Accessing Gmail via IMAP Using App Passwords

I've been feeling quite negative lately, so I decided to write some notes to shift my focus and, incidentally, leave a record for my apprentice.

Introduction

In the modern cybersecurity landscape, an increasing number of mail servers no longer support accessing email over IMAP with the account's own username and password. Examples include the deprecation of Basic authentication in Exchange Online and Gmail's control over access for less secure apps.

I haven't had the opportunity to work with Microsoft Exchange, so I focused my research on Gmail.

Enabling IMAP Service

If you search for articles online, you might see instructions to enable the IMAP service in Gmail settings. However, according to the official documentation on Adding Gmail to other email clients:

Starting in January 2025, the "Enable IMAP" or "Disable IMAP" options will no longer be available. Gmail will always have IMAP access enabled, and current connections to other email clients will not be affected. You do not need to take any action.

Therefore, there is no need to perform any additional IMAP service configuration now.

Enabling 2-Step Verification

Before creating an App Password, you must first enable 2-Step Verification for your Google account:

  1. Go to Google Account / Security.
  2. Find "2-Step Verification" under the "How you sign in to Google" section.
  3. Set up a second-step verification option. The following methods are currently available:
    • Passkeys and security keys: Create a passkey on your current device to sign in to your Google account securely using fingerprints, face recognition, screen lock, or a security key.
    • Google Prompt: When signing in on a new device, Google can send a confirmation prompt to all phones logged into the account. You need to tap the prompt to confirm that you are the one signing in.
    • Authenticator: You can obtain verification codes through an authenticator app, eliminating the need to wait for SMS codes.
    • Phone number: Google will send a verification code via SMS or voice call to the configured phone number.
    • Backup codes: You can generate a set of backup codes for sign-in; each code can only be used once.

If none are set up, Google will likely guide you to set up the second step using a phone number, which is actually the most convenient method.

Creating an App Password

  1. Create an App Password via App Passwords.
  2. The system will verify your account permissions using your second verification method. For example, if you set up a phone number, Google will send an SMS to your phone, and you will need to enter the received verification code.
  3. Once verified, you will be taken to the page for managing App Passwords.
  4. Enter a custom app name in the input box under "To set up a new app password, enter a name below." This is for identification purposes only.
  5. Click "Create." Google will provide a 16-character password as the App Password and display the following message:

How to use it

Go to the "Settings" page of the account in the app or device where you want to set up your Google account, and replace your password with the 16-character password above.

This app password grants full access to your Google account, just like your regular password. You don't need to remember this password, so please do not write it down or share it with anyone.

  6. Copy this password (please note that it will only be displayed once, so be sure to save it).

Basic Information for Gmail IMAP Configuration

The following is the basic information required to connect to the Gmail IMAP protocol:

  • IMAP Server: imap.gmail.com
  • Port: 993
  • Encryption: SSL/TLS
  • Username: Your full Gmail address (e.g., [email protected])
  • Password: App Password (not your regular Gmail password)
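
The settings above put to use, as an added example (not code from the original notes): Python's standard imaplib opens a certificate-verified TLS connection to imap.gmail.com on port 993 and logs in with the App Password. The environment variable names GMAIL_USER and GMAIL_APP_PASSWORD and the function names are assumptions, as is the handling of grouping spaces in a pasted password.

```python
import imaplib
import os
import ssl

IMAP_HOST = "imap.gmail.com"  # server from the configuration list above
IMAP_PORT = 993               # TLS from the first byte (SSL/TLS)


def normalize_app_password(raw):
    """Remove whitespace and check the 16-character length.

    Assumption: the password may have been pasted with spaces between groups.
    """
    password = "".join(raw.split())
    if len(password) != 16:
        raise ValueError("expected a 16-character App Password")
    return password


def load_credentials(env=os.environ):
    """Read the address and App Password from the environment (names are
    assumptions) so the secret never sits in the script or its history."""
    user = env.get("GMAIL_USER", "").strip()
    if "@" not in user:
        raise ValueError("GMAIL_USER must be the full Gmail address")
    return user, normalize_app_password(env.get("GMAIL_APP_PASSWORD", ""))


def count_inbox(user, password, timeout=30):
    """Log in over verified TLS and return the INBOX message count."""
    # The default context checks the certificate chain and the host name.
    context = ssl.create_default_context()
    conn = imaplib.IMAP4_SSL(IMAP_HOST, IMAP_PORT,
                             ssl_context=context, timeout=timeout)
    try:
        conn.login(user, password)  # raises imaplib.IMAP4.error if rejected
        status, data = conn.select("INBOX", readonly=True)  # no flag changes
        if status != "OK":
            raise RuntimeError("could not select INBOX")
        return int(data[0])
    finally:
        conn.logout()


if __name__ == "__main__":
    gmail_user, app_password = load_credentials()
    print(count_inbox(gmail_user, app_password), "messages in INBOX")
```
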

Change Log

  • 2025-03-05 Initial document created.