Windows 7 could be a problem, as it’s part of team obsolete.
There are several authentication choices, if you are lucky, you can use the same for all. I'm stuck with Microsoft Authenticator, Duo, and ie.me, and more. Rather than avoid it, which is a losing battle, just do it.
I don't know if Windows 7 will be an issue, at some point it will be but you can use your smartphone or tablet. These authentications often use text, some even allow telephone call so they are pretty inclusive.
I'm on Windows 11 pro on all computers, iPhone and iPad with newest updates.
Email won't care, so far, but some services will require you install and use an approved virus application.
I'm not getting notices on my accounts, I have Apple, Outlook, and Gmail accounts for work, business, and school (volunteering). So maybe you are facing issues with the service provider you are using. You may need to read the details of what they wan't.
Lurking to see the answer for question #3
You could try using something like Roundcube or Horde.
Both are kind of crude/basic, but they work just fine.
Do you have a choice for who hosts your email? I'm using Gmail for personal and my company because no one blocks Gmail. I use through school and clients 365 and exchange emails because I have no choice.
Whatever email service you choose or are forced to use will determine your email application or browser to use. You'll still be stuck with authentication with any choice.
If you pick a host for your email recognize that they are shared services and you may get blacklisted because of their other customers. That is why I moved my email to Gmail.
On my computer, I use Microsoft Outlook and have since it came out. It is business caliber and works with Teams and everything else I do every day. That's a high bar not needed for a personal or throwaway email. I have other email that I only access via the browser, but they are not that important to me.
BTW, no matter what I choose, I have zero expectation of privacy. While I don't do anything illegal, if I did, it wouldn't be via email regardless of the provider.
Why would anyone even use a local desktop email client? Open that stuff remotely on a remote email sever and add that extra layer of isolation from your machine.
i second what i repeated from another freeper below: i use W7 SP1 and tbird 91.9.0 [later versions were buggy as hell when i tried to install them some time ago and i just stuck with 91.9.0] ... with the above combo i successfully use OAuth2 with gmail, but as said below, there’s a process to get it to work ... but once established, it just keeps trucking along ...
here’s what another freeper said:
“Answer is, you don’t. Thunderbird is completely compatible with OAuth2. I know, I use Thunderbird as my primary email client, and I use it on Windows 7. It will, of course, work on everything since then as well. When you set Thunderbird for OAuth2, that’s it. No more work required, and you don’t have to use two factor authentication. And you can also use Outlook, everything from 2010 forward. Now, that said, there is a process that has to accomplished to do that, but it can be done.”
and here’s what it took for me to upgrade from ancient tbird 45 and get OAuth2 going on gmail:
just wanted to post my experience trying to get gmail oauth2 to work with TB ... i’ve posted this information a couple of other places but want to make sure folks can benefit from the DAYS i spent trying to get this to work ...
i’ve been running TB 45 forever and gmail oauth2 definitely didn’t work for me with TB 45 on W7 x64 ... i first updated to 91.9 but still no dice ... deleting multiple suggested TB config files didn’t solve the problem either ... i ultimately discovered that the problem was that NO passwords would save for any of my TB accounts, which of course includes oauth tokens that are now stored in the password file ... it was also NOT practical to recreate accounts from scratch since i had to fix this problem for many clients and myself, and many of us had multiple accounts configured in TB, with many of the accounts containing 30 GB or more emails that would have had to be reloaded from the servers, plus all local emails would be lost unless manually copied from saved profile folders ...
so here’s what i finally came up with to get this upgrade to work reliably:
1. first make a backup copy of the local/thunderbird and roaming/thunderbird folders
2. next run TB 45, remove all addons, and exit (these addons are all going to be obsolete anyway, and removing them now cleans up prefs.js)
3. uninstall TB 45
4. empty local/thunderbird
5. delete everything in roaming/thunderbird except: prefs.js, Mail, ImapMail, virtualFolders.dat, folderTree.json, directoryTree.json, and *.mab files (most of the files and folders to be deleted are obsolete anyway, having been left behind as i upgraded TB over the years from TB 2 to TB 45, and any necessary ones will automatically be recreated by TB 91)
6. install TB 91.9 x64
7. run TB 91 and when the profile section box pops up, select the default profile, checking the box to remember it permanently
8. TB 91 will convert all gmail accounts to oauth, so popups for the oauth login procedure will occur for all gmail accounts, so go through the google oauth process for each of those, providing the required password and any subsequently requested secondary security verification information via smartphone SMS or secondary security email security code, and also indicate to all other google security verification emails that you are the one who initiated these activities ... also enter and save conventional passwords as well for non-gmail accounts ...
9. you can verify that all conventional passwords and oauth tokens got saved via viewing TB preferences/privacy & security/saved passwords
10. import contacts in all .mab files (which are obsolete and unrecognized by newer TBs)
10. nice addons are Phoenity Buttons, Phoenity Icons, riseofthetools, search button, lookout (fix version)
11. some old x86 TBs leave behind broken (and unnecessary) user registry keys regarding TB mailto protocols that will interfere with mailto protocol defaulting to the new TB, so these must be manually deleted for each logged in Windows user with .reg file:
Windows Registry Editor Version 5.00
[-HKEY_CURRENT_USER\Software\Classes\Thunderbird.Url.mailto]
&
[-HKEY_CURRENT_USER\Software\Classes\ThunderbirdEML]
12. TB font sizes can be changed by changing the value of font.size.systemFontScale from 100 to something larger (or smaller) in general/config editor ... Ctrl-mousewheel zooming can be activated via the config editor with “mousewheel.withcontrolkey.action true” ... nonetheless, it’s EXTREMELY unfortunate that TB has dropped builtin zoom buttons and no addon exists for such buttons because i personally HATE the inefficiency of having to remove my hands from the mouse to perform keyboard zooming ... i guess we visually impaired folk don’t matter much anymore ...
13. manual updates only (with prompting) can be specified via policies.json file in “C:\Program Files\Mozilla Thunderbird\distribution”:
{
“policies”: {
“ManualAppUpdateOnly”: true
}
}
“You must set it to OAuth2.”
What even is that?
You can actually call Apple for help!
Buy this laptop with 16GB RAM /Windows 11. With an until 2026 warranty for $337 https://tinyurl.com/jkpnhpyc
Buy a 24” external monitor for $80-$100. Connect them via HDMI.
Toss your relic Windows 7 computer into the trash. Or see if someone will accept it as a gift. Which is bloody unlikely.
A quick primer on multifactor authentication (MFA). MFA works on the concept of having multiple ways to authenticate who you are through something you know (like a password), something you have (like a mobile phone), or something you are (like a thumbprint, facial recognition, or iris scan). Two passwords don’t count as multifactor, because it’s two of the same method of authentication. Same would be authenticating using a thumbprint and facial recognition. While difficult to compromise, they’re still two of the same factors.
Let me address your questions out of order a bit.
Can you have an authenticator app on your laptop? Short answer: no. Your laptop is something you have, yes, but it’s also the device on which you’re trying to perform the authentication, so a password PLUS the authenticator on your device are technically the same factor. Mobile phones are so ubiquitous that authenticator apps are an easy extension of the authentication library. Pro tip: it doesn’t matter which authenticator app you use, even if it says “Google Authenticator,” you can still use Microsoft or any other authenticator app with a private key stored and secured on the device that supports OATH.
You’re having trouble receiving verification codes from Microsoft, because Microsoft deprecated telephone-based authentication methods over a year ago. NIST, the de facto government agency for cryptographic standards, deprecated and urged government agencies off of phone-based authentication back in 2015! You should not rely on phone calls or SMS for verification. Why? There have been a number of articles in cybersecurity circles detailing how threat actors will go to local Verizon, T-Mobile, Boost, etc. brick-and-mortar stores, flash $1,000 cash in front of one of the agents for a SIM card programmed to your phone number, and boom, they now have your phone. Literally your phone. It’s happened in a number of recent very high profile breaches. You CAN configure Microsoft to text or call you, but it’s no longer the default. You have to go hunt for the setting, but it’s there.
I’d personally recommend Outlook, even if you just use Outlook web access. It’s available on all mobile platforms and works very well with all mail providers. Your mileage may vary.
Finally, if you’re running on Windows 7, please consider upgrading. I know, I know, “From my cold dead hands,” but as a cybersecurity practitioner, I have to warn you, there are numerous zero day escalation of privilege and remote access vulnerabilities in Windows 7. If your machine is so much as attached to the Internet, you’re at risk. As someone who works with security folks in agency secure operations centers (SOC), I can tell you first hand that threat actors are actively scanning your network daily if not hourly. It takes one bad ad delivered to your machine or a wrong click, and your Windows 7 box is one of the easiest to compromise still out there. And your VPN isn’t protecting you, it’s just obfuscating your endpoint IP address. It’s still a two-way communication channel.