Brandon Long blong at
Wed Jun 13 04:36:34 UTC 2018

On Tue, Jun 12, 2018 at 8:32 PM Will Yardley <mutt-dev at>

> On Mon, Jun 11, 2018 at 03:12:45PM -0700, Brandon Long wrote:
> > Gmail supports RFC 7628 for using OAUTH with IMAP, and they really don't
> > like you using password based auth.  You can still enable "less secure
> > apps" and then generate an application specific password, but I figured
> it
> > was time to support it.
> Awesome! Just curious, given the recent thread about 2FA, can this (and
> does this) support 2 factor auth for IMAP as well?

Recent thread?

Generally speaking, OAUTHBEARER is not a two-factor authentication.  When
it comes to Google and GSuite, it doesn't require you to enable "less
secure apps" and it doesn't require an Application Specific Password (ASP)
when you have 2FA enabled on your account.  It works by requiring you to
login to Google (with 2FA if that's enabled), and getting a long lived
"refresh token".  It then exchanges that for a short lived "access token",
which is good for about one hour.  It's also "scoped" in that when you
request the refresh token, you're asking for access to specific resources,
in this case read/write access to your Gmail account.  It's also "scoped"
in the sense that it's tied to a specific application.

Other services may use it differently, for instance you may have a service
where you have to use 2FA to get a computer specific token, and then
exchange that token for an access token.

So, in some sense, it's kind of a more generic, more restricted, more
complicated, application specific password.  It does allow you to access
Google services if your GSuite admin doesn't let you enable "less secure
apps", since those things make it more secure than Google's implementation
of ASPs.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Mutt-dev mailing list