From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.io!.POSTED.blaine.gmane.org!not-for-mail From: Tim Cross Newsgroups: gmane.emacs.devel Subject: Re: gmail+imap+smtp (oauth2) Date: Fri, 06 May 2022 10:54:44 +1000 Message-ID: <87wnezqxsy.fsf@gmail.com> References: <871qxbdulc.fsf@mat.ucm.es> <877d72nf3h.fsf@gmail.com> <87zgjx9upa.fsf@telefonica.net> <87zgjx5mek.fsf@gmail.com> <87v8ul9tho.fsf@telefonica.net> <87sfpnk66z.fsf@ditto.jhoto.spork.org> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Injection-Info: ciao.gmane.io; posting-host="blaine.gmane.org:116.202.254.214"; logging-data="1682"; mail-complaints-to="usenet@ciao.gmane.io" User-Agent: mu4e 1.7.13; emacs 28.1.50 Cc: rms@gnu.org, =?utf-8?B?w4PCk3NjYXI=?= Fuentes To: "Brian Cully via Emacs development discussions." Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Fri May 06 03:02:21 2022 Return-path: Envelope-to: ged-emacs-devel@m.gmane-mx.org Original-Received: from lists.gnu.org ([209.51.188.17]) by ciao.gmane.io with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1nmmMP-0000Ga-B4 for ged-emacs-devel@m.gmane-mx.org; Fri, 06 May 2022 03:02:21 +0200 Original-Received: from localhost ([::1]:55912 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1nmmMO-0007Cx-3A for ged-emacs-devel@m.gmane-mx.org; Thu, 05 May 2022 21:02:20 -0400 Original-Received: from eggs.gnu.org ([2001:470:142:3::10]:54956) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1nmmLU-0006W5-MT for emacs-devel@gnu.org; Thu, 05 May 2022 21:01:24 -0400 Original-Received: from mail-pl1-x629.google.com ([2607:f8b0:4864:20::629]:40489) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1nmmLS-0005X2-Ul; Thu, 05 May 2022 21:01:24 -0400 Original-Received: by mail-pl1-x629.google.com with SMTP id i1so5946618plg.7; Thu, 05 May 2022 18:01:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=references:user-agent:from:to:cc:subject:date:in-reply-to :message-id:mime-version:content-transfer-encoding; bh=RT9Z0kILz5Sf0NLyBJ7XGW/3TF8M5o/nbsUGa6jxHqg=; b=APhjzHi5kgK3tR7zVpi7AiJnidHkIiwwGY27EYJ/GzmRLRZbPmwohiKwghv1GNLVZo S/si/G5XedSiFwIY+s4oT3Mdk5lhIs5AUvgnOABK2JejnK7BGs98TcjSW2cO5aUnxdvi SWC9kG5eZKTPAqado9e6mXRHprvMKWvS2ARXJyF+FQwygXGuu7DnDSQ05TVIjxuujJMt pQ83KDfE+Nap1Yg153Rbnogn0/7heT0EhYh5QVAof0FR0tTojKPVRHk5Bnht6Hz2QaQo ofMEKQghKtXiZN2FuqqhiYgkB3hSOKtRHsh288K4tLk9dCU5MA89QGTPtgsd9p3ptTUY S7rA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:references:user-agent:from:to:cc:subject:date :in-reply-to:message-id:mime-version:content-transfer-encoding; bh=RT9Z0kILz5Sf0NLyBJ7XGW/3TF8M5o/nbsUGa6jxHqg=; b=wNePuAT9IDxLb72yH3iK4AA69slUc1bPvDv4l5LSxgHd0ZI4hA389KiMjNmJBg7D4Q eRVbymU6zCd8krvJfir5OBI+YxE+ZbQ2vvN7NLnW6/WO6OpPkzqfQ0J4p6wDmCePwGwl RRAIpGbEJIcABqScXuJsP5UrfIdF2AXkkXCynfNf9S60uztKN6mLn6D8U2bKVNRewi0r rteqQFCK+QWfSmbzrxbYavFiLLN2mMkEdC6AtVrLXxa4CM1SgSyj7DL3GAvUdKTnEqXb b3/Ww266fU6VEn/CUVxMQqW6A9LYnCiWlgh3C3wD3F/HMDBGx9Bht9VS9asfntzLrPn8 4EVQ== X-Gm-Message-State: AOAM533NjrKesLpXCZLPiwLpPP1GEkhz6PFWdfsko+QrDslTDRS3LaCC 0SNq0GrA3WP6mp1hefe+jNU= X-Google-Smtp-Source: ABdhPJxxxp7NvDbCiFXlNsptqyKgmczl3uFyuoxdgca8KA+gaWnFpfggkutnCybZcrhQYq9PR9FWVQ== X-Received: by 2002:a17:90b:4b91:b0:1dc:3149:1749 with SMTP id lr17-20020a17090b4b9100b001dc31491749mr9411455pjb.46.1651798881163; Thu, 05 May 2022 18:01:21 -0700 (PDT) Original-Received: from dingbat (220-235-29-41.dyn.iinet.net.au. [220.235.29.41]) by smtp.gmail.com with ESMTPSA id q11-20020a63cc4b000000b003c511f54e55sm1985381pgi.28.2022.05.05.18.01.19 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 05 May 2022 18:01:20 -0700 (PDT) In-reply-to: <87sfpnk66z.fsf@ditto.jhoto.spork.org> Received-SPF: pass client-ip=2607:f8b0:4864:20::629; envelope-from=theophilusx@gmail.com; helo=mail-pl1-x629.google.com X-Spam_score_int: -20 X-Spam_score: -2.1 X-Spam_bar: -- X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane-mx.org@gnu.org Original-Sender: "Emacs-devel" Xref: news.gmane.io gmane.emacs.devel:289292 Archived-At: Brian Cully via "Emacs development discussions." writ= es: > Richard Stallman writes: > >> Does it have to be _your_ phone number, or can it be any phone >> that you can answer at the time of creating the app password? >> Will Google ever phone you again on the same number? >> >> Another question is, does setting up the app password require >> a computer running nonfree software? (For instance, a mobile phone.) >> Can you do this with a landline? > > It does not have to be your phone number, no. They will send an SMS to wh= atever > number you choose (so long as its not on a blacklist somewhere). You do n= ot need > to run non-free software, presuming you can receive SMS with non-free sof= tware > (there are services for such things). > > However, you have the choice of using TOTP for 2FA[1], in which case you = can use > any number of free applications to generate codes for you. If you use SMS= as > your 2FA, Google will send messages to you periodically as you attempt to= log in > to services (though only with your main password - not app passwords). On= ce > converted to TOTP, though, I do not believe Google will ever try to conta= ct you > again. I have set up Google accounts using burner numbers and converted t= hem to > TOTP without any issue over the years. However, there=E2=80=99s obviously= no guarantee > that Google will continue to allow this in the future. > > -bjc > > [1] There may be restrictions I=E2=80=99m not aware of when using TOTP, a= s I=E2=80=99d set mine > up a long time ago. You may, for instance, need to be able to receive SMS= in > order to do the initial TOTP setup. You definitely need to use SMS to do = initial > account setup. The SMS workflow is not Google's preferred 2FA. When Google first rolled out 2FA, SMS based codes were widely used and it was one of the techniques recommended by NIST. However, due to issues with number spoofing and social engineering of Telco service desks to redirect numbers etc, NIST now recommends against SMS based 2FA.=20 I'm not sure about whehter you still require SMS in initial account setup for Google. It has been too long since I moved my 2FA to use non-SMS based techniques. I do notice that when I do login to google from a new device/browser, the SMS option is still shown as one option, but it is not the default/preferred option, only a fallback one.=20 I do still wonder though - if your so concerned about privacy and google having your phone number, how you can be comfortable with them having your email data?=20