Google is pushing 2SV (2-Step Verification, not to be confused with 2FA – they aren’t the same thing!) and starting from November 1, 2021 it will be mandatory for all YouTube Creators who monetize their channel(s) and are part of the YouTube Partner Program (YPP). They are the first group of Google account holders that is affected by this change, and we can expect more in the upcoming years.
What does this mean for 3rd party apps like Microsoft Outlook, Mozilla Thunderbird, other Email clients, Contacts, Calendars, and other 3rd party apps by independent developers? Should you stop using them and switch exclusively to Google products?
First things first: let’s clear up the confusion and get straight with the terminology!
2SV (2-Step Verification / Two Step Verification)
What is 2SV?
2SV is a second layer of security when you sign in (log in) to your account, e.g. a Google Account, Gmail, YouTube, Microsoft Outlook, Amazon AWS, or some other service.
This means that a username (and/or email) and password are no longer enough to complete the login procedure: you must add an additional, independent way of verifying that it is really you who is trying to access a particular service.
The most common example of 2SV is adding your cell phone number so that you receive a secret code via SMS message or automated phone call, which you must enter AFTER you submit your correct username/email and password combination.
This is why it is called “2SV”: it uses two independent connections, devices and apps to verify the true account holder.
What if you do not have a cell phone or you simply do not wish to submit one?
This depends on the company that provides and enforces the 2SV service, but usually you can add a secondary email address as a backup, one that does not belong to the same company / domain. For example: suppose that you have 2SV enabled for your Google / Gmail account, but in order to set it up you must add another email from Microsoft, Yahoo, ProtonMail or whatever 3rd party / independent company email you use. This way, instead of receiving an SMS message on your phone, you will receive a secret code on your secondary email account, which is required to complete the sign-in process and gain access to your account.
What are the benefits of 2SV?
If your original password becomes compromised, the perpetrator still won’t be able to access your account, even if they know your username and password, because a new device must be authorized first using a secret code sent to your phone or other email account!
2SV is required when you sign into your account and try to modify sensitive information, for example, when you try to sign in to your Google account, or change your phone number or recovery email address.
What are the downsides of 2SV?
Apps that do not support 2SV may be left “out of the loop” and locked out. Thankfully, Google provides support (for the time being) for such apps and scenarios, so you can still continue using them.
Another downside is the fact that 2SV is essentially just another secret code / password the user needs to use for verification, and even that second method may be compromised (e.g. your phone gets stolen, access to all your emails becomes compromised at the same time etc.). In such cases 2SV protection is useless, unfortunately.
Users must be aware of the risks involved and be careful where they leave their data and which services and companies they trust, but sometimes things may get out of control (e.g. virus infection, malware attack, phishing etc.), rendering even the best 2SV system ineffective.
2FA (2-Factor Authentication / Two Factor Authentication)
What is 2FA?
2FA differs from 2SV in that instead of receiving another secret code (which is essentially just another password) via another email account or phone (both of which can be compromised as well), you must provide something unique that only you can possess or have – for example, a fingerprint scan, an iris scan, DNA sequence, a secret USB dongle key etc. 2FA authentication is required each time you try to access your account.
What are the benefits and downsides of 2FA?
Even this security method, which is much more secure than 2SV, can be compromised, and you cannot change your fingerprint or iris patterns later.
Iris patterns in our eyes change over time, as new studies confirm, making iris scans an unreliable verification method over long periods of time. The same holds true for fingerprints: damage to our skin and organs can affect this method as well.
USB dongles can become lost, making later verification impossible unless you have another copy. Data can expire or become corrupted, and controllers that act as an interface between flash memory and the communication device (phone, tablet, computer) can become damaged as well, rendering the USB key practically non-functional, and so on.
Still, in terms of security, 2FA is considered more secure than 2SV, because under “normal circumstances” it is generally much harder for an enemy to obtain and copy these factors (though their digital representation is a liability, so it is not impossible).
Google Account Two Step Verification – How To Enable Access To Microsoft Outlook, Mozilla Thunderbird & 3rd Party Email Apps
Assuming that you have already enabled 2SV in your Google Account, you have probably discovered by now that your Outlook, Thunderbird or other email apps stopped working, prompting you to enter a “new” password, even though you did not change it! What can you do to grant access or whitelist those apps in order to keep using them at your home or office?
How To Enable Outlook, Thunderbird and other Email apps to access Google 2SV secured accounts
- Log in to your Google Account at myaccount.google.com
- Go to the Security section
- Scroll to the Signing in to Google section
- Open the App passwords section
- Generate a password for the Email / Contacts / Calendar / Other app you wish to use (be careful to select the proper app device type, otherwise it will not work!)
- Copy the generated code and enter it as a replacement password in that app!
That’s it! Once you generate an app password, you must use that code instead of your regular Google (Gmail) account password in your 3rd party app. This is the way you can grant access to your Outlook, Thunderbird, Email or any other email app.
By now you have probably asked yourself: what is the point of all this? We replaced one password with another one, and now what?
Well, the whole point was to protect your original Google account, remember? This way, if your email app or some other 3rd party service gets compromised, the perpetrator still won’t automatically gain access to your main Google (Gmail) account!
At any given time you can revoke access to specific apps simply by deleting the generated code(s) in the App passwords section.
This method does not always ask for secondary authentication, and once you authorize an app with a special access code (or use native apps from service providers such as Gmail by Google) you won’t be bothered again until you change your data or suspicious activity is detected.
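How a script or mail client uses the generated app password in place of the account password, as an added example that is not part of the original article. It assumes Gmail's IMAP endpoint (imap.gmail.com, port 993), the 16-letter form in which Google displays app passwords, and the hypothetical environment variable names GMAIL_USER and GMAIL_APP_PASSWORD.

```python
import imaplib
import os
import re
import ssl

GMAIL_IMAP_HOST = "imap.gmail.com"  # Gmail IMAP over TLS
GMAIL_IMAP_PORT = 993


def normalize_app_password(raw):
    """Strip the display spaces and check the 16-letter shape (assumed format)."""
    compact = re.sub(r"\s+", "", raw)
    if not re.fullmatch(r"[a-z]{16}", compact):
        # Fail fast so a regular account password is never sent by this client.
        raise ValueError("value does not look like a generated app password")
    return compact


def load_credentials(env=None):
    """Read the address and app password from the environment, not from source."""
    env = os.environ if env is None else env
    user = env.get("GMAIL_USER", "")         # hypothetical variable name
    raw = env.get("GMAIL_APP_PASSWORD", "")  # hypothetical variable name
    if not user or not raw:
        raise RuntimeError("set GMAIL_USER and GMAIL_APP_PASSWORD")
    return user, normalize_app_password(raw)


def check_login(user, app_password, imap_factory=imaplib.IMAP4_SSL):
    """Return (ok, detail); a revoked or mistyped app password gives ok=False."""
    conn = imap_factory(GMAIL_IMAP_HOST, GMAIL_IMAP_PORT,
                        ssl_context=ssl.create_default_context())
    try:
        conn.login(user, app_password)
        return True, "login accepted"
    except imaplib.IMAP4.error as exc:
        return False, str(exc)
    finally:
        conn.logout()


if __name__ == "__main__":
    address, secret = load_credentials()
    print(check_login(address, secret))
```

Once the code is deleted in the App passwords section, `check_login` returns `False` for it while the main account password stays unchanged.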