Prepare to make security changes to your email accounts by May 30, 2022.
For a long time, automation engineers have sent email alerts and reports from automation applications via a ‘throwaway’ Gmail account. This seemed harmless enough at the time and really useful, but it wasn’t very secure: each application signed in with nothing more than the account's username and password. As email abuse has risen over the years, it's time for the “less secure” party to come to an end.
Does this mean an end to all email alerts? Not at all. You just need to adjust your Google Gmail settings and update to a new application password in each application. Of course, this applies (with different end dates) to most other email providers as well as Google; check with your email provider for details. This blog will focus on Google Gmail.
How to prepare
From a very high level, here is what’s involved.
- Identify all the applications using the current less-secure user/pass email credentials.
- Log into your settings for that Gmail account and turn on two-factor authentication (2FA).
- Generate and use an application-specific password. (Opto 22 strongly recommends using a unique one for each application using that Gmail account).
If you are anything like me, you probably have a bunch of apps you have spun up and forgotten about that are sending you emails at random times of the day, night, and year. The best way I can think of to track them all down and make a list of them is to log into that specific Gmail account and look at your ‘sent’ folder. You may have to do some filtering, searching, and sorting, but it will be well worth the time up front to identify each application using that less-secure email user/password authentication.
Why? Because if you don’t switch to an application password, after May 30th, 2022, any application still using the old user/password login will just silently fail. You won’t get an email from the application saying it can't send the email. You just won’t get the alert or report at all. You can’t know what you're not told.
Example: my smart home
In my case, a sent mail folder audit shows a cornucopia (abundant supply of good things) of devices that are using my main ‘automation’ Gmail account. Security camera movement alerts (DVR), aircraft tracking alerts (Node-RED), high altitude and radiosonde balloon notifications (Docker), garage door left open (SNAP PAC controller), high- and low-temperature alerts from the kitchen refrigeration monitor (MQTT), and many other apps like groov View that have a whole slew of alerts built into each of them. The list is a bit long and scary, but at least I now know all the places I have been getting email notifications from.
Ok, so now that we have a list of all the sources, we can go ahead and change the main email account to use 2FA (two-factor authentication) as per Google's new requirement. Don’t worry, this doesn’t mean you’ll have to enter a code every time an email is sent. The 2FA is just for the initial setup.
If, like me, you have multiple apps sending emails, the next step is to decide whether to use one application-specific password for all apps, or to generate a unique one per application. The big advantage of the second choice is that if one application gets compromised, you only have to revoke and replace that one password; none of the other applications need to be touched. If you only have the one application, then it's a non-issue.
To give you more details on the changeover, our documentation team has prepared a tech note with instructions.
Once each application has been switched to the application password authentication, you should send a test email to be sure that it’s working as expected.
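As an added example (not from the original post or the Opto 22 tech note), here is a small Python script for that test-email step. It assumes Google's standard submission endpoint, smtp.gmail.com on port 587 with STARTTLS, reads the app password from environment variables whose names are my own choice, and returns a result instead of letting a rejected login vanish silently.

```python
import os
import smtplib
import ssl
from email.message import EmailMessage

# Google's documented submission endpoint; STARTTLS on 587 (465 with implicit TLS also works).
GMAIL_HOST = "smtp.gmail.com"
GMAIL_PORT = 587


def build_test_message(sender: str, recipient: str, app_name: str) -> EmailMessage:
    """Build a small, clearly labelled test message for one application."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"[{app_name}] app-password test"
    msg.set_content(
        f"{app_name} is now sending through Gmail with an application-specific "
        "password. If you are reading this, the changeover for this app worked."
    )
    return msg


def send_test_email(sender, app_password, recipient, app_name, smtp_factory=smtplib.SMTP):
    """Send the test message and return a dict so the caller can log the outcome.

    smtp_factory is injectable so the flow can be exercised without a network.
    """
    # Google displays app passwords in groups of four; the spaces are cosmetic.
    password = app_password.replace(" ", "")
    msg = build_test_message(sender, recipient, app_name)
    try:
        with smtp_factory(GMAIL_HOST, GMAIL_PORT, timeout=30) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ssl.create_default_context())
            smtp.login(sender, password)
            smtp.send_message(msg)
        return {"ok": True, "error": None}
    except smtplib.SMTPAuthenticationError as exc:
        # This is what an app still using the old user/password sees after the cutoff.
        # Return it so the app can log or alert rather than fail silently.
        return {"ok": False, "error": f"login rejected: {exc.smtp_code} {exc.smtp_error!r}"}
    except (smtplib.SMTPException, OSError) as exc:
        return {"ok": False, "error": f"SMTP failure: {exc}"}


if __name__ == "__main__":
    # Hypothetical variable names; never hard-code the app password in the application.
    result = send_test_email(
        sender=os.environ["GMAIL_USER"],
        app_password=os.environ["GMAIL_APP_PASSWORD"],
        recipient=os.environ.get("ALERT_TO", os.environ["GMAIL_USER"]),
        app_name="node-red-aircraft-alerts",
    )
    print(result)
```

Run it once per application after swapping in that application's own app password; a 535 "login rejected" result means the credentials in that app still need updating.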
And going forward, with 2FA and a unique application password per application, your email account will be a lot more secure.