Consider the following scenario.
I’ve granted eM Client access to my Gmail account from two different Windows 10 machines. Since I don’t have access to the second machine anymore, how can I revoke eM Client from accessing my Gmail and Calendar account only for that second Windows 10 machine?
Things I have already tried on my Google account:
- Change the password of my Google account. => eM Client is still syncing without any prompt so password change does not seem to revoke existing tokens.
- Enable/disable two-step authentication => eM Client is still syncing as this does not seem to revoke existing eM tokens
- Removing a device under “Your devices” in the “Security” section of my google.com account does not remove access to 3rd party apps as per Google message: “You’ve given third-party apps access to your Google Account. If a third-party app is installed on this device, this app might still be used to access your account.”
- Removing eM Client access as a 3rd party app and then trying to access my Gmail/Calendar account from eM Client again requires me to sign in to my Google account but in doing so, I am giving back access to eM Client as a third-party app. Therefore in doing so, am I giving back access to all the machines that use eM Client again?
Does anyone know for sure how I can revoke eM Client access for that second Windows 10 machine that I don’t have access to anymore?
If you remove any other device other than the device / computer you want to use in Google Security https://myaccount.google.com/security then that’s all you need to do. I’ve done that before & no problems. I presumed you also wiped / erased your other computer you are no longer using.
I also enabled 2 step verification in Google my account security section to avoid anyone accessing my Gmail from another location which works fine with EM Client.
Yes you can also Manage Third party access to remove and re-authorize EM Client if you want as well as you advised. https://myaccount.google.com/device-activity
First, thank you for your quick reply cyberzork.
FYI I don’t have access to the other computer, so I cannot wipe/erase anything on it but I do want to prevent any unauthorized access should someone start eM Client on that machine, thus my question.
From the “Manage your Google Account” web page going to the Security setting, then “Your devices”: removing all the devices does force me to log in again to my Google account when I use my browser but it does not make any difference to the eM Client i.e. eM Client still has access to my Gmail/Calendar data even if I don’t log in again. I believe eM Client always uses an OAuth token that gets created on the machine when my Gmail/Calendar account was first added to the eM Client.
Ditto for two steps verification, no impact. eM Client can still access my Gmail/Calendar as if nothing has changed.
Removing eM Client as a 3rd party app in my Google account does revoke access to eM Client but I believe it does so for all Windows 10 machines since there is only one entry for eM Client as a third-party app in my Google account (i.e. not one per machine).
For example, after removing eM Client as a third-party app, if I try to access my Gmail/Calendar account from eM Client again, eM Client opens up my browser automatically and waits for me to sign in to my Google account and register eM Client as a third-party app again. After that, eM Client on that machine gets access to my Gmail/Calendar again without further intervention. Good but…
Since I cannot have access to the second machine and test this, my question is: “By re-enabling eM Client as a third-party app in my Google account, am I giving back access again to all the machines that used eM Client with my Gmail/Calendar account/OAuth token?” In other words, I think I have only flipped the third-party access switch off and on but did not reset anything thus the second machine is still having access.
Clear as mud?
If you change your Gmail password (which you advised you did) even with 2 step disabled, then no one could normally access your EM Client Gmail account (email or calendar) etc, as they will get a username & password box appear when using EM Client to re-enter the password.
Same goes for any other email client that tries to access Gmail when the password is changed. Even if there is an OAuth token if the password does not match they won’t get in.
Note:- If they can get in (even with the password changed at Google) & 2 Step enabled, then that’s a security hole at Google which I doubt there is. You would have to be a genius hacker to bypass that.
You could also enable the new Google “Advanced Protection Program” https://landing.google.com/advancedprotection/ which in addition to a password to sign in to your Google Account, requires you to use either a physical security key, the security key built into your Android 7.0+ phone, or your iPhone running iOS 10.0+ with the free Google Smart Lock app installed. I don’t know though if this will have any issues or work though with EM Client.
You can also contact Google support via their community forum for any Google security question on Mail clients in general - https://support.google.com/mail/community?hl=en
Thanks again for your input. I will take your suggestion and see what the Google community forum has to say about third-party apps authorization.
Meanwhile maybe someone from the eM Client team will be able to shed some light as to how the OAuth token handshake with the Google system works and how persistent that token is once it has been created on the client machine.
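
The revoke-then-re-authorize question raised in this thread, as an added example that is not from any participant and is not Google's or eM Client's code. It is a simplified model of standard OAuth 2.0 refresh-token handling (RFC 6749, with revocation as in RFC 7009), under the assumption that removing a third-party app deletes every refresh token issued to that app and that a new sign-in mints a token only for the installation that completed it; the class, function and account names are hypothetical.

```python
import secrets


class AuthServer:
    """Toy authorization server (constructed model, an assumption for illustration)."""

    def __init__(self):
        # refresh token -> (user, client_id); one entry per installation
        self.refresh_tokens = {}

    def authorize(self, user, client_id):
        """Interactive browser sign-in and consent.

        Issues a NEW refresh token, stored only on the machine that
        completed the sign-in. Old tokens are not resurrected.
        """
        token = secrets.token_urlsafe(16)
        self.refresh_tokens[token] = (user, client_id)
        return token

    def refresh(self, token):
        """Silent sync: the client presents only its stored refresh token."""
        return token in self.refresh_tokens

    def revoke_app(self, user, client_id):
        """'Remove access' for a third-party app: drops every refresh token
        issued to that app for that user, on every machine."""
        self.refresh_tokens = {
            t: grant for t, grant in self.refresh_tokens.items()
            if grant != (user, client_id)
        }


def scenario():
    srv = AuthServer()
    user, app = "user@example.com", "mail-client"   # constructed sample values
    pc1 = srv.authorize(user, app)                  # machine still in use
    pc2 = srv.authorize(user, app)                  # machine no longer reachable
    before = (srv.refresh(pc1), srv.refresh(pc2))
    srv.revoke_app(user, app)                       # single entry in the account UI
    after_revoke = (srv.refresh(pc1), srv.refresh(pc2))
    pc1_new = srv.authorize(user, app)              # sign in again on machine 1 only
    after_reauth = (srv.refresh(pc1_new), srv.refresh(pc2))
    return before, after_revoke, after_reauth


if __name__ == "__main__":
    print(scenario())
```

In this model the second machine's stored token stays invalid after machine 1 re-authorizes, because consent creates a fresh token rather than re-enabling old ones.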