Google allows the use of OAuth authentication to fetch email, but also the use of a lengthy "app password" generated by Google instead of an account password. Yahoo/AT&T also allows the use of a "secure mail key" in lieu of OAuth - the "secure mail key" seems the same as an "app password". How does OAuth provide more security, and what other advantages does OAuth offer over the "app password"?
1 Answer
They are similar, but:
App passwords are managed manually (copy-pasted, etc.) with each site having its own mechanism. OAuth2 tokens are issued more or less automatically in a more or less standard way.
(In theory, OAuth2 also has flows which allow limited devices (e.g. smart TVs with tedious on-screen keyboards) to obtain tokens without much input at all – you log in through your computer to get a numeric PIN, enter that PIN on your smart toaster or fridge or whatever, and now it has an OAuth2 token without the need to enter a long app password.)
At most services, all app passwords identically grant the same wide variety of permissions. OAuth2 tokens only grant the specific access that you've confirmed (e.g. only Gmail, or only Drive, or only Calendar).
(Some services such as GitHub allow specifying scopes even for app passwords, but then you still need to know exactly which ones you'll need, and I would bet most people just click "All of them, thanks" and then use that single app password everywhere.)
OAuth2 uses a two-tier system, with a long-lived "refresh" token that is only sent to the authentication server, and a short-lived "access" token that the client replaces every X days.
Depending on how the service was designed, this might actually guard against some security compromises on the service's side (e.g. a compromised IMAP server could collect forever-valid app passwords, but it cannot actually obtain OAuth2 refresh tokens – only temporary access tokens).
App passwords work with any app. OAuth2 requires each developer to register their app as a "client" and allows Google or Yahoo to impose whatever silly development policies they want this week.
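The two-tier token scheme and scope restriction described in the answer above, as an added worked example that is not part of the original post. The authorization server, the `mail`/`calendar` scope names, the user address and the 3600-second token lifetime are all constructed for illustration; the only real format reused is the SASL XOAUTH2 string a mail client sends to Gmail's IMAP server (`user=<addr>^Aauth=Bearer <token>^A^A`, base64-encoded). The toy IMAP server records every secret it is shown so the script can check what a compromised mail server could actually harvest:

```python
"""Toy model of OAuth2 refresh/access tokens versus a single app password.

Added example: the AuthServer, ImapServer, scope names, user address and
lifetime are constructed. The XOAUTH2 SASL string format is Gmail's real one.
"""
import base64
import secrets

ACCESS_TOKEN_LIFETIME = 3600  # seconds; constructed value for the demo


class AuthServer:
    """Issues one long-lived refresh token per grant and short-lived,
    scope-bound access tokens on demand (constructed, in-memory)."""

    def __init__(self):
        self._refresh = {}  # refresh_token -> (user, frozenset(scopes))
        self._access = {}   # access_token  -> (user, frozenset(scopes), expires_at)

    def grant(self, user, scopes):
        # The user consents to specific scopes; the refresh token is bound to them.
        tok = secrets.token_urlsafe(32)
        self._refresh[tok] = (user, frozenset(scopes))
        return tok

    def exchange(self, refresh_token, now):
        # Only the client ever calls this; the mail server never sees refresh tokens.
        user, scopes = self._refresh[refresh_token]
        tok = secrets.token_urlsafe(32)
        self._access[tok] = (user, scopes, now + ACCESS_TOKEN_LIFETIME)
        return tok

    def introspect(self, access_token, now):
        # Resource servers ask: is this token still valid, for whom, for what?
        entry = self._access.get(access_token)
        if entry is None or now >= entry[2]:
            return None
        return entry[0], entry[1]


def xoauth2_string(user, access_token):
    """Build the SASL XOAUTH2 initial client response used for IMAP logins."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


class ImapServer:
    """Resource server that accepts XOAUTH2 logins and remembers every
    secret it has been shown (what a compromised server could collect)."""

    def __init__(self, auth):
        self.auth = auth
        self.seen_secrets = []

    def login(self, sasl_b64, now):
        raw = base64.b64decode(sasl_b64).decode()
        fields = dict(p.split("=", 1) for p in raw.split("\x01") if p)
        token = fields["auth"][len("Bearer "):]
        self.seen_secrets.append(token)
        info = self.auth.introspect(token, now)
        if info is None:
            return False  # expired or unknown access token
        user, scopes = info
        return user == fields["user"] and "mail" in scopes


def scenario():
    """Run the full exchange and report what each step allowed."""
    auth = AuthServer()
    imap = ImapServer(auth)
    user = "alice@example.com"  # constructed
    t0 = 1_000_000              # arbitrary clock value

    # 1. Consent to mail-only access; the client keeps the refresh token.
    refresh = auth.grant(user, ["mail"])
    # 2. Exchange it for an access token and log in over IMAP.
    access = auth.exchange(refresh, now=t0)
    ok_now = imap.login(xoauth2_string(user, access), now=t0)
    # 3. Once the lifetime elapses the same access token is refused ...
    later = t0 + ACCESS_TOKEN_LIFETIME
    ok_later = imap.login(xoauth2_string(user, access), now=later)
    # 4. ... but the client silently obtains a fresh one from the auth server.
    access2 = auth.exchange(refresh, now=later)
    ok_renewed = imap.login(xoauth2_string(user, access2), now=later)
    # 5. A token scoped only to "calendar" does not open the mailbox.
    cal_refresh = auth.grant(user, ["calendar"])
    cal_access = auth.exchange(cal_refresh, now=t0)
    ok_wrong_scope = imap.login(xoauth2_string(user, cal_access), now=t0)
    # 6. The IMAP server only ever saw short-lived access tokens. An app
    #    password, by contrast, would be sent on every login and never expire.
    leaked_refresh = refresh in imap.seen_secrets or cal_refresh in imap.seen_secrets

    return {
        "ok_now": ok_now,
        "ok_later": ok_later,
        "ok_renewed": ok_renewed,
        "ok_wrong_scope": ok_wrong_scope,
        "leaked_refresh": leaked_refresh,
    }


if __name__ == "__main__":
    for step, result in scenario().items():
        print(f"{step}: {result}")
```

Running `scenario()` shows the three properties the answer lists: the expired access token fails while a refresh yields a working one, the calendar-scoped token is refused by the mail server, and the refresh token never appears in what the IMAP server recorded. The same model with a single never-expiring app password would record that password on every login.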