3

I recently implemented PHP code with IMAP for reading mails from a GMail account and further executing some command depending on the mail body. I got this to work after consulting the first answer from this link.

My questions are:

1) What does "allowing access to less secure apps" mean?

2) How do I make it secure?

Community
  • 1
Prathiba
  • 73
  • 5

2 Answers2

1

While there may be other security problems, a big one is that this authentication mechanism bypasses Google's 2-factor authentication. If you go to the https://www.google.com/settings/security/lesssecureapps page to enable Google 2FA while you have 2FA enabled on your Google account, Google displays this message:

This setting is not available for accounts with 2-Step Verification enabled. Such accounts require an application-specific password for less secure apps access. Learn more

This is because there is no way for the client application to accept the 2FA input and pass it to Google.

One of the advantages of protocols such as OpenID Connect is that entire authentication workflow is delegated to the authentication provider. So when an OpenID Connect enabled application wants to authenticate, it calls the authentication provider to display the login page. This allows the login workflow to be more complex than a simple username/password.

Neil Smithline
  • 14,621
  • 4
  • 38
  • 55
0

It's considered less secure because now there is another way for someone to intrude into your Google Account if the application isn't secure(that and it isn't YOU specifically accessing it).

Sadly because you put that script there, then there really isn't a way to make this secure without somehow forwarding the CAPTCHA and answering it every time. The reason for this is now they have no way to prove that the application accessing your account is not a bot, but an actual person. They also have no way of making sure that your application hasn't been hacked, replaced, injected into, intercepted, ETC, ETC. So yes, it is less secure without a CAPTCHA, and you can't make it more secure because it's not you.

EDIT: Now what you're doing isn't BAD, but be for warned this can open you up to possible attacks with people using this SMTP relay to try and brute force your account. As long as you know what you are doing, and the possible dangers of it, it's fine. Just take steps to keep yourself, your business, your other stuff... safe and secure.

Robert Mennell
  • 6,968
  • 1
  • 13
  • 38
  • Doesn't it bypass 2FA also? – Neil Smithline Nov 09 '15 at 21:10
  • Any alternate methods other than PHP/IMAP to access mails? Please don't tell me it can't be done... – Prathiba Nov 09 '15 at 21:32
  • @NeilSmithline a simple catch, but really the 2FA is always in place with gmail, whether it be through an app, key fob, or CAPTCHA. Besically they force you to provide that you're a human, not a bot with a timed code(CAPTCHAs are timed on Gmail) that is very hard/almost impossible for a bot to do reasonably. – Robert Mennell Nov 09 '15 at 21:48
  • @Thiba Honestly as long as the place the script is in is secure, and you're password is really good you don't have to worry (about much). It's just not AS secure. That's the big difference. What you're doing isn't bad per-se, but it's not what google wants you to do. If you really want to do this and keep yourself safe, put these emails into a special account and keep accessing it the same way, just keep the account separate from your personal account or any other sensitive accounts. If the account itself is sensitive, make sure to make it SUPER DUPER SECURE. – Robert Mennell Nov 09 '15 at 21:50
  • This is the first time I'm doing this :D so thank you for the answers. I think I'll encrypt the username and password and decrypt just before accessing, because as far as I understood, that's the max I can do :( – Prathiba Nov 09 '15 at 21:54
  • I'm confused Robert. CAPCHA is for detecting automation while 2fa is for security. – Neil Smithline Nov 09 '15 at 21:58
  • @NeilSmithline https://en.wikipedia.org/wiki/Multi-factor_authentication 2FA.MFA just means that beyond a user name and password, there is something else that is required to log in. A CAPTCHA adheres to this idea as it is something that is attached to the users session and that the user needs to solve. It is something a robot can't solve, so it's considered part of the user, has a timeout, and can be used in place of a password entirely. So it qualifies. – Robert Mennell Nov 09 '15 at 22:58
  • That's not the case Robert. The page you linked to defines 2fa as including more than one of something you know, have, and and are. CAPCHA isn't one of those. And Google defines how it's 2fa works and doesn't mention CAPCHA. – Neil Smithline Nov 10 '15 at 00:01
  • @NeilSmithline so what if I introduced a system that generated a code that can only be parsed by that user, requires timed entry, and is randomly generated for only that users login attempt to enter? Wouldn't that be MFA? Because that's what CAPTCHA systems are. You HAVE a CAPTCHA(for a limited amount of time). They are visual, audible, time delimited MFA codes that are generated. Sounds like MFA to me. At this point however we are arguing semantics. This is a better discussion for a discussion. I've gone ahead and created a chat. – Robert Mennell Nov 10 '15 at 00:26
  • But the question is about [Google authentication](https://www.google.com/landing/2step/) and CAPCHA is not part of their 2fa. – Neil Smithline Nov 10 '15 at 16:24
  • @NeilSmithline I'm pretty sure it's a "Completely Automated Public Test to tell Computer and Humans Apart" and confirming your identity all at the same time. – Robert Mennell Nov 10 '15 at 17:32