Protocols behind "Access for Less Secure Apps" in Gmail Account Settings

hi EE experts

i just posted a new question here looking for a solution for Mavericks' Messages to access Google Talk using "use modern security standards".

basically this is an issue related to the "access for less secure apps" option in Gmail's account settings, which prevents the Messages app on OS X from signing on Google Talk. below is Google's explanation about the option.

Allowing less secure apps to access your account
https://support.google.com/accounts/answer/6010255?hl=en-GB

i am curious about the actual protocols used for the "modern security standards" and "less secure apps". could some EE experts provide more details about this?

thanks heaps
bbao
bbao, IT Consultant, Asked:
Dave Baldwin, Fixer of Problems, Commented:
This article says Thunderbird will be Ok on the next release: https://support.mozilla.org/en-US/kb/thunderbird-and-gmail  This article http://googlesystem.blogspot.com/2014/07/more-secure-gmail-authentication.html says that "All Google products use OAuth 2.0".  And here's the site for OAuth 2.0: http://oauth.net/2/
0

bbao, IT Consultant, Author Commented:
thanks for sharing the useful links.

i tried this google search and found only a few unique results returned, and most of them marked "missing: oauth". does it mean so far Apple is not natively OAuth-ready for OS X?
0
Dave Baldwin, Fixer of Problems, Commented:
The only Apple items on the OAuth page were Objective C

    Cocoa
    iPhone and iPad
    iOS and Mac OS X (draft 10)

It is not clear what Apple is doing with or about OAuth.
0
bbao, IT Consultant, Author Commented:
> Objective C

    Cocoa
    iPhone and iPad
    iOS and Mac OS X (draft 10)

i believe the above was from here, and the links all go to GitHub, which is a 3rd-party not Apple.

a bit confused. i believe the fact is that the built-in Mail app on iOS 7 and higher has NO problem accessing Gmail without allowing Access for Less Secure Apps (not sure for Google Talk though), otherwise the complaints would sink Apple in an instant. do you think that means Apple already supports the protocol?

or, the protocol behind Gmail and Google Talk authentication is NOT OAuth?
0
Dave Baldwin, Fixer of Problems, Commented:
Apple ignores that which they do not like.  I don't know about the rest of it.  I do know that Gmail refused a connection from a mail program on my computer with that message about "less secure apps".
0
bbao, IT Consultant, Author Commented:
>  I do know that Gmail refused a connection from a mail program on my computer with that message about "less secure apps".

me too, and for Messages on Google Talk.  :)
0
serialband Commented:
If you're on an older OS X, you should probably upgrade to Yosemite.  There's quite a few security vulnerabilities that have been patched in the newer Yosemite.  Unless you're on older Intel Core Solo or PowerPC CPUs, you should be able to upgrade.

If you have specific software that can only work on one of the intermediate Lion, Mountain Lion or Mavericks, I suggest you update and put the older version in a VM, but remove any direct internet access to that VM.  You can install a separate partition and install OS X on it too.  Otherwise, you should mitigate your risks by not using Safari, Messages, Mail, or other internet connected Apple specific Apps and go to 3rd party Apps that do get patched.

Here are some suggestions:
Safari --> Chrome, Firefox, Opera, etc.
Mail --> Thunderbird, Outlook
Messages --> Adium, Pidgin, Colloquy, etc.
0
bbao, IT Consultant, Author Commented:
>  If you're on an older OS X, you should probably upgrade to Yosemite.

do you mean this is not an issue for Yosemite? i actually called Apple Support and a senior technician there confirmed he had the same issue with his Messages. forgot to ask whether it was on Mavericks or Yosemite...
0
serialband Commented:
I just tried with Yosemite's (10.10.3) Messages with my Google account and it signed me in without issues or complaints.  I also sent a test message to another Google account and it worked just fine.
0
bbao, IT Consultant, Author Commented:
> I just tried with Yosemite's (10.10.3) Messages with my Google account and it signed me in without issues or complaints.

thanks heaps for your test. could you please confirm if all your Google accounts are set to "access for less secure apps" blocked, not allowed?
0
serialband Commented:
I've never changed my security settings, but I just took a look and it seems to be set to on.  I've toggled it off to make sure.  I deleted the accounts from Messages last time after my test.  Since their page specifically mentions Thunderbird as one of the programs that don't work with Less Secure Access blocked, I tested it and it does indeed block Thunderbird.  Messages works.

I toggled it back on so that I could test mail in Thunderbird and got an automated email saying it's toggled on and I added my Google Talk account to Messages and it still works, so both settings work for Google Talk in Messages in Yosemite 10.10.3

So it's definitely not an issue for Messages in Yosemite 10.10.3.
0
bbao, IT Consultant, Author Commented:
thanks heaps again for your time and effort.

it seems Yosemite has been designed to use the "modern security standards" (in Google's wording) though their Apple Care support guys were not aware of this. i actually called Apple seeking their official help and one of their senior guys confirmed he produced the SAME issue at their side but had no solution. i forgot to clarify which OS he used for the test. probably on Mavericks too?
what the hell are those "modern security standards"? also what the hell are those less "modern security standards" used for access to less secure apps? i just want to determine the particular protocols behind the scenes.
so basically does it mean there is NO hope for Messages if i do keep using Mavericks? i guess Mavericks is already on their roadmap to die once something post-Yosemite is available...
0
serialband Commented:
Planned Obsolescence
0
bbao, IT Consultant, Author Commented:
> Planned Obsolescence

yeah, according to the experience on Apple.

> what the hell are those "modern security standards"? also what the hell are those less "modern security standards" used for access to less secure apps? i just want to determine the particular protocols behind the scenes.

again, any comments and suggestions on this, the key of the question? :-)
0
serialband Commented:
I think DaveBaldwin answered that in the very first reply.  They use OAuth2.0.  I'll relink it here: http://oauth.net/2/

After reading through their about page (http://oauth.net/articles/authentication/), it seems to me that it allows better tracking for them and it's not necessarily just about security.  For many regular users it may be more secure, since they use insecure passwords in the first place.  Those of us that use longer complex passwords are less vulnerable now, but we'll need something more secure in the future too.

OAuth 2.0 uses a token that gets saved to your computer, so Google doesn't have to keep verifying your 2nd factor authentication when you travel.  If you travel, Google will prompt you and complain that you're logging in from a different locale than your usual locale.  You'll have to provide some secondary authentication, and they usually use your cell phone for that.  It's quite obnoxious, but necessary for all those people that regularly create weak, easy to crack passwords.  It reduces the likelihood that their account is stolen by some remote person, but it does not preclude an attack by someone within the same locale as you, unless you always require that 2nd authentication factor.
0
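Added example, not part of the thread: what the two kinds of sign-in look like on the wire for a mail client such as Thunderbird. It assumes "less secure" means the client sends the account password (SASL PLAIN, RFC 4616) and "modern" means an OAuth 2.0 bearer token sent with Google's XOAUTH2 SASL mechanism; the thread itself names only OAuth 2.0. The account, password and token are constructed sample values.

```python
import base64

def build_plain(user, password):
    """SASL PLAIN (RFC 4616): authzid NUL authcid NUL password, base64-encoded."""
    return base64.b64encode(f"\x00{user}\x00{password}".encode()).decode()

def build_xoauth2(user, access_token):
    """Google XOAUTH2: 'user=' user ^A 'auth=Bearer ' token ^A ^A, base64-encoded."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

def classify(auth_line):
    """Classify an IMAP 'tag AUTHENTICATE mech b64' or SMTP 'AUTH mech b64' line.

    Returns the mechanism, the account name and the kind of secret sent.
    The secret itself is never returned, so the result is safe to log.
    """
    parts = auth_line.split()
    verbs = [i for i, p in enumerate(parts) if p.upper() in ("AUTH", "AUTHENTICATE")]
    if not verbs or len(parts) < verbs[0] + 3:
        raise ValueError("not a SASL command with an initial response")
    mech = parts[verbs[0] + 1].upper()
    payload = base64.b64decode(parts[verbs[0] + 2], validate=True).decode()
    result = {"mechanism": mech, "user": None, "credential": "unknown"}
    if mech == "PLAIN":
        # The reusable account password travels in every login.
        fields = payload.split("\x00")
        if len(fields) == 3:
            result.update(user=fields[1], credential="account_password")
    elif mech == "XOAUTH2":
        # Only a short-lived, revocable token travels; the password never does.
        kv = dict(f.split("=", 1) for f in payload.split("\x01") if "=" in f)
        if kv.get("auth", "").startswith("Bearer "):
            result.update(user=kv.get("user"), credential="oauth2_bearer_token")
    return result

# Constructed sample commands (fake account, password and token).
SAMPLES = [
    "a1 AUTHENTICATE PLAIN " + build_plain("alice@example.com", "correct-horse"),
    "AUTH XOAUTH2 " + build_xoauth2("alice@example.com", "ya29.EXAMPLE-TOKEN"),
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line))
```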