
You must update your Rogers email account settings

57
Resident Expert

I got an e-mail on one of my e-mail accounts this morning. Interestingly I only got it on one of our accounts, not the other three accounts that my wife and I have.

 

At first I thought it was phishing, but it appears that people who use certain e-mail clients (like Outlook) will have to reconfigure those clients for a "new password" (app password). Webmail doesn't appear to require the change.

 

The e-mail states:

 

Important: You must update your Rogers email account settings.
 
Protecting your data is as important to us as it is to you. Rogers is making several security upgrades and implementing a new authentication system to further protect you and your data.
 
Rogers requires you to update your email settings to continue using your email account.
 
It only takes a few minutes of your time to ensure you have uninterrupted access to your email.

 

There is a link as follows indicating the people who need to do this, as well as instructions on how to do it:

 

http://www.rogers.com/web/support/internet/email/442

 

Please excuse me if this is discussed elsewhere. I did try searching and didn't find a thread on this specific topic.

 

***EDITED LABELS***

326 REPLIES

Re: You must update your Rogers email account settings

BS
I'm a senior advisor

@RichardF  If I am interpreting what has been put out there, you would be correct in what you just described.

 

Only way to keep your email secure on Outlook now is to set up a user password for you as a local user.

 

 You will have to remember to log out, or have it go to locked screen saver in a short duration. Your outlook access can be set to be password protected using the user login password for Windows, and setting it to not remember your credentials will require a log in each time you try to access your Outlook email .pst files.

 

You can also lock a .pst file which is the data files for outlook accounts.

 

See https://www.lifewire.com/protect-pst-file-access-with-password-1173808

 

This model is intended for situations where there are multiple users on the same computer and you want to keep your mail secure from the other users, but it also works well for a single user, although I have never required outlook to request my user password, even when I did share it.  The password from the email server served that purpose.

 

So based upon what I have seen so far, I would suggest that you go ahead with the passkey setup, saving it, then put a password on the user account (you will need to log in as that user each time) using either your username and password for the Windows user account, or on Windows 10, you may be using a PIN to access.

 

Then turn on the user name password protection to outlook, and that will secure your access to outlook, and you can forget about this whole scenario that Yahoo/Rogers is implementing.  And yes, it appears that you will need a separate one for each device, but nothing to do on newer devices if you set it up using the yahoo automated setup process, and not the "other" setup.

 

Bruce

Re: You must update your Rogers email account settings

JKnott
I'm a reliable contributor

@AMur wrote:

Thunderbird isn't specifically on the list of mail clients that need to update.   I realize that they can't list all clients, but since I use it I assume lots of others do too [self-deprecation].    Anyone know if this applies to Thunderbird?


 

Thunderbird and Seamonkey both support OAuth2.  It's one of the choices under Authentication Method in the account settings.

 

Re: You must update your Rogers email account settings

RichardF
I plan to stick around
Thanks, those are helpful suggestions.

I already have user login accounts password protected. People don't do otherwise? Lol

As for the rest I think I'll set up a dummy account and walk it thru the process first.

Re: You must update your Rogers email account settings

JKnott
I'm a reliable contributor

@Attila_ wrote:

@ti3 wrote:

I don't understand how a randomly generated password from some app I'm supposed to trust is "updating my email account settings" other than getting me to use a password that I didn't select myself.


Exactly. Also, what happens if I want to use two different Clients on two different devices. Will one of them now not work? It seems Rogers is just pushing everyone to use other e-mail services.


 

My understanding is that you can use "Add Another" for each client.  Then each client will have its own unique random number password and you copy the generated password to the email client.  You use this method only if your email client does not support OAuth.

Re: You must update your Rogers email account settings

JKnott
I'm a reliable contributor

@Attila_ wrote:

Can I opt out of this feature? I am happy with the way things are.

 

I have a cell phone on which I check my e-mail (leaving them on the server) and a desktop that uses Outlook where I download the messages.

 

How will this now work if I generate a password for the desktop using the Outlook flavor? Will my cellphone still be able to read the e-mail with this new password, even though it is not using Outlook?


 

Use "Add Another" to create a unique password for each client that doesn't otherwise support OAuth.

 

Re: You must update your Rogers email account settings

JKnott
I'm a reliable contributor

@BS wrote:
And this client is sitting on a pop server setting, not IMAP.  Thought they were dropping POP due to security a few months back.

 


IMAP vs POP has nothing to do with security.  They both can use the same password methods and SSL/TLS.  The main difference is IMAP supports multiple clients properly and POP doesn't.

Re: You must update your Rogers email account settings

timlocke
I plan to stick around

Thunderbird: I only see that OAuth2 for the SMTP server, not for the POP server. Is that right?   Or do I have to change to IMAP?  I am running the very latest T'bird.

Re: You must update your Rogers email account settings

BS
I'm a senior advisor

That is what I am doing is running through a dummy account.

 

Just confirmed that 2 step authorization is not available and the web site they used to send us to, it puts us through the process, but the code never gets sent to my cell phone, and there is no way to turn it on and off if you choose to.

 

In Yahoo normal account settings, which we can't get at now as it takes us to the member page just put out by Rogers, so unlike in Yahoo's own email where you can set 2 step authorization, you can turn it on and off, and you can opt out of this new passkey model, but on our Rogers email accounts, you don't have that option. So, no, you can't opt out by the looks of it.

 

Guess Rogers has decided to go a different model by restricting the full security choices and options that yahoo provides.  Guess they have decided their method is better than Yahoo provides.

 

I am done for today, I will test the pass key stuff tomorrow.

 

Bruce

Re: You must update your Rogers email account settings

BS
I'm a senior advisor

@JKnott  Thanks for the clarification.  I know that POP and IMAP have nothing to do with security and the functional differences between the two.

 

Where that issue comes into play is that over the last year, their security certificate for POP access failed, and they announced and Rogers announced that they were dropping POP and maintaining only IMAP.

 

This is all I was pointing out is the amount of inconsistent communication that was coming out on the topic of security and all these changes.

 

It is also a persistent peeve for me and many others just how often Rogers communicates significant changes in an inconsistent and confusing manner.

 

That is all.  It was merely a rant, but now I am sticking to understanding just how does this thing work, although we may not fully understand until they fully implement it.  

 

For example, people have asked about 2 step authorization, which I am sure some have been using - there is no way to access the settings anymore, and the old help site that sent us to a Rogers page to set it up runs you through the steps, but doesn't send out a code to the cell phone, so I have asked for clarification on this from Rogers.  If I hear anything different, I will post it, but for now, 2 step authorization doesn't seem to be able to be set up anymore.  Don't know if people currently using it can still use it or not.  I leave that to others to report.

 

Thanks again for the clarification.

 

Bruce

Re: You must update your Rogers email account settings

BS
I'm a senior advisor

2 step authorization, the one way from a post last year - provided this link

 

https://edit.yahoo.com/commchannel/sec_chal_manage?.scrumb=EEWWqyk1TBA&.scrumb2=Vt4IwHGWDsM&.done=&p...

 

Will not send the two step verification code, so guess that is now no longer in place.

 

Please could a Rogers Mod confirm if this is true.

 

Bruce

Re: You must update your Rogers email account settings

BS
I'm a senior advisor

@JKnott

 

I just tested on the most current Thunderbird client.

 

You are right, there is no OAuth2 in the pop settings.

 

It doesn't appear that you use the OAuth2 as the setting, you currently leave it as Normal.

 

I have got thunderbird to work on a dummy account with either the passkey, or the regular password - may change in future.

 

Interesting one though - I set one up on a real old client (Pegasus), and use the same key as I did for thunderbird.

 

It connected fine.

 

So either OAuth2 (the way it is supposed to work - with a token assigned to each device or application) is not functioning or not turned on, or this is not really OAuth2, just a randomized password generation.

 

Guess we will see over time.  I think I will pack in this playing - it was fun, but I think I know all I need to know for now.

 

For now:

 

either the passkey, or your regular password will work in thunderbird or pegasus

 

Both POP and IMAP protocols worked fine for me with either passkey or regular password, in spite of this yahoo help page https://help.yahoo.com/kb/SLN28161.html where they said POP was not functional after March 31st, 2017.

 

It doesn't seem that the authentication method has to be set to OAuth2 on thunderbird, but left as normal.

It didn't speak to this in the instructions, nor did it talk about secure authorization on Outlook 2013 and 2016.

 

And at the moment, you can use the same passkey on the two apps I mentioned, so I guess we won't fully know what the implications are until it gets fully turned on.

 

What a mess!!  Between Yahoo, and Rogers, there are two different messages when it comes to authentication using passkeys, or 2 stage authentication, and although Yahoo says you can turn it off in account settings,

Rogers does not permit us to get into those settings anymore, keeping us to the limitations on the member centre page for email accounts.

 

So maybe Rogers has decided to place their own restricted model of security layered on top of the Yahoo security models.  I don't know, that is just a guess.

 

I have done testing with a brand new yahoo account by the way, and everything that Yahoo says in terms of setting up security works just fine on old mail clients or on my phone devices.  go figure!!

 

Bruce

 

For now, I guess just follow the instructions on older clients and devices, and create a different one for each application or device since that is what they have instructed us to do and once it turns on, I hope it works properly.

 

Bruce

 

 

Re: You must update your Rogers email account settings

RichardF
I plan to stick around

Can anyone comment on how secure OAuth is?   Wiki is not encouraging. 

Of course if Rogers isn't actually using it, it's moot haha.

Re: You must update your Rogers email account settings

IUseAMac
I've been here awhile

Called Rogers again today, tech support has no idea what to do if one email program has more than one email account on it.

 

Joy.

Re: You must update your Rogers email account settings

JKnott
I'm a reliable contributor

@BS wrote:

@JKnott  Thanks for the clarification.  I know that POP and IMAP have nothing to do with security and the functional differences between the two.

 

Where that issue comes into play is that over the last year, their security certificate for POP access failed, and they announced and Rogers announced that they were dropping POP and maintaining only IMAP.



I wasn't aware of that.

 

Re: You must update your Rogers email account settings

First of all, it is recommended that each device you use has a separate code so that if a device is stolen or lost, you can trash that code to prevent access to your email on that device. So ideally if you were using one email address with say "bri" in the address you could name the codes "brimac", "briIphone", "briTablet" etc..

Secondly, as it currently stands (hopefully will change), you have to log into member centre with each email address you use, to generate your passwords for that email. Hopefully it will evolve that you can manage all sub accounts from the master email in member centre. Hopefully that clarifies things a little. Also these passwords are not sent to your devices, they have to be manually entered on each device/app. Member center just keeps a list of the nicknames for each password so that they can be trashed if required.

 

Brian

Re: You must update your Rogers email account settings

RichardF
I plan to stick around

And this has to be done each time you change your passwords...

Re: You must update your Rogers email account settings

RichardF
I plan to stick around

I'm also not clear why traditional username / password is good enough for internet banking but not for email.

Re: You must update your Rogers email account settings


@RichardF wrote:

And this has to be done each time you change your passwords...


No, your password that you access the member center and mail.rogers.com can be changed and it will not affect your app passwords.

 

So if I logon to webmail with so&so@rogers.com and XXXXXXXXX, I can change XXXXXXXXX to a different password and it will not affect my apps.

 

If you want a new app password for some reason, you can trash your old one and generate a new one, but there is no need to unless you delete an app or email profile and need to recreate it.

 

Brian
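The scheme Brian describes in his two posts (one named, individually revocable password per device, independent of the account password) can be modelled as follows. This is an added example, not part of the original posts and not Rogers' or Yahoo's code; the `MailAccount` class, its method names, the PBKDF2 storage and the rule that mail clients only accept app passwords are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class MailAccount:
    """Toy model: one account password plus named, revocable app passwords."""

    def __init__(self, account_password):
        self._account = self._hash(account_password)
        self._apps = {}  # nickname -> (salt, digest); plaintext is never stored

    @staticmethod
    def _hash(password, salt=None):
        salt = salt or secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return salt, digest

    @staticmethod
    def _matches(password, record):
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)

    def add_app_password(self, nickname):
        """Generate a random password for one client; shown once, then only hashed."""
        if nickname in self._apps:
            raise ValueError("nickname already in use")
        password = secrets.token_urlsafe(12)
        self._apps[nickname] = self._hash(password)
        return password

    def revoke(self, nickname):
        """Trash one client's password; other clients are unaffected."""
        return self._apps.pop(nickname, None) is not None

    def change_account_password(self, old, new):
        """Change the webmail/member-centre password; app passwords are untouched."""
        if not self._matches(old, self._account):
            return False
        self._account = self._hash(new)
        return True

    def webmail_login(self, password):
        return self._matches(password, self._account)

    def client_login(self, password):
        """Return the nickname whose app password matches, or None (assumed rule)."""
        for nickname, record in self._apps.items():
            if self._matches(password, record):
                return nickname
        return None
```

Nothing in this model ties a password to the client it was generated for, which matches what BS saw when one key worked in both Thunderbird and Pegasus: the nickname is only a label used for revocation.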

 

Re: You must update your Rogers email account settings

RichardF
I plan to stick around

Now I'm really confused.  Please straighten me out!  This is my understanding. 

 

For web mail etc there are in effect two passwords, an "app" password for the device / account that authorises mail on that device for that account.  The user still enters the account password.   The app authorisation, once established is hidden / automatic.   Account password can be changed without affecting app password and vice versa.  

 

For Outlook etc, that do not support two passwords, one continues with single password.  But instead of user defined memorable password (e.g. baLrog&76 not saved on computer) we move to system generated unmemorisable password that must either be written down and typed in each time or saved in Outlook, neither of which is recommended.    The user password has become the app password.  So to change the (user) password one must change the app password.

 

Out of curiosity, aside from this Rogers / Yahoo mess, is MS planning any changes to the password regimen for Outlook?   If not why not (e.g. Weaknesses in OAuth?), and if they are then of course this process becomes simpler, i.e. the app password will be hidden just like in web mail.

Re: You must update your Rogers email account settings


@RichardF wrote:

Now I'm really confused.  Please straighten me out!  This is my understanding. 

 

For web mail etc there are in effect two passwords, an "app" password for the device / account that authorises mail on that device.  The user still enters the account password.   The app authorisation, once established is hidden / automatic.   Account password can be changed without affecting app password and vice versa.  


Web mail is "mail.rogers.com" and uses only one password. Same password is used for "rogersmembercentre.com".

 

Hope that clears it up.

 

Brian

Re: You must update your Rogers email account settings

RichardF
I plan to stick around

Actually my url seems to be

https://ca-mg5.mail.yahoo.com/neo/launch?.partner=rogers-acs.......

not mail.rogers.com

 

Anyway ...

 

So web mail does not have any device authorisation?   I thought the point was that it did, but it's all hidden from the user.

Same for (recent) iOS etc.

 

My question was really about Outlook, and how that works, and how one changes the "user password" in Outlook.

Is my understanding that in Outlook the user (mail account) password will now be the app password?  Etc etc.

There was a suggestion on there that I will try out ... to in fact save the new password in Outlook but to fake a user mail account password by putting windows password protection on the pst files, which will trigger Outlook to prompt for password when the user signs in.