Using Google's "two factor authentication"

Paul Hinze paul.t.hinze at
Sat Apr 7 22:14:40 BST 2012

Ђорђе Тодоровић-- <postmanmiler at> on 2012-04-06 at 18:31:
> BTW, what is the purpose of having a "two factor auth" if the attacker only
> needs to get my offlineimap password?

You're right, I think the implementation of "authorized application"
passwords does increase your surface area for attack. The ideal would be
if all applications that need access to your Google account could also
implement the ability to accept the second factor of authentication.
The password generation strategy that Google provides is really a
work-around for apps that don't support two-factor auth.

That being said - the application-specific passwords are definitely
better than just peppering your primary Google account credentials
everywhere.  The passwords you generate can be individually revoked at
any time, and the application passwords never allow access to log in to
Google proper, only IMAP/CalDAV/XMPP/etc. connections.  So I think the idea
is that you can rotate the application-specific passwords as often as
you feel is necessary to protect your security.


More information about the OfflineIMAP-project mailing list