[kwlug-disc] Google with TOTP

Khalid Baheyeldin kb at 2bits.com
Sat Jun 18 13:19:11 EDT 2022


Chris, thanks for all the explanations. They are indeed helpful.

The "out on the walk" scenario is not a practical concern for me. My concern was if SMS is used, then the phone itself is a weak link in the security chain, and as I said, I know someone who was the victim of identity theft because someone was able to do a SIM swap on him TWICE.

The other concern is that I sometimes travel to Egypt, where it makes sense to get a local SIM card and a local card for various reasons. The issue is when I do that, I am locked out of my Canadian number and it can't be used for 2FA.

What you said after makes this a non-issue once I have gone past the "SMS as 2nd factor" hurdle.

Back to XOAUTH2. The program that Akkana Peck (Shallow Sky) wrote works well, but after a week, Google returns an HTTP 400 error, forcing you to generate a new token. That is not a practical solution then for getmail running on a server. If it was every, say, six months, then it is not too bad. But every week is painful.

That leaves app passwords as the other practical way for a server application. How often do these need to be refreshed? If it is also a week, then that is a big bummer moment ...

And on the Google account level, you mentioned that TOTP works. I think I will use that as my 2FA for the overall account, since I can run it on Android (FreeOTP+), my laptop (oathtool), and the server (oathtool).