very few providers will allow connection using that standard any longer.

Actually I didn't plan to become a specialist in what OAuth is doing in detail or not. Of course, if everyone just read everything that is possibly out there, we wouldn't even need forums any more.

Besides that: I really do not care much what Microsoft or any other big company is doing. A lot of their ideas are a good reason that I'm mainly a Linux user.

I just noticed that this app approach is not helping in effectively maintaining more than one or two OAuth records you might have at an email provider with Thunderbird. And whether you can spoof the name of an OAuth record is completely irrelevant here: if I'm not even able to determine which installation of Thunderbird my own currently 11 items in the OAuth list at my mail provider belong to, the possibility that the name of an OAuth record could be spoofed is the least of my concerns.

But thanks for your reply anyway.

> Is there a way to switch OAuth off in Thunderbird, until it becomes more usable in >1 device setups?

OAuth is the preferred choice of your provider, so you can't change the default. But when you add an account to Thunderbird, you can manually change the authentication method in Thunderbird.

Unfortunately it looks like the authentication method in Thunderbird only applies to the mailbox (IMAP in this case) itself. Thunderbird seems to handle CardDAV and CalDAV differently, and on top of that each one reacts differently when setting up an account. When configuring a calendar, Thunderbird at least falls back to the application password after closing the OAuth window three times. With CardDAV, for some reason, it keeps its patronizing OAuth behaviour no matter what. Even eliminating the provider record from OAuth2Providers.sys.mjs, disabling mailnews.auto_config.fetchFromISP.enabled and mailnews.auto_config.guess.enabled, and setting mailnews.auto_config_url to local doesn't change that weird behaviour. (Yes, I've deleted the cache before restarting.)

Does anyone know how to circumvent that in Thunderbird CardDAV? I don't want to have to fall back to add-ons again only because Thunderbird believes it is a good idea to randomly dictate how I have to connect to my mail/CalDAV/CardDAV provider. I get it that probably most users have exactly one laptop or computer and do not even understand the issue here, but in case you have maybe 3-4 or more devices, you should have a look at your mail provider's web GUI screens; you will be surprised by a chaotic, endless list of OAuth records which all look the same, where you would not even see if all of these were created by yourself or are still for devices you do not even have any more, etc.
