"To help keep your account secure, starting May 30, 2022, Google will no longer support the use of third-party apps or devices which ask you to sign in to your Google Account using only your username and password."
What does this have to do with phone numbers, you might ask? Well, it's not that obvious.
I have been using the FairEmail app to read emails on my phone for many years. Recently, Google made this change, so I thought I needed to take some action to make sure I could continue using my favourite email app. After reading a bit, everything looked pretty simple:
- I could add my email account to my phone and log in using Google's native authentication methods, or
- «you can use an app password, please see below.»
Sure, I don't want to add a Google account to my phone just to be able to receive emails via IMAP, so I'll just generate a separate app password for my email app, right?
Well, for some reason it's not possible to generate app passwords unless you have 2FA enabled. The option is just not there.
What can be simpler than adding 2FA to my account? I use password managers and my passwords are super strong, but I have no other choice: I'll have to use an authenticator app to continue reading emails on my phone. It doesn't make much sense, but anyway…
You can't just scan a QR code with a TOTP secret and enable 2FA for your account. Well, you can, but only after you enable 2FA by SMS using your phone number, or 2FA by notification on the phone after you add your Google account to it. Using an authenticator is an «additional method» which is not available until a «primary» 2FA method (SMS / phone number) is added. Oh, and you can give away your phone number first, enable 2FA, and once 2FA is enabled remove the SMS method and keep using the authenticator app as your 2FA method. Simple.
I guess I'll just have to stop using google. Thanks for making my life more difficult and caring about my security, Google.
TL;DR: You can't use «less secure» apps (apps other than the official Gmail app) to sync emails if you don't want to link your account to your phone number or add your Google account to your phone.
Here's a list of things that are wrong with what Google does:
- If you want to read your email, you have to use an app-specific password. I'm OK with that.
- You can't generate app-specific passwords if you don't have 2FA enabled. That's an artificial limitation made to force you into adding a phone number to your account.
- You can't use an authenticator app to enable 2FA. I have no idea why SMS, which is the least secure way to send information, is the primary method, while an authenticator app, which can be set up by scanning a QR code from the screen without sending any information at all, is «secondary» and can only be used after you give up your phone number.
- You can use a «notification» to confirm it's you, but you can only do that on the phone. I'm currently logged in in my browser; surely I could confirm any login attempt from that same browser. Wouldn't that be a second factor?
- Nowhere in the announcements, the help pages or the Google Account interface do they tell you that you can't generate app passwords if you don't have 2FA. The button is just missing, and you wouldn't even know it should be there unless you searched the internet.
- Nowhere do they tell you that the only way to enable 2FA is to link your account to your phone number or to your Android/iPhone device; the options are just not there.
All of this is just bizarre and ugly. I have no idea why other people are not complaining; probably most of them have just accepted it and added their phone numbers.