[Imap-protocol] Seeking clarity on Gmail "Access for less secure apps" setting for non XOAuth2 access

Brandon Long blong at google.com
Fri Sep 26 09:09:58 PDT 2014

Anything that uses the user's password is generally considered 'less

Basically, with the high prevalence of password reuse and
compromise/exfiltration/phishing/malware/etc, passwords are no longer a
sufficient method of proving account ownership. On the web, with a Turing
machine available to us and a number of signals and the fact that the user
is actually sitting physical in front of a computer, we can mostly ensure
auth, but for IMAP which may be from a service or proxy and the prevalence
of smart phones which both travel and are often NAT'd across the country,
things are much more complicated.

So, yes, please use xoauth2 or the oauth-bearer when its available (we're
just waiting on the rfc to be published at this point).

And as good a time as any to remind folks that xoauth has been deprecated
for a while now and will cease to work next year. Migrate your users now.

XOAuth2 should be supported as long as oauth-bearer since its has only
minor differences being based on an earlier draft, the tokens are all the

On Sep 26, 2014 5:36 AM, "Rick Sanders" <rfs9999 at earthlink.net> wrote:

> Hi,


> With Gmail is XOAUTH2 the only login method that is not considered "less

> secure"?


> For some reason I got the impression that AUTHENTICATE PLAIN was not

> considered "less secure".


> Thanks

> -Rick



> --

> Rick Sanders

> rfs9999 at earthlink.net

> IMAP Tools http://www.athensfbc.com/imap-tools


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman13.u.washington.edu/pipermail/imap-protocol/attachments/20140926/d887bfe2/attachment.html>

More information about the Imap-protocol mailing list