Kitz ADSL Broadband Information
adsl spacer  
Support this site
Home Broadband ISPs Tech Routers Wiki Forum
 
     
   Compare ISP   Rate your ISP
   Glossary   Glossary
 
Please login or register.

Login with username, password and session length
Advanced search  

News:

Author Topic: Google Mail Blocking Logins  (Read 2287 times)

aesmith

  • Reg Member
  • ***
  • Posts: 921
Google Mail Blocking Logins
« on: April 15, 2019, 02:51:14 PM »

Hi,

A family member has an issue with Gmail, where it keeps blocking her applications or devices from connecting to the account. She sometimes gets a message from Google saying that access has been blocked, but it seems like sometimes under her account it lists the access attempts that it's blocked, but sometimes block is just listed as "Suspicious sign-in attempt prevented" with no apparent way of permitting.   Last night her Ipad, Iphone and Thunderbird email client were all locked out as "suspicious", even though they've been in regular use even during that day.  It was quite a business getting that lot unblocked since all normal lines of communications were blocked.

It seems to be triggered by the devices losing Internet connection, for example if the router is rebooted, then when they reconnect Google finds them "suspicious".

Only her personal account is affected.  Mine isn't and neither is the Gmail account she has for an association even though that's on the exact same devices.

Any ideas as to why this keeps happening, and is there any way to tell Google to permit ANY connection that has the correct password?

Thanks, Tony S
Logged

gt94sss2

  • Reg Member
  • ***
  • Posts: 929
Re: Google Mail Blocking Logins
« Reply #1 on: April 15, 2019, 03:20:13 PM »

I wonder if enabling two factor authentication would help reassure Google that the logins were legitimate.
Logged

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 4400
Re: Google Mail Blocking Logins
« Reply #2 on: April 15, 2019, 05:23:45 PM »

I suppose there’s no possibility that her account really has been hacked or phished?

I think for example that an email apparently from Google notifying of suspicious activity would, in itself, quite probably be a phishing scam...

I’d second the suggestion for  two factor authentication, if not already in use.
Logged

aesmith

  • Reg Member
  • ***
  • Posts: 921
Re: Google Mail Blocking Logins
« Reply #3 on: April 15, 2019, 05:54:36 PM »

I suppose there’s no possibility that her account really has been hacked or phished?
The Google account log shows the blocked sign in attempts, and these correspond to her attempts to access her email.  Strangely the devices are just called "Unknown Device" when they're blocked, but then when permitted in they're identified as Iphone, Ipad etc.   IP addresses are correct, I can see she was blocked twice from our home yesterday and on the 11th, and once from another family home last week. 

Quote
I think for example that an email apparently from Google notifying of suspicious activity would, in itself, quite probably be a phishing scam...
The Google emails go to the email account that she has set as a recovery option for her main Gmail, not to the account itself, so as a scam they sender would need to know the identities of those two accounts.  However it's clearly sensible not to follow the link in the email but to log into the account via a web browser instead.

Quote
I’d second the suggestion for  two factor authentication, if not already in use.
How does that work with phone or Ipad, or with any email client for that matter?   I can't see it being very practical if it kicks in every time a mobile device loses then re-establishes network connectivity, or moves from one network to another.  However I've not tried to see what happens.
Logged

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 4400
Re: Google Mail Blocking Logins
« Reply #4 on: April 15, 2019, 06:57:27 PM »

Obviously, with 2SV you can sign in on any browser, verified by a text message.  You configure a list of different phones, including landlines if desired.   Then when trying to log in, you choose which one should receive the message.

Once you have set up 2sv, you can configure “App specific passwords”.  These are strong machine generated passwords, that provide access to restricted parts of the google account, without exchanging text messages. 

For example, I have a script that runs daily on a linux box, backing up my google mail accounts.   To make that work, and allow it to connect without receiving  a text message, I created another app specific password, solely used by the script.  It also means the linux box does not need to “know” my personal google password, so cannot leak it.

For a while I used thunderbird mail on my iMac, and that too had its own password.  If there is ever a concern that an App specific password has been compromised, for example if my linux box had been stolen by burglars, I can revoke that one password without affecting anything else.

Using the native Apple mail app in modern iOS devices you don’t even need App specific passwords.   They are able to validate that the physical device in your hands provides the second verification step, I honestly can’t remember the details.
Logged

aesmith

  • Reg Member
  • ***
  • Posts: 921
Re: Google Mail Blocking Logins
« Reply #5 on: April 16, 2019, 10:58:42 AM »

That's great thanks.  I think what I'll do is set this up for one of my test Gmail accounts and go through it all before doing the same for her.  It also occurred to me that her recovery email isn't too clever as it ends up in the same mailbox.  That would be an easy first step irrespective of the two factor.

Quick question, does the fact that she has two Apple devices using the built-in mail program cause any issues with app specific passwords?   If I remember rightly when I added her second Gmail account onto the phone it automatically appeared on the Ipad as well, so clearly at some level they're seen as the same device.
Logged

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 4400
Re: Google Mail Blocking Logins
« Reply #6 on: April 16, 2019, 12:52:26 PM »

Quick question, does the fact that she has two Apple devices using the built-in mail program cause any issues with app specific passwords?   If I remember rightly when I added her second Gmail account onto the phone it automatically appeared on the Ipad as well, so clearly at some level they're seen as the same device.

I have an iMac, iPhone and iPad, all synced to the same (*see note) gmail accounts.  Each device can see the other's sent/received etc, they can even see one another's 'drafts'.   I don't remember it causing any problems, other than a slight moment of panic when I activated mail on a new iPhone post iOS 8 and realised it no longer needed App specific passwords.  Panic: had I accidentally turned it all off, or worse, had a sinister attacker turned it off?  But no, I did convince myself that I understood it at the time, and concluded all was good.   Unfortunately that knowledge is now filed under "things I have forgotten", and I can't seem to find it anywhere online.    Google have various pages that basically say it "just works" for iOS native Mail without explaining how, I guess we just have to trust them.  For example https://support.google.com/mail/answer/185833?hl=en

Quote
Note: If you have iOS 8.3 or greater on your iPhone or OSX 10.10.3 or greater on your Mac, you will no longer have to use App passwords to use 2-Step Verification when using the Gmail or any Google branded Apps from iTunes. Using the Google option on the native iOS mail client also does not require App passwords.

*Note: Worth confessing the accounts I refer to are actually accounts hosted by Google Apps that I picked up when it was Free (precursor of the rather expensive 'G Suite').  To the best of my knowledge, as far as email is concerned, Google Apps Mail is just a dressing around gmail, allowing me use my own domain names instead of @gmail.com.  I have never tried it with a bog standard @gmail.com account, but I'm pretty sure behaviour is exactly the same as applied to this thread.
Logged

aesmith

  • Reg Member
  • ***
  • Posts: 921
Re: Google Mail Blocking Logins
« Reply #7 on: April 16, 2019, 01:38:18 PM »

Cheers, and you've reminded me that my personal Gmail account is also in fact Google Apps with my own domain (also dating back to when it was free), so that's a difference between my account and hers.    My test account that I will test first is Gmail.
Logged

aesmith

  • Reg Member
  • ***
  • Posts: 921
Re: Google Mail Blocking Logins
« Reply #8 on: September 20, 2019, 03:36:59 PM »

I've only just got around to looking at this, after she had another alert yesterday.  And I must admit I'd forgotten that I'd started this thread. 

So testing with my dummy account the first thing I found is that Thunderbird really doesn't want to let you edit passwords, they're well hidden.  What it really wants to do is connect to Gmail as a browser, let you login and remember the password that you used.   Second thing I found was that even in the well hidden dialogue box to edit email passwords the Google App Password doesn't work, either entered as displayed with spaces between the groups or as a single 16 character string.   On the other hand if I humour it and let it login via the web page, with the two factor verification, it seems to hang onto it's authentication.   It's certainly persistent after starting and stopping Thunderbird quite a few times.

Similar situation really with the Iphone, except in that case it seems simply impossible to edit passwords for email accounts.  They don't appear anywhere.  And again going through that web login and verification it appears to have generated a persistent authorisation of some sort.  I've not tested that after a shutdown yet.

Any comments?   I want to get this fairly bombproof before I inflict it on the missus.  On the other hand it is concerning to keep receiving these alerts implying that "someone" may be trying to login with her password so I don't want to just get in the habit of blindly ignoring those.
Logged

Postal

  • Member
  • **
  • Posts: 31
Re: Google Mail Blocking Logins
« Reply #9 on: September 20, 2019, 04:23:07 PM »

I've only just got around to looking at this, after she had another alert yesterday.  And I must admit I'd forgotten that I'd started this thread. 

So testing with my dummy account the first thing I found is that Thunderbird really doesn't want to let you edit passwords, they're well hidden.  What it really wants to do is connect to Gmail as a browser, let you login and remember the password that you used.   Second thing I found was that even in the well hidden dialogue box to edit email passwords the Google App Password doesn't work, either entered as displayed with spaces between the groups or as a single 16 character string.   On the other hand if I humour it and let it login via the web page, with the two factor verification, it seems to hang onto it's authentication.   It's certainly persistent after starting and stopping Thunderbird quite a few times.

Similar situation really with the Iphone, except in that case it seems simply impossible to edit passwords for email accounts.  They don't appear anywhere.  And again going through that web login and verification it appears to have generated a persistent authorisation of some sort.  I've not tested that after a shutdown yet.

Any comments?   I want to get this fairly bombproof before I inflict it on the missus.  On the other hand it is concerning to keep receiving these alerts implying that "someone" may be trying to login with her password so I don't want to just get in the habit of blindly ignoring those.

If I've understood your problem correctly, have a look at the Mozilla Support Forum (https://support.mozilla.org/en-US/questions/1201406).  There is a conflict between what Google thinks is secure and what Thunderbird thinks is secure.  If you are happy that TBird is OK after reading the link, you need to edit your settings in Google as suggested.  I have been connecting to GMail through Thunderbird with the altered settings ever since the problem first appeared and have had no untoward events.
Logged

sevenlayermuddle

  • Helpful
  • Kitizen
  • *
  • Posts: 4400
Re: Google Mail Blocking Logins
« Reply #10 on: September 20, 2019, 04:30:18 PM »

If I've understood your problem correctly, have a look at the Mozilla Support Forum (https://support.mozilla.org/en-US/questions/1201406).  There is a conflict between what Google thinks is secure and what Thunderbird thinks is secure.  If you are happy that TBird is OK after reading the link, you need to edit your settings in Google as suggested.  I have been connecting to GMail through Thunderbird with the altered settings ever since the problem first appeared and have had no untoward events.

I composed the following before reading Postal’s helpful link, but sending anyway as I don’t think it contradicts (quite the opposite)....

....I used Thunderbird on my Mac Mini for google mail, that worked well with nice and easy App specific passwords (so no 2sv) and I don’t remember it being too difficult.   Unfortunately I stopped using that set up two years ago when I upgraded to a new iMac so, in that time, either Google or Mozilla may have made it more awkward.

iOS mail set up for Google is remarkably painless these days, verging on too good to be true.   It just asks for the main google account password at account setup, then works forever more on that device, with no need for 2sv codes.    Istr reading that Google and Apple had to co-operate in some way to make that work securely, and still can’t remember exactly how it does work.   I do feel a bit uneasy about having ‘lost’ the App specific password control, but despite their many faults I personally think both Google and Apple can be trusted in their judgement of what makes good security.

It is very rare that I login to Google via a browser or any App other than Mail but when I do, I tend to get alerts emails telling me that I have done so (or failed in doing so).
Logged

aesmith

  • Reg Member
  • ***
  • Posts: 921
Re: Google Mail Blocking Logins
« Reply #11 on: September 23, 2019, 08:25:00 AM »

I think I've got to the bottom of it now.  It seems that Thunderbird now defaults to using "Oauth2" authentication instead of stored passwords, if you select Gmail as your email type.  So far as I understand it that means a one-off login with the 2-step verification, then generating some sort of key or token that is used for subsequent connections.  My initial test installation is working that way.

Just now I created a separate Thunderbird install (I love portable apps) and set it up manually as a plain IMAP.   In this case the App Password worked as expected, eventually because there were a few complaints from Thunderbird before it settled down. 

With 2-step verification enabled it appears the "less secure apps" option is no longer available, with the use of App Passwords taking it's place.

See screenshots for the two apparently working configurations.
Logged
 

anything