Question

4
Replies
358
Views
 Aaron Bretz (AaronB29)
BP3 Global Inc

BP3 Global Inc
US
AaronB29 Member since 2018 5 posts
BP3 Global Inc
Posted: July 17, 2018
Last activity: July 23, 2018
Posted: 17 Jul 2018 9:25 EDT
Last activity: 23 Jul 2018 1:45 EDT
Closed
Solved

Configuring Email Account with 2-Factor Auth

I am configuring an email account for an application that I am building. I would like to use an email account within my organization. However, our org has 2-factor auth enabled for our gmail accounts. When I enter the gmail credentials of the email account I want to use (w/2-factor enabled), I am unable to connect to the account. However, I created a dummy gmail account with 2-factor disabled and I am able to connect to the server successfully. How can I configure an email account within my application that requires 2-factor auth?

***Updated by moderator: Lochan to update platform capability***

Case Management Security
Moderation Team has archived post, This thread is closed to future replies. Content and links will no longer be updated. If you have the same/similar Question, please write a new Question.
Posted: 2 years ago
Posted: 19 Jul 2018 6:27 EDT
Thomas Thrien (tquadrat)
PEGA
Sr. Software Solutions Engineer
Pegasystems Inc.
DE

The client that you are using to connect to the mail box must support 2-factor authentication; this mean that it must somehow present you the UI for the second factor.


Obviously this is not possible for an email account that you use in the context of an application. If  the account that you use with an EmailListener would require 2-factor authentication, the second factor (that is usually dynamic) is requested each time the agent would start to retrieve emails and an admin has to pick his mobile, get the text message with the second factor, run to the server machine, connect keyboard and screen, type in the factor ... all before the grace period expires. This every 5 minutes (per node and listener), 24 hours a day, 7 days a week, the whole year on.


Therefore 2FA is not feasible for technical accounts, at least it cannot be implemented that easily, and it would require a special type/media for the second factor, as this has to be sent to the application in a secure way. Text messages or the usual tokens do not work, for obvious reasons.


The usual recommendation for technical accounts is to use really long passwords that are completely random. As no human has to type them, that's normally not a problem - only when some unauthorised staff get access to the location where it is stored.


But the whole thing may change in future ...