This lets each of your devices that you use your mail have a different password. The major advantages are if you lose a device, or it otherwise gets compromised:

• You can just revoke that one device; you don’t need to reconfigure every device

• If someone gets the password off the device before you revoke it, they just have access to your mail - nothing else that your normal password gives access to (eg SSH)

If you are running ga-verifyd (see github.com/fredemmott/ga-verify), uses with tokens setup will be prompted for their token when logging in.

There’s three parts:

• A web site for configuring per-app passwords (standard rails)

• A web service (/verify) for checking passwords

• A script that can be called from pam_exec.so (script/pam_verify)

The latter is what ends up being called by your mail server when you want to authenticate.

• Install like any other Rails app

• Restrict access to everything except /verify (see htaccess-example)

• Hook it into pam (see comments in script/pam_verify)