Having NR check email - feasibility and security questions

So I won't pretend this is without security issues.

I have an understanding of it, but not sure I know the exact severity.

I'm wanting to have a script that checks if there are any new emails in/on my account.

Someone?

That will rather depend on who your email provider is.

gooooooooooooooooooooogle.

(yeah, I know)

I know that it used to be possible to read gmail from Node-red, I even wrote a howto in Gmail "Email-in" node no longer working with username&password - #5 by jbudd

The problem is you need to enable 2 factor authorisation on the account, which makes normal use of gmail more complicated.

I haven't looked at the node yet - sorry, busy - but I don't have 2FA on my gmail account.

I think you really should have 2FA enabled, it does make it much less likely that you will be hacked. I don't think it makes it significantly more complicated. It is only when logging on with a new machine or browser that it requires anything extra, typically a message to your phone with a code.

Sending email from node-red is easy enough. I don't know about testing for new mail though.

This wasn't for sending. More just .... monitoring the account, and if new emails come in, I am notified.

Sometimes I get a bit of tunnel vision.

(Reading the other thread, maybe there is 2FA. I have my set of machines all logged in and haven't added any for a long time.)

Easy enough to find out. Log out and back in again.

Done it a few times recently by mistake.
No checking.
Just username and password.
But there again, it was from a known device.

PLEASE get that fixed!! Now!!!

You used to be able to create an application code for accessing your GMail. I assume that is still true? You will need to register as a dev if you haven’t already and check out your dev admin pages. I don’t automate anything on GMail and rarely use it to be honest.

You should also be able to access GMail using standard IMAP features as long as you can work out the initial authentication (as above). And I DO have a fairly complete example of using IMAP from within Node-RED. I use it to process an inbox for a particular email circular where I pick out the HTML details, use HTML requests to obtain additional detail for each entry and store that to a JSON file. A separate flow delivers the data to a web page (via UIBUILDER of course).

By the way, my IMAP example, as it needed to be reasonably complex (IMAP is quite complex), is in a function node using a standard npm IMAP library for node.js.
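To make the "check for new mail over IMAP" idea above concrete, here is an added example that is not from the thread and not the poster's function-node flow. It shows the one exchange such a check actually depends on: the client's `STATUS INBOX (MESSAGES UNSEEN)` command (RFC 3501) and the server's untagged STATUS reply plus tagged completion line, with a small parser that turns the reply into an unseen count and treats a `NO`/`BAD` completion as an error rather than as "zero new mail". The exchange text is constructed sample data; a real flow would read these lines from the IMAP library's socket after authenticating with an app-specific password kept in Node-RED credentials, never the account password in a function node.

```javascript
// Added example: parsing the IMAP STATUS exchange a "new mail?" poll relies on.
// Sample exchange below is constructed, not a capture from Gmail or any real server.
const sampleExchange = [
  'C: a1 STATUS INBOX (MESSAGES UNSEEN)',
  'S: * STATUS INBOX (MESSAGES 42 UNSEEN 3)',
  'S: a1 OK STATUS completed',
];

// Return only the server side of a "C: / S:" annotated exchange, prefixes stripped.
function serverLines(exchange) {
  return exchange.filter(l => l.startsWith('S: ')).map(l => l.slice(3));
}

// Parse an untagged '* STATUS <mailbox> (ATTR n ATTR n ...)' line (RFC 3501 7.2.4).
// Mailbox may be an atom or a quoted string; attribute values are decimal counts.
function parseStatusLine(line) {
  const m = /^\* STATUS (\S+|"[^"]*") \((.*)\)$/.exec(line);
  if (!m) return null;
  const result = { mailbox: m[1] };
  const tokens = m[2].trim().split(/\s+/);
  for (let i = 0; i + 1 < tokens.length; i += 2) {
    result[tokens[i].toUpperCase()] = Number(tokens[i + 1]);
  }
  return result;
}

// Parse a tagged completion line '<tag> OK|NO|BAD <text>'.
function parseTaggedLine(line) {
  const m = /^(\S+) (OK|NO|BAD)\b(.*)$/.exec(line);
  return m ? { tag: m[1], status: m[2], text: m[3].trim() } : null;
}

// Walk the server lines belonging to one tagged command and return the UNSEEN
// count. A NO/BAD completion, or a missing STATUS reply, is an error: a poll
// must never report "no new mail" just because the command failed.
function unseenFromResponse(tag, lines) {
  let status = null;
  for (const line of lines) {
    const s = parseStatusLine(line);
    if (s) status = s;
    const t = parseTaggedLine(line);
    if (t && t.tag === tag) {
      if (t.status !== 'OK') throw new Error(`STATUS rejected: ${t.status} ${t.text}`);
      if (!status || !('UNSEEN' in status)) throw new Error('server sent no UNSEEN count');
      return status.UNSEEN;
    }
  }
  throw new Error(`no tagged completion for ${tag}`);
}

// Stand-alone run: report the unseen count from the constructed exchange.
console.log('unseen:', unseenFromResponse('a1', serverLines(sampleExchange)));
```

In a Node-RED function node the returned count would become `msg.payload` and a downstream switch node would raise the notification when it is greater than the previous poll's value; keeping the previous value in flow context avoids notifying on every poll while mail sits unread.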

Hmm a 5 shriek sentence, you clearly think it's important.

My wallet and phone live in different pockets but muggers have learned to take both.
Indeed some of them only target the phone, thus depriving me of access to any service with 2FA.

You are 100 million times more likely to be cyber attacked than mugged. (Urm, OK, I might have made that number up! :smiley: ). There are a lot more people in the world with access to your virtual self than your actual self - by a more realistic factor of quite possibly a million.

When your phone is stolen, you do everything in your power to immediately get it IMEI locked and remote wiped. Then you are simply left with a denial-of-service attack which you deal with by using a cloud-based passcode and 2fa code manager such as bitwarden.

I don't really understand what that is but I think I can guarantee that the password I need to access it will be stored (encrypted) on my phone.

It shouldn't be. The hash will be stored but not the password.


I thought that Google made 2FA compulsory some time ago. I may be wrong though.

Bottom line is that passwords are often easy to hack and even easier to get reset. With 2FA, you have a dynamic rather than static method that gets in the way of resets. If you have given your unlocked phone to a mugger, then the thing that stands in the way of them accessing your accounts should be the 2FA challenge which you have in an authenticator app which is protected by your fingerprint or a pin. That is EXTRA to getting access to your phone.

So someone having your phone does not have access to your accounts even if they get your password reset.

The main thing to remember is that if you are mugged (or lose your phone) - get it killed ASAP. A remote wipe gets rid of the data. An IMEI block makes the phone totally worthless. Most stolen phones go straight to the nearest dodgy phone shop for some cash for drugs. That happens within an hour. Sometimes they end up on their way overseas within a few hours. But mostly they get resold to other dodgy people who need a cheap phone.

Clearly Gmail does not require 2FA since neither Andrew nor I need phone at hand to access email.

I have never had my phone stolen so I don't know how, in the back streets of Casablanca, I would go about finding a trusted computer to get it locked, blocked or smoked.

Besides, it's not punishing the thief that concerns me, it's being able to interact with my family, hotel, bank account.

I expect there are good articles available on how to get your life back after losing your phone, but all of the ones I have seen focus on killing the phone.

I'm starting to set up 2FA, but would like to confirm:
(No blame assigned)
(I have only just got up and can't remember much said last night)

If I have 2FA, and I want to check email on ..... any of my devices:
I am going to have to 2FA before I can read them?

Whether you have 2FA or not will neither help nor hinder that.

Once you’ve killed the phone, you simply get a new one and recover everything from your cloud backup. It isn’t hard really. And wherever you are in the world, if they have mobile phone coverage, they will have mobile phone shops.

Nothing I’ve written here is about that.

It matters not whether your phone is stolen, lost or broken (and likelihood is the reverse of that order by the way), it is gone. Getting back to family, etc is about getting a new device and recovering from your backup, there is no getting around that.

2FA is about surviving a VIRTUAL attack, not a physical one.

And by the way, recovering access to accounts is MUCH EASIER with 2FA because the alternative usually requires a specific phone number and you may not have access to that any more. 2FA is based on a fixed salt code which is why you can backup/restore authenticator apps.