I informally try to help quite a few Google users with their Google-related issues when I can. Many of these involve Google Account problems of one sort or another.
I’ve frequently written about why it’s so important to use Google’s 2-step verification systems, e.g. in: “Protecting Your Google Account from Personal Catastrophes” — https://lauren.vortex.com/2017/09/07/protecting-your-google-account-from-personal-catastrophes — and various other posts.
I’ve also noted some of the reasons why Google users tell me that they don’t use Google’s 2-step verification, e.g. in: “Google Users Who Want to Use 2-Factor Protections — But Don’t Understand How” — https://lauren.vortex.com/2017/06/10/google-users-who-want-to-use-2-factor-protections-but-dont-understand-how — and related discussions.
Google recently announced that fewer than 1 in 10 Gmail users have 2-factor enabled on their Google accounts — so this is a very serious matter.
Yesterday, I was approached by a long-time reader who told me that he had long been trying — without success — to use 2-factor, had been unable to get assistance from Google in this regard, and wondered if I could help. Perhaps you’ve had the same problem.
This Google user needed to use various non-Google applications via his Google account, and these seemingly would only function when his Google account had 2-factor disabled.
Google actually has a mechanism (that I’ve routinely used myself) for dealing with this — though you may never have heard of it — called “application specific passwords” (aka “App passwords”). Using this system, you can assign secure passwords to these kinds of apps that will work with Google 2-factor enabled.
But this user was unable to access the Google page for setting up these passwords:
https://security.google.com/settings/security/apppasswords
Whenever he tried, he received the obscure error message:
“The setting you are looking for is not available for your account.”
Hmm. Not very helpful. He got this message every time he tried, so he finally gave up on enabling 2-factor at all.
When I looked at this in detail, the solution turned out to be trivially simple, in retrospect. You can’t access the apps passwords page unless 2-factor is already turned on!
He’d been trying to use his apps with 2-factor on and always failed. So he turned 2-factor off. Then he learned about the apps passwords and wanted to set those up — but couldn’t reach the setup page. So he left 2-factor turned off (so that he could continue using his apps).
Chicken and egg!
Now, the fundamental problem here is obvious. That error message should have told him something like:
“You cannot use app passwords unless 2-factor is enabled.”
That would have given him the clue he needed to have immediately fixed this entire situation by himself.
A similar situation exists for G Suite users, who must both have 2-factor enabled and have had their administrator enable “less secure apps” before they can reach the apps password page successfully.
Complicating this a bit more, changes to Google Account parameters don’t always seem to take effect immediately. It appears that there is sometimes a lag before all background systems sync up. So, for example, if you turn 2-factor on and immediately try a test that requires 2-factor, it might not work unless you’ve waited long enough after changing that parameter.
It’s really, really important to enable Google 2-factor. I can’t emphasize this enough. If issues with non-Google apps have been preventing you from using 2-factor up to now, please give it another try as described above. As always, I’m glad to try to assist. Take care, all.
–Lauren–
Hi Lauren,
We worked with Yubico to improve their documentation and interaction. We found some surprising results, but the core issue in acceptability is that people see no benefit. I advocate for positive feedback, because the benefit provided by good security (like good public policy) is usually invisible. “The improvement of usability did not automatically result in improvements in acceptability. Participants continued to express belief in the strength of passwords alone, showing undue faith in their own security acumen. We conclude with compliments to the usability of the 2FA token, and with a warning that even the best designed hardware will not be used if the benefits are not apparent.” https://fc18.ifca.ai/program.html
Thanks — though it’s both depressing and unsurprising.
I now use the Titan Sec-Key & have had 2-step activated for over 30 hours but still get the “The setting you are looking for is not available for your account.” error when attempting to set an app-pass for Thunderbird. Any suggestions?
Assuming that you aren’t using G Suite (where the admin settings issue mentioned in the main post would apply), I’d suggest turning 2sv off, waiting an hour or so (to help make sure changes have propagated), then turning it back on fresh, waiting another hour or so, then trying to set the app passwords. Normally, the only time you should get that “not available” error is when 2sv is not already enabled on the account by the user, or when a G Suite admin doesn’t have user access to 2sv enabled.