Apologies in advance for a baby-level question.
Yesterday Apple Mail on my iMac put an incoming email into the Junk folder. It seemed to be from an acquaintance, and I did check the header, but then very stupidly replied to it. (It was late in the evening…!). How worried should I be?
It’s a Gmail account and I guess for safety I should change the password. I can see how to do that in Gmail but the Apple Mail account shows only the address, not the password, so how would I update that? I really don’t want to lock myself out!
Apologies in advance for a baby-level question.
If you have 2-factor authentication turned on for your Gmail account, you probably don’t have anything to worry about. If not, I would log onto Gmail using a web browser and turn on 2FA. Then an attacker who only knows your Gmail password (unlikely in this case, based on your description of the situation) won’t be able to log onto your Google account.
Merely replying to an e-mail won’t give the sender access to your account. When you sent the reply, did you send any sensitive information? Account numbers? Passwords? Social Security numbers?
If you didn’t send any sensitive data, don’t worry about it. You may get more scam/spam mail in response to your reply, but if you just ignore/delete them, you should be fine.
If you did send sensitive information, then you should consider that information compromised. Your response will depend on what you sent.
I didn’t send anything sensitive. Still can’t quite believe I was careless enough to respond at all, but caught off guard, it can happen!
I don’t have 2FA turned on but yes, I’ll follow your advice and do so. Thanks.
How is the second factor delivered? Any option other than SMS? Perhaps most importantly, how does Google 2FA interface with Apple Mail? When Apple Mail tries to access a Gmail account with 2FA enabled, what happens?
Generally you have a choice, but these days Google wants you to install the Gmail app on a mobile device and approve logins with the app. You can also set up an authenticator app, but Google seems to prefer using the mobile app.
It uses OAuth to log in when you set up the account and it never prompts you again. It works perfectly fine.
Rather than writing something myself (and in addtion to @ddmiller’s post), here is some info directly from Google:
Next, when macOS, iOS, or iPadOS Mail sets up an account or encounters the need for 2FA for the first time, it automatically takes you through the 2FA linking process. For Gmail, Mail will use your default web browser to launch a “Sign In With Google” window.
I use the Google Authenticator app to generate and manage my Gmail 2FA codes. I have the Sophos Intercept X iPhone app, which contains a 2FA code function, but I’ve been too lazy to try its authenticator out.
How do you know when OAuth has been set up? Is there somewhere you can see an indication of it?
If you are successfully getting mail, OAuth is set up.
On iOS, iPadOS, and MacOS (and I suspect visionOS) when you set up a new internet account one of the options is “Google”. Choosing that walks you through a log in to your Gmail account and sets up the OAuth token that apps like mail, calendar, and contacts (and notes IIRC) can use to communicate with your Gmail account.
In the macOS mail app, if you open settings and go to the accounts tab and choose the Google account there is a status icon in the “Account Information” tab. It shows a green dot for me and says “online”.
You can configure several choices. In my case, I have:
- Push notification to my Android phone (which is always the default)
- Locally-generated code via Google Authenticator or other similar TOTP code-generation app
- Pre-generated emergency codes. You can generate 10 of these and print them out, for use when other mechanisms aren’t available. I keep these in my wallet (without any identifying information to say what these 6-digit numbers are). Each code can be used exactly once. You can always log on to Google’s web site to delete and re-generate new codes.
There’s nothing to set up. When you try to log in, you will provide your user ID. Then you’ll be presented with a web page (from Google’s server) where you enter your password and if necessary, 2FA code. Then that page will close and your mail app will get a token for all subsequent logins.
Wonderful, thank you both. Since I currently use Apple Mail successfully with Gmail and therefore presumable use OAuth, what is the benefit of 2FA? Is it to keep someone from accessing my Gmail using a browser?
Thank you. If I move forward with 2FA, those will help.
You may already be familiar with some of this but if not, a cornerstone of security, both online and offline, is the use of something you have combined with something you know to stop or to delay intruders and attackers.
A traditional example is the bank vault safe deposit box. It takes the combination of possession of an unlabeled physical key and the knowledge of the location of the bank and which individual box the key opens to gain access to your valuables. A thief who only is able to steal your key or only is able to find out you have a box at your bank can’t do anything with the single “factor”.
For Gmail, 2FA helps protect email accounts from many types of attacks, including your example of an attacker attempting access through a web browser after learning a password. 2FA also adds a layer of protection from phishing, hacking, large scale data breaches, and ransomware attacks on organizations. In all cases, the heightened protection comes from an attacker only having one of the two required authentication factors (most often the password).
The two solve different problems.
OAuth is designed to protect your account from buggy or malicious apps. For instance, suppose you installed a new third-party mail app, and discovered after the fact that it was saving your password in plaintext on their server for some reason (might be the result of stupidity, a bug or malicious - doesn’t matter). That would be very bad - it would force you to change your password and every app using it.
With OAuth, the app never sees your password. Only the Google server (which presumably can be trusted with your Google login credentials) sees it. The apps get an authentication token unrelated to your password, which you can revoke at any time using Google’s web site.
2FA is designed to protect you against someone who gets your password. Without it, anyone who gets this password could just log into your account - even with OAuth.
But with 2FA, they would also need to respond with the correct response to the challenge (e.g. a number from your authenticator app or clicking approval on a pre-authorized device). A would-be thief would need to get this in addition to your password. If a thief steals your phone (and has your passcode), it won’t help, but for the cases where someone on the Internet manages to get it (a more likely scenario), it will work, because that person won’t also have the device that provides the 2FA code.
Just remembered Apple has a built-in authenticator…
Just as an example, if you ever change your Google account password, Google will automatically revoke all OAuth tokens and every device and/or application that is set up to access the account will be required to log in again.
Thank you. I wasn’t clear. I was wondering about the benefit of 2FA for Google Mail if I’m already using OAuth. (And thank you for the info about Gmail.)
Thank you. You write such clear explanations and I appreciate it.
I added that to my reading list. Thank you.
Geez folks, let’s not forget that lots of things end up in Junk that don’t belong there! Maybe it was legit. But as someone said, simply replying should not compromise anything, just invite more junk.
In any case, I’m sure Gmail has instructions for how to change settings in various mail clients, including Apple Mail. And you won’t be locked out because you can always access Gmail directly with a browser.
True, true. If there’s any doubt, I guess the correct response would be NOT to click the Reply button but to create a new message from scratch.
I use Apple Mail and have found to be the Junk preferences to be pretty much worthless. It still insists on junking things despite the sender being in my Contacts, for example.
Apple Mail’s Junk is like a puppy that refuses to be housebroken.