6.7 When Google and Office 365 Systems Require an App Password

NOTE: The explanations in this and other sections use the general term Username/Password Authentication to refer to the following authentication methods: Google IMAP, Exchange Authentication, GroupWise LDAP, GroupWise SOAP, and Retain Offline Authentication.

When the following conditions are both met, Google and Office 365 require their users to enter an assigned App Password rather than the password associated with their email accounts.

  • Two-Factor Authentication (2FA) is enabled on the Google or Office 365 system, and the system provides it through OpenID Connect.

  • Users authenticate by entering a username and password rather than by clicking the respective Login with Google or Login with Office 365 button.

    In other words, GSuite users authenticate through Google IMAP and Office 365 users through Exchange Authentication, both of which are username/password authentication methods. These methods carry only a username and a password and have no way to complete the second factor, so the back-end system rejects the account password and accepts only an App Password, a separate credential it issues for exactly this purpose.

Example 1

  1. Rather than clicking the Login with Office 365 button in the Retain Login dialog, an Office 365 user enters a username and password.

  2. Because the user’s account has no Authentication Method Restrictions, Retain seeks confirmation from the Office 365 system through the Exchange Authentication method, generally illustrated in Figure 6-1.

  3. If the user enters their assigned App Password, the request succeeds, the App Password is cached for the User Account, and so on as illustrated.

    On the other hand, if the user enters their email account password (or anything other than the App Password), the request fails.

Example 2

A Google back-end email system is configured to provide Two-factor Authentication (2FA) through OpenID Connect.

However, the Retain Administrator has not enabled Retain to support OpenID Connect on the Google system. This leads to the following scenario.

  1. The Login with Google button doesn’t display in the Retain Login dialog.

  2. Therefore, the user must use Username/Password (Google IMAP) authentication to access Retain.

  3. Because the Google system provides 2FA through OpenID Connect, Google IMAP only accepts an assigned App Password.

  4. If the user knows about the App Password requirement and enters that, they can access Retain as illustrated in Figure 6-1.

    On the other hand, if the user enters an incorrect password (including the one they use to access their GSuite account), the request fails.
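Both examples end the same way for the user: the login simply fails. An administrator can find out ahead of time which outcome a mailbox will produce by attempting the same username/password login that Retain would. The following is an added example written for this section; it is not Retain code and not an API of Google or Microsoft. It uses only the Python standard library, and the host names and the server response wording that the classifier matches on are assumptions about what Google IMAP and the Office 365 IMAP endpoint return; confirm them against your own tenant before relying on the classification.

```python
"""Pre-flight check for the username/password path: will a mailbox accept
the credential a user is about to type into the Retain Login dialog?

Example code added to this section; it is not part of Retain. Host names
and the response wording the classifier looks for are assumptions about
what Google IMAP and Office 365 IMAP return; adjust after checking.
"""
import imaplib
import re
from typing import Tuple

# Constructed sample failure texts (not captured from a real server);
# they model the shape of the responses the classifier is written for.
SAMPLE_APP_PASSWORD_REQUIRED = (
    "[ALERT] Application-specific password required: "
    "https://support.google.com/accounts/answer/185833 (Failure)"
)
SAMPLE_BAD_CREDENTIALS = "[AUTHENTICATIONFAILED] Invalid credentials (Failure)"
SAMPLE_BASIC_AUTH_DISABLED = "LOGIN failed."

_PATTERNS = (
    # 2FA is on and the account password was sent: an App Password is needed.
    (re.compile(r"application-specific password|app password", re.I),
     "app_password_required"),
    # Plain wrong password, or an App Password that has been revoked.
    (re.compile(r"AUTHENTICATIONFAILED|invalid credentials", re.I),
     "bad_credentials"),
    # The tenant has switched the username/password protocol off entirely.
    (re.compile(r"LOGIN failed|basic auth", re.I),
     "username_password_disabled"),
)


def classify_login_failure(server_message: str) -> str:
    """Map an IMAP LOGIN failure text to a reason an admin can act on."""
    for pattern, reason in _PATTERNS:
        if pattern.search(server_message):
            return reason
    return "unknown"


def probe_imap_login(host: str, username: str, password: str,
                     port: int = 993) -> Tuple[bool, str]:
    """Try one IMAP LOGIN and return (accepted, reason).

    Performs a real network login with the supplied credential, so run it
    only against accounts you own or administer.
    """
    try:
        conn = imaplib.IMAP4_SSL(host, port)
    except OSError as exc:
        return False, f"connect_failed: {exc}"
    try:
        conn.login(username, password)
        # The credential works over the username/password protocol, so it
        # is what the user must enter in the Retain Login dialog.
        return True, "accepted"
    except imaplib.IMAP4.error as exc:
        # imaplib wraps the server's NO response text in the exception.
        return False, classify_login_failure(str(exc))
    finally:
        try:
            conn.logout()
        except (imaplib.IMAP4.error, OSError):
            pass


def advice(reason: str) -> str:
    """Turn a probe reason into the message to send the user."""
    return {
        "accepted": "This credential works for username/password login.",
        "app_password_required": "2FA is enabled on the account; generate an "
                                 "App Password and enter that instead of the "
                                 "account password.",
        "bad_credentials": "Password rejected; if an App Password was used, "
                           "check that it has not been revoked.",
        "username_password_disabled": "The tenant does not allow "
                                      "username/password login; use the "
                                      "Login with Google / Office 365 button "
                                      "(OpenID Connect) instead.",
    }.get(reason, "Login failed for an unrecognised reason; inspect the raw "
                  "server response.")


if __name__ == "__main__":
    import getpass
    import sys
    mailbox = sys.argv[1] if len(sys.argv) > 1 else input("Mailbox: ")
    # Assumed Google IMAP host; use outlook.office365.com for Office 365.
    ok, why = probe_imap_login("imap.gmail.com", mailbox, getpass.getpass())
    print("accepted" if ok else why, "-", advice(why))
```

Run it once with the account password and once with an App Password for a test mailbox: the first attempt should come back as `app_password_required` on a 2FA-enabled account and the second as `accepted`, which is exactly the difference the examples above describe and that the Retain Login dialog does not surface. The probe sends the supplied password over the legacy protocol, so use a test account rather than asking users for their credentials.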

IMPORTANT: If you want your Office 365 or GSuite users to only authenticate through their respective email services, consider restricting their Authentication Methods to Microsoft OpenID Connect Exclusive or Google OpenID Connect Exclusive as detailed in the Retain 4.10: Configuration and Administration guide.

If you choose not to restrict their authentication methods for whatever reason, they can choose to enter a username and password rather than clicking the appropriate Login button.

As explained in the Examples above, if their back-end systems provide Two-factor Authentication (2FA) through OpenID Connect, they need to enter their assigned App Password rather than the one they normally use. Keep in mind that an App Password is a long-lived static credential that satisfies the back-end system without the second factor, and that Retain caches it for the User Account once it has been accepted (see Example 1), which is a further reason to prefer the Exclusive restriction where you can apply it.

You should inform them of the App Password requirement because the only system feedback they will receive is that the Login attempt failed.