This thread was archived. Please ask a new question if you need help.

Support for GMAIL 2-step verification and App Password

  • 11 replies
  • 1 has this problem
  • 1013 views
  • Last reply by aesmith

Hi, has anyone managed to get Thunderbird to work with a Gmail "App Password"? I've just enabled 2-step verification, generated an App Password for Thunderbird to use, and simply can't get it to work. I've gone into the password manager (Options / Security / Saved Passwords) and edited the password for both inbound and outbound. The Google App Password is a 16-character string displayed in groups of four; I've tried with or without the space between the groups.

All that Thunderbird does is to open a web page with Google login, and that page only accepts the basic Google password, with the 2-factor authentication.

Anyone got this to work and can point out the step I've missed?

Thanks, Tony S

All Replies (11)

Most folks use OAuth credentials rather than the rather inconvenient and cumbersome app password route.

I am assuming that the "open a web page with Google login" is an OAuth login process; once completed, a token is created that Thunderbird and Google use for a very long time, around six months I understand.

Thanks. I need to look into OAuth. To put this in context, my missus has continual problems with her Gmail account being blocked as suspected unauthorised access. You maybe know what I mean: "Sign-in attempt was blocked. Someone just used your password to try to sign in to your account from a non-Google app."

Google suggested 2-step and App Passwords as the solution, although they couldn't really explain why the problem kept recurring.

OAuth may do the trick; if it only needs to be refreshed every six months or so, that might be acceptable. Do you happen to know if it can be made to work with an iPhone as well?

On the other hand, App Passwords is what we use with Office 365 for some customers, and it seems to work well enough in that context.

Thanks, Tony S

Authentication Method: OAuth2. This works with IMAP accounts.

Cheers. Do I have to specifically tell Thunderbird it's OAuth2, or does it work it out for itself?

Chosen Solution

If you were creating a new IMAP Gmail account, then Thunderbird usually auto-creates an IMAP account set up to use OAuth2.

Suggest you log on to webmail and remove the two-step authentication, as you are no longer going to need it.

In Thunderbird, if you have an account created already that is not using it, then you have to select it.

  • Right-click on the Gmail IMAP mail account name in the Folder Pane and select 'Settings'
  • Select 'Server Settings'
  • Under 'Authentication Method' change to 'OAuth2'

Then change the outgoing server info.

  • In the left pane at the bottom select 'Outgoing server (SMTP)'
  • Select the name of the Gmail server
  • Click on 'Edit'
  • Alter the Authentication Method to say 'OAuth2'
  • Click on OK
  • Click on OK

Restart Thunderbird. Gmail will then ask you to log on to confirm you really are you. Log on using normal password.

Gmail will then add a token into Thunderbird, stored in the same place as saved passwords. From then onwards Gmail will use that token instead of the normal password. You will not need to enter passwords.

Thanks a million. I think it's starting to work now. I just fired up Thunderbird from cold and looked at the account properties, Authentication Method has changed to OAuth2 both under Server Settings and Outgoing SMTP.

Would it be reasonable to conclude that setting 2-step has forced this change, while the process you've described would set it manually?

The setting toad told you to change made the change. It had nothing to do with Google.

BTW you might want to look at your antivirus product. Some offer a VPN service that they will tell you makes everything so much more secure, but VPNs have a habit of masking your location. Very popular with some folks that like to watch US TV shows when they are not in the US etc. Services like Google that are looking for weird changes in location end up blocking their users, because they are logging in from all over the world. Australia one minute, the US a minute later etc.

Sorry, I maybe wasn't clear. When I checked I found it was already set to OAuth2; I didn't need to make the change. Now I think about it, maybe that's Thunderbird's default now for Gmail, because when I set up the account on that installation I selected Gmail specifically.

Just for my research I'll try another installation specifying generic IMAP and see if the App Password works in that context.

To complete the picture I did just that, on a new Thunderbird install I set up the same Gmail account but manually configuring it as a generic IMAP. In that context the App Password works.

The only further thing to add is that I'm not sure about the suggestion to remove the 2-step verification. The whole point here is to make sure that nobody can access the account simply by knowing the password.

If you are using 'Authentication Method: OAuth2', then you would not need the app-specific password, as Gmail would use a token it applies, and it uses the token (a load of numbers and letters like a complicated password) instead of the normal password. In this case you need to stop the two-step verification.

If using 'Authentication Method: Normal Password' and you have set up to use two step verification, then you would use the app specific password instead of Normal Password. In this case you would need to keep the two step verification.
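What the two settings compared above put on the wire, as an added example that is not part of the original thread: with 'OAuth2' the client sends a bearer token in Gmail's XOAUTH2 SASL format, while with 'Normal password' it sends the App Password itself. The address, token, App Password and function names are constructed for illustration, and the password case is assumed to use the IMAP LOGIN command (a client may use AUTHENTICATE PLAIN instead).

```python
import base64

# Constructed sample values (not real credentials).
USER = "user@example.com"
TOKEN = "ya29.constructed-access-token"
APP_PASSWORD = "abcd efgh ijkl mnop"  # as displayed: four groups of four


def xoauth2_response(user, access_token):
    """SASL XOAUTH2 initial response: carries the token, never the password."""
    raw = "user=%s\x01auth=Bearer %s\x01\x01" % (user, access_token)
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_xoauth2(b64):
    """Decode an XOAUTH2 response (e.g. from a protocol log) into its fields."""
    fields = {}
    for part in base64.b64decode(b64).decode("utf-8").split("\x01"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def normalise_app_password(displayed):
    """Join the displayed groups into the 16-character string."""
    joined = "".join(displayed.split())
    if len(joined) != 16:
        raise ValueError("expected 16 characters once spaces are removed")
    return joined


def quoted(value):
    """IMAP quoted string: escape backslash and double quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def imap_auth_line(method, user, secret, tag="A1"):
    """First authentication line the client sends (LOGIN assumed for passwords)."""
    if method == "OAuth2":
        return "%s AUTHENTICATE XOAUTH2 %s" % (tag, xoauth2_response(user, secret))
    if method == "Normal password":
        password = normalise_app_password(secret)
        return "%s LOGIN %s %s" % (tag, quoted(user), quoted(password))
    raise ValueError("unknown authentication method: %r" % method)


if __name__ == "__main__":
    print(imap_auth_line("OAuth2", USER, TOKEN))
    print(imap_auth_line("Normal password", USER, APP_PASSWORD))
```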

Sorry to harp on, but I still don't see why two-step should be disabled when using OAuth2. I can see why from one point of view it's not needed, but if the original point is to prevent access to the account solely by password, then surely it's needed for that reason even if OAuth2 doesn't require it.