This lets each of your devices that you use your mail have a different password. The major advantages are if you lose a device, or it otherwise gets compromised:
-
You can just revoke that one device; you don’t need to reconfigure every device
-
If someone gets the password off the device before you revoke it, they just have access to your mail - nothing else that your normal password gives access to (eg SSH)
If you are running ga-verifyd (see github.com/fredemmott/ga-verify), uses with tokens setup will be prompted for their token when logging in.
There’s three parts:
-
A web site for configuring per-app passwords (standard rails)
-
A web service (/verify) for checking passwords
-
A script that can be called from pam_exec.so (script/pam_verify)
The latter is what ends up being called by your mail server when you want to authenticate.
-
Install like any other Rails app
-
Restrict access to everything except /verify (see htaccess-example)
-
Hook it into pam (see comments in script/pam_verify)