Cannot login with U2F on google on one account, others work, web login works on both
I can't login on one email address to my gmail via thunderbird because the key seems to be unrecognized whereas when I log in to the same account using web browser it works effortlessly. Moreover installing a new instance of thunderbird or disabling Kaspersky Internet Security doesn't work either.
I can still login to the previously made google accounts via thunderbird on fresh install though I cannot do the same for the email in question.
Any hints?
The image I shared shows that the key is unrecognized by the website although it is. It is displayed for each of the 3 keys added to this account. On the website all of them work, as well as for other email accounts on gmail via thunderbird.
All Replies (17)
re: "or disabling Kaspersky Internet Security doesn't work either." Best way to test is to restart computer in 'Safe Mode with Networking'. You will need to use ethernet cable between computer and router. Then start Thunderbird.
Was the problem gmail email address/mail account added to Thunderbird some time ago? Are passwords stored for all the gmail mail accounts?
- Menu app icon > Preferences > Privacy & security
- Under 'Passwords'
- Click on 'Saved Passwords'
- Click on 'Show Passwords'
Do you see the problem gmail account in the list? If yes, right click on each relevant line and select 'Edit password'. Completely clear the contents and carefully enter the correct app specific password. Click on Close.
Restart Thunderbird.
Is there any particular reason you are using the 2 step verification with app specific password?
The method gmail prefers is OAuth2. Are you aware that Thunderbird is an up to date secure app and it offers 'Authentication Method: OAuth2' for both POP and IMAP gmail mail accounts? That means it does not need to use 2 step/app password.
Is there a difference between the gmail accounts? Does it work ok on gmail POP mail accounts but not on a gmail Imap account?
Toad-Hall said
Is there a difference between the gmail accounts ? Does it work ok on gmail POP mail accounts but not on a gmail Imap account ?
All of the accounts have IMAP/POP turned off in the settings of gmail and work fine, enabling it doesn't help to resolve it.
I have no app specific passwords I just have email and password for my google account and the security key is not recognized. Please kindly read about U2F standard to understand the issue.
Removing the saved password doesn't work; as mentioned one sentence above, the password and email are correct. The second factor on THUNDERBIRD specifically causes the issue, because the email is recognized and the password triggers the need for the security key, but the security key itself is not recognized, whereas in a web browser it IS recognized.
Moreover I use google advanced protection, disabling it and setting the security key doesn't solve the issue. I can log in to the account using thunderbird only when providing TOTP from the app without Advanced Protection nor security key, turning on Advanced Protection logs you off all devices.
I could use TOTP or no 2fa at all but that's not what's intended when I have the security keys and I can log in to other accounts with ease on the freshly installed thunderbird on VM but not for two other specific accounts...
Google prefer the use of Oauth in mail clients. So expect issues while they quietly encourage folk to comply.
Em, but Thunderbird uses OAuth2; whose fault is it?
re: "All of the accounts have IMAP/POP turned off in the settings of gmail"
If you want to access via IMAP for that particular email address using an email client then in gmail webmail account > Settings > Forwarding Pop/Imap: You must switch Imap ON or gmail will not allow imap connection.
General Info as others may view this question. If using U2F then you need to switch on 2 step verification in gmail.
I've done some digging and located:
new FIDO U2F support. So it should work.
In Bugzilla located:
Check:
- Menu app icon > Preferences > General
- Scroll to bottom OR use the search for 'Config Editor'
- Click on 'Config Editor'
- In top search type: u2f
- security.webauthn.u2f = true
You mention 2 other gmail accounts work using U2F - I presume. Q: Are they both set up using 'Authentication Method: Normal Password' OR 'OAuth2'?
When you try to set up new mail account with gmail, Thunderbird automatically looks for Imap using Authentication Method: OAuth2. So gmail is expecting the normal password entered and it sets up OAuth token stored in Thunderbird.
But if using 2fv with app generated password then you would set 'Authentication Method: Normal Password'. This time gmail expects the app generated password to be entered and not the normal password, so OAuth is not set up as it's using alternative.
In your case, gmail is expecting the U2F passcode - so suggest you try:
- After entering name, email address and password, click on 'Configure Manually' (not 'Continue').
- Enter all correct server settings and set 'Authentication Method' to 'Normal Password' for both incoming and outgoing smtp.
- Then use the Retest.
Did this work ?
Well, this is the screenshot for the account on which I can login. It uses U2F Yubikey keys (3 registered, the same as on the account I have no access to). It has advanced protection set up and IMAP turned off, and it works?? I even tried logging in through a virtual machine on a freshly installed thunderbird and it let me in. So I hardly presume that imap setting is even working in any kind of matter on this subject. The method is also OAuth2, not normal password, and was set up with automatic configuration.
I can't set normal password when in advanced protection, which forces the use of u2f as a security key. Only OAuth2 passes. Moreover, even after turning on IMAP the same issue happens: the key can't be verified.
It's not the problem with the connection. It's the problem with thunderbird not being able to verify my security key whereas a web browser or the phone can.
App generated passwords and less secure apps are turned off by default due to Advanced Protection, so I don't know why you still pinpoint this idea when it's clearly disabled.
https://landing.google.com/advancedprotection/
https://support.google.com/accounts/answer/7539956?hl=en
And as you can see above, Mozilla Thunderbird should be accepted without additional configuration, and it was on older accounts.
The issue looks like this.
Modified by znaczki654 on
Well, I would say get rid of the usb key with the certificate and try it the normal way using oauth. My guess is your certificate is not acceptable. Sha1 for certificates has recently been disallowed, for instance. But trying without any fancy stuff that is in all honesty probably used by very very few is the first step in any diagnostic process.
It's not a usb key with the certificate but a security key using FIDO alliance's approved method of authentication.
If you want a step by step reproduce I can confirm this one will work:
1. Setup brand new email on Mobile Phone Gmail app (important: use gmail on mobile)
2. Omit phone registration
3. Set Advanced Protection bypassing initializing 2fa at first
4. Don't add email/phone
5. Set 2 keys (mine were Yubikey 5 NANO as main and Yubikey 5 NFC as a backup)
Results: It works in browser/mobile, doesn't work in thunderbird
Expected: Authentication works everywhere as it is a standard.
You can:
- Turn on / off IMAP
- Add additional email
- Disable advanced protection and leave 2fa with security keys
The keys won't work either on thunderbird.
I suggest you try filing a bug. If one does not already exist.
Expected: Authentication works everywhere as it is a standard.
There are lots of standards not implemented in a lot of software. That is not a reasonable expectation in the real world.
It was implemented and works most of the time.
Ok I know when it works and when it doesn't.
Google previously had a way of implementing security keys without requiring a pin code. Now that it requires the pin code, the security key is not recognizable by Thunderbird for some reason. It is the same way Facebook implemented it. Requiring a pin would suggest they want to move to FIDO2 soon, which Thunderbird might not support. After an update of thunderbird the problem persisted.
On the account where login in thunderbird worked, I've tried these steps and it reproduced the issue:
1. Go to the security page
2. Unregister one key
3. Re-register it, type pin code
4. Try to login with the re-registered key (the one which had pin required) - failed - unrecognized security key
5. Try to login with the previously registered key (the one which didn't require pin at that time) - success - recognized key
6. The panel with allowing the access for thunderbird appears
Clearly it shows that Thunderbird has issues with a new way of authentication implemented by Google.
Modified by znaczki654 on
Moreover option for u2f is turned on, but I think they might be using FIDO2 standard therefore it is not compatible??