Closed Bug 1740921 Opened 3 years ago Closed 3 years ago

Thunderbird is not recognizing switch to 2FA on Gmail

Categories

(Thunderbird :: Untriaged, defect)

Product:
Thunderbird
Component:
Untriaged
Version:
Thunderbird 91
Platform:
Desktop
Linux
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED INVALID

People

(Reporter: michal.dybczak, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0

Steps to reproduce:

Switched Gmail to 2FA.

Actual results:

Thunderbird shows error: couldn't verify the password.

Once 2FA is disabled, password is again correctly accepted and Gmail works. With 2FA turned on, again the password is not accepted and Gmail is not working.

Expected results:

Thunderbird should recognize the switch to 2FA and trigger the proper Gmail/Google window to authenticate or configure app to work with 2FA.

Additionally, there should be some mail settings to set 2FA for Gmail account or re-trigger authentication window.

Currently, setting 2FA on existing Gmail stops Thunderbird from working with that Gmail account, as if there was no 2FA support in Thunderbird for 2FA.

Additional data:

Thunderbird, version 91.3

Operating System: Manjaro Linux
KDE Plasma Version: 5.23.2
KDE Frameworks Version: 5.87.0
Qt Version: 5.15.2
Kernel Version: 5.14.17-1-MANJARO (64-bit)
Graphics Platform: X11
Processors: 8 × Intel® Core™ i7-6700HQ CPU @ 2.60GHz
Memory: 7.6 GiB of RAM
Graphics Processor: Mesa Intel® HD Graphics 530

Thunderbird compiled with opensuse/ubuntu patch for appmenu in Plasma.

OS: Unspecified → Linux
Hardware: Unspecified → Desktop

It turned out that when I manually set authentication method to QAuth2 for SMPT and IMAP manually, it triggered properly the Gmail authentication window. After following the Google's setup, Thunderbird now correctly syncs with Gmai.

So the issue is that Thunderbird is not recognizing the switch and doesn't offer to switch to OAuth2. There should be some window pop-up:

"Thunderbird has detected that this email account is protected with two-factor authentication (OAuth2). Would you like to update the account's server authentication method to OAuth2?"

The lack of such mechanism makes Thunderbird unfriendly for new technologies and new users, who may not know how to set it up manually.

So you had it previously set to use app password? For 2FA yes you need OAuth2.

Thunderbird isn't told in any way WHY the password is not accepted, so unfortunately we can't do anything about this.

Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → INVALID

OK, so the one thing to do is to publish GOOD articles, how to connect to Gmail with 2FA. All current sites refer to ONLY ONE SITUATION -> A NEW EMAIL ACCOUNT SETUP.

I tried looking for the info and got ZERO HELPFUL INFO. And all it took is to add info what to set after changing to 2FA on Gmail, if you already have previously working account.

This is an example of top results on this query:

https://www.lifewire.com/gmail-access-thunderbird-1173150

Seeing articles like that is super frustrating. I sifted through many sites and got nothing. Only after posting the issue on Manjaro forum, I got on-point help. This isn't a good experience.

https://forum.manjaro.org/t/thunderbird-and-gmail-with-two-factor-authentication/89789/6

Or maybe a single, short article "How to set up an email in Thunderbird with two-factor authentication" or something like that on support pages or whatever tech-news portals (that have better SEO then thunderbird support sites), so it would be findable.

This is really needed.

Thanks

Ah, also UI error could be improved.

Currently, there is just plain info: the password is wrong and gives us a box to input a new password.

Why not add another line:

"Provide a new password or check IMAP and SMTP authentication settings if password is correct but still not accepted."

While in account settings, give info that OAuth2 is used for 2FA.

So all in all, maybe you can't do anything to detect the authentication method, but you can:

  • educate users (documentation, articles)
  • improve UI messages, to guide users to solution auto-discovery.

Please, send this info as feedback to proper persons, to review or brainstorm for improvements on this area.

Thank you

Sorry to post so much, but there is no EDIT button.

To give you background, because it's important:

Google emailed me that on this and this date, YOUR ACCOUNT WILL SWITCH TO 2FA. They didn't give me a choice, they just told me they will do it. So when this day came, my Gmail stopped working in Thunderbird and that started this whole situation.

I learned, that I can turn off 2FA afterwards, which is good, but the may phase out non 2FA eventually. However, the point is, Google will be doing it across other Gmail accounts, so sooner or later ALL GMAIL USERS WILL BE SWITCHED TO 2FA BY GOOGLE. Imagine that all the Thunderbird users who have Gmail will face this issue sooner or later. That is why this topic is significant.

So I urge you to forward this issue to proper people.

Thank you again.

I'm not sure what you're asking. All you need to do to connect to your google account in Thunderbird is open the account wizard (File | New | Existing Mail Account...), enter your email and go. It will request what's needed.

But I'm not talking about new setup. That is the whole point. Existing Gmail/Thunderbird users are being switched to 2FA and the result is password error on Thunderbird part plus no helpful info on the Net, to deal with it.

Asking to delete the entire Gmail account and set it anew, to trigger the wizard, is pointless, especially if the solution is SIMPLE IF YOU KNOW IT. If you don't know it, it becomes a huge problem. OAuth2 -> because this is so "friendly and self-descriptive name"... This is how it is named, we can't change it, but we can make it easier to explain when do you use it.

In the bigger scheme, it's not just Gmail. More and more accounts will require or suggest 2FA. Having this support in the Thunderbird's backed is not enough, because how a casual user will know where and what to set for 2FA? Of course, you can't ensure that it will be clear for everybody, but at least you can improve UI friendliness by self-discovery proper settings. And outside information campaign is also a good thing.

Imagine: Thunderbird pro-tip for more secure accounts!

If your email provider allows for 2FA, enable it and simply change password's authentication method in SMTP and IMAP settings here and here. Voila! See how powerful and secure can be Thunderbird!

So not only you can provide solutions for increasing issue (more and more 2FA email accounts), but you can promote Thunderbird on various sites. Tech authors are constantly on lookup for such simple articles, which would increase their SEO ratings. This is content marketing, good for them, good for you.

Again, if you are not dealing with those kinds of things, forward it to someone who do, but some small UI adjustment would still be a good thing as well.

Thank you

But it's set up by default to use OAuth2, so 2FA. You only get (got!) in trouble because you we're not using the defaults.
My gmail was recently upgraded to 2FA, and I didn't get any problems with the email access through google.

Look, I'm using this Gmail account for OVER 10 YEARS!!! The last I configured it was on a very old Thunderbird version, years from now on.
Also, I always set up Gmail (like most of other accounts) by the automatic mechanism (detect settings), so I got what Thunderbird submitted.

Assuming that all Gmail accounts are fresh and set anew is flawed. There are many users like me, who are using Thunderbird faithfully since years and there was no 2FA in earlier versions. Settings haven't changed automatically on app update, so it doesn't matter if it's a default setting now.

You need to log in before you can comment on or make changes to this bug.