Welcome to the mailbox.org user forum!
 

Let's talk about 2FA on this website. Again.

drdarkmode shared this idea 4 years ago
Proposed

Hello Mailbox community.


We already had several discussions about 2FA on this website. It's being done a bit differently here. Usually you have Password+2FA(OTP). On this website you use NEWLY_GENERATED_6_DIGIT_PIN_INSTEAD_OF_PASSWORD+2FA(OTP).

Some people think this is a good idea because any password is apparently equally safe when having 2FA(OTP) activated.


I love.. your service. But one of the very few things that I don't like on mailbox.org, and in this case it's a major thing for ME, is the way 2FA is being handled.


I think we can all agree that what I and several other users want, and how Mailbox is currently handling 2FA, are at least EQUALLY SECURE.


So I ask you, and I hope I'm not alone with this, to please just enable both methods. Let me have my password + 2FA and not a 6-digit password.


Just make it optional. It's equally good. Some people prefer it the mainstream way and you can do it all with the same tools.


please please please!

Replies (34)

2

I've posted a similar thing some days ago. https://userforum-en.mailbox.org/topic/password-recovery-process-and-security-flaw

If you have 2FA, so PIN + OTP, you can reset it with the password reset process, because it resets the 2FA method.

There are three ways to reset the password of the account:

  • secondary email (if you have set one);
  • phone number (if you have set one);
  • receive an email on your mailbox.org if you still have IMAP access.

This last option, IMHO, is a security problem. I have suggested, like other people, adding app passwords (like mainstream services) or removing this third option and generating recovery codes for 2FA.

Hope that it will be added, because mailbox.org has the best-configured servers (TLS cipher suites, DANE and DNSSEC) of all the email services I have tried.

2

If you receive it by e-mail because you still have configured an IMAP client, then your password *IS* stored in *plaintext* in the config of that IMAP client.

If somebody owns the device, he owns your password anyway. That's how it is.

3

That's correct. But with app-specific passwords, this scenario would not happen and it would be much more secure, as I can revoke an app-password if I lose my device etc.

2

The only way it should be possible to reset the password is (optionally) with a secondary email or with your security code written down before setting up 2FA.


The biggest problem is also:


When I set up 2FA there has to be a confirmation process. You can't just leave noob users confused about setting up 2FA without any initial confirmation..


"have you written down your code"


"confirm code here".. etc..

1

Using 2FA means you rely on your OTP as main source of security.

Which means a 6_DIGIT_PIN+OTP is more secure than just a password.

If OTP is secure conceptually we can all agree that 6_DIGIT_PIN+OTP is not more, or less, but EQUALLY secure as USER_GENERATED_PASSWORD+OTP.

I would LOVE to see that mailbox.org listens to its customers in that regard. You can achieve an EQUALLY secure mailbox by giving your users the possibility of YOUR way of handling 2FA but also enabling the more commonly used way of USER_GENERATED_PASSWORD+OTP.


It would make almost no difference and would eliminate a lot of confusion. And I try to argue this also, additionally, with your own philosophy of making things easy in order to make them secure.


And the last thing that I mentioned before also:


Please! Before finalizing setting up 2FA on your website, give the user the possibility of checking whether their generated token is valid with a confirmation step. Never make a token valid until it's confirmed by the user that they know what they have done. A lot of people here on this forum become super confused over this issue.


It should always be:


WRITE_DOWN_BACKUP_KEY_FOR_OTP_GENERATOR_SAFELY ->

CONFIRM_AUTHENTICITY_BY_TYPING_OTP_ONCE_WITH_PROVIDER_BEFORE_ACTUAL_USAGE ->

LOGIN_WITH_CONFIRMED_WORKING_OTP

1

@Peer Heinlein:

If someone has the password, he can read all e-mails (if not encrypted), which would already be very bad. But with the above third password reset option an attacker would also be able to completely take over an account and lock the legitimate owner out. This is because the password reset switches the 2FA off (correct me if I'm wrong). In connection with the possibility of having anonymous accounts, this could be a major problem.


However, I can understand that without this option you will probably get a higher number of support requests from people who have lost access to their account. Maybe a password analogous to the telephone password for resetting the password online might help. Or let users choose to switch off the third password reset option at their own 'risk' and let them pay for the support if they lock themselves out because they have not configured alternative password reset options (like a mobile phone number or an alternative e-mail address)...

1

@Peer Heinlein


It is a simple question. Why not allow users to create their OWN Password when creating 2FA.


Why can't I choose my OWN password instead of a 6-DIGIT PIN?


It is literally EQUALLY secure if you forbid using the same PW again. (Using YOUR philosophy, I would regard this as the user's problem and not yours, but I'm arguing in terms of mailbox.org's thinking.)


Why can't I use my SELF-GENERATED PASSWORD? Why am I forced to use a 6-digit PIN? I don't feel safe with this, even though I understand why it IS secure. But my own password will be EQUALLY secure, if not _theoretically_ even more secure, because it is obviously longer than a 6-digit number..


Just allow the option to let users create their own passwords when creating their 2FA.

Also you will not get more support requests if you allow users to use their own password.

The password reset part is not the issue here.


please!!!

1

@Peer Heinlein Thanks for your reply. It's always good to hear "official" replies.

I know the case that I've described is not going to happen so often. Probably never. :) Because if someone steals my laptop I have some sort of password and encryption on the hard disk; it's not enough, but it is a bare minimum.

What I was trying to say is: "If the email client has some security flaw (CVE vulnerabilities) and someone finds a way to steal my plaintext password, even if they don't have my device".

Pretty paranoid, but removing the IMAP recovery will make us more secure I think.

1

@Peer Heinlein


You still have not answered my question. I'm asking about the possibility of replacing my 6-digit PIN with a new, self-generated password. The moment you set up 2FA you generate a 6-digit PIN. I ask you to enable an option to create a new, self-generated password.


It will be a new password on top of your old login password, just like your 6-digit PIN, but it can be inherently more secure because it can provide more characters and digits than your 6-digit PIN.


I'm literally not arguing that it's MORE secure. I'm saying it is equally secure, so as not to stir up any unnecessary discussion about it.


Please just enable that option and add a 2FA verification process that tells you if you have set it up correctly before logging in again. You see how many people logged themselves out already.


I would appreciate comments on those points which I have also mentioned in all my other writings/comments above.

6

I'd like to add my voice to this thread: mailbox.org's implementation of 2FA is unintuitive and at best a cause of frustration.


I was seriously tempted to begin my search for a privacy-focussed mail + cal/cardDav service all over again after experiencing this "We know better than our users" attitude apparent in the 2FA setup interface.


Provide your users with the 2FA experience they are accustomed to from all the other 2FA-empowered websites on the net. Stop trying to "be right". Your current setup breaks users' expectations as well as their password manager + token generator setup and makes users NOT use 2FA, which makes everything LESS secure.

1

6 digits - you are lucky - for some reason I can only set a 4-digit PIN. I am taking solace in the fact that the password is effectively different every time anyway, but it just feels wrong having to only remember a 4-digit PIN.

I agree I would much rather have the option of a strong 20 character password in front of my YubiKey.

3

Hey, I don't want to open a new topic for this again. I see I am not the only one frustrated with this.


My mailbox will run out soon but I will always be here in the forum and wait until your flawed password policy is finally addressed.


And btw: when legit darkmode?

1

Any news on this? Is it possible please to just answer this topic to let us know if this will be done some day or never.


As there is no answer and no change, I guess we will just keep having the feature as it is and nothing more; at least it's better than nothing.

4

I'm sorry, but it's not equally secure. It's much much much more INsecure. It is. It is. It is insecure. It is. Totally. Really. Yes. It is.

mailbox.org does not only offer a web interface (like other services!) where we can restrict access and forbid any login with password only. We also offer many different services and protocols like SMTP, XMPP and much more (and much more will be added in the future) that must still be open for password logins. For that reason, a stolen/sniffed password CAN be used to gain access to different services and accounts.

It's totally not comparable to a single web page where a stolen password from an OTP+password login is useless.

We will NOT bring our users into insecure and unsafe situations, no matter how many people do not understand what is secure and what is not secure and why/how different solutions on the market promise security but -- at the end -- do not keep their promises and are just a kind of fake and a risk for their users.

Sorry.

In general, we're re-writing our auth backend and there will be changes like different passwords and more ways to use OTP. But in no case will we enable an OTP login where the real password becomes compromised. We will not do that even if 95% of all users have not understood how OTP and password hijacking work and what kind of risk bullshit those solutions would be.


[Sorry, I wrote this 8 months ago, but I saved it only as a draft and haven't published it. My mistake. Sorry.]

2

Thank you very much for the answer :) Yes, I know that it is secure and how it works; it's just the fact that it remains a digits-only password...

> For general we're re-writing our auth-backend and there will be changes like different password

That would be amazing if we could have a second password for the web interface and/or a second password that would replace the PIN.

Thanks a lot, and great work you are doing here with your services; it's amazing :)

1

I am also frustrated by the implementation of 2FA and do not think it is very secure. The whole point of TWO-FACTOR is that it requires two separate factors to log in. So the choices that I have seen are that I can either have a strong password, OR I can enable the one-time password and essentially downgrade the security (4-digit PIN + 6-digit OTP, essentially a 10-digit number - how hard would this be to brute force?? i.e. 1e+10 vs. my normal password 2,2e+102) of my account while simultaneously making it more cumbersome to log in.

1

It would take a while to brute force that 10 digit number, because you only have a window of 30 seconds. And only 4 digits are static, the other 6 will change with every new window.

3

I think everyone will be happy if we could just use a secondary password instead of the PIN.

3

Yes, I agree; I think people would like that (I know I would).

1

Hey, OP here.


Mr. Heinlein, please!


We have enough support for this. Please make this proposal optional at least... :)


It would be greatly appreciated by the mailbox.org community.


Happy new year everyone.


Ps: When darkmode :D

8

It is rather apparent that the community is trying to provide feedback on the MFA process that is currently being utilized and it's falling on stubborn ears. To me, it's really quite simple and can be summed up in a few facts.

The current MFA setup is confusing, disorganized, and poorly implemented. MFA implementation can prevent up to 90% of account takeovers. You would think that a developer who markets themselves as a security-focused provider would take much greater care in its implementation. I utilize MFA and U2F extensively and nowhere have I been limited to a 4-6 digit PIN and an OTP, nor have I had as much of a headache trying to implement it. Typically it's quite an easy process that takes only a few seconds.

Have you stopped and considered the possibility that you may be putting more of your users at risk because your implementation just doesn't work for them and is outside the norm of what they can easily do? Or is the fundamental right of security only supposed to be for the elite?

As for the PIN. A 4-6 digit PIN versus a string of longer characters is not more secure. It's not. No. It just isn't. Really. Not under any standard. If you feel that it is, I would strongly suggest you write a technical white paper and submit it to SANS for community review. The OTP that follows is simply an additional layer of protection provided by entropy or a physical token that the bad guys aren't going to have access to.

Regarding application access, and access via means other than the website. You guys are not the only ones who offer IMAP or SMTP access. As others have said, this is what app specific passwords and modern authentication are for. With your current setup, users are forced to utilize their primary account password within their e-mail client. You're worried about password hijacking, but you're backing your users into a corner by doing this and giving the bad guys a password that is not tied to a specific system or application, but the master password that can be used for anything, including your website, which if accessed, would allow for a full account take over.

1

Mr. Heinlein might be the victim of an optics problem. Maybe we are used to a form of security theater which provides a sense of security even though in reality it is not as secure as we think it is.

That being said: I don't think it is wise to sidetrack a community of confusion and frustration around the whole OTP/MFA topic.

I would very much like to be educated on why the current Mailbox.org OTP config is as secure as or more secure than outlook.com's or protonmail.com's or tutanota.com's security. I appreciate Mr. Heinlein's dedication to principles and security, I just cannot find the 'why' or 'how so' behind the reasoning. If you can elaborate, a video or podcast would be nice, or a blog article.

----

After using the Mailbox.org service for a few years-ish and not seeing a significant change in the OTP topic here, I feel I'm getting a bit fatigued by it.

And to take a step back: my best experience is not typing in an OTP number or pressing a yubikey. It is FaceID or pressing [Approve] on my phone.

1

I would greatly prefer a two-step solution like what other providers offer (password then OTP), but maybe due to my lack of technical know-how, the solution proposed by Mailbox is more secure and works better with their offerings than a two-step solution.

In that case, I concur with the others, that using an alphanumeric password of our choice + OTP appended as the new login sounds like a much better and secure solution than relying on a 4-digit PIN. At the very least, this should be an option.

What I don't get is if users use IMAP with 2FA enabled, I'm guessing IMAP uses their actual account password. In that case, how is this solution more secure exactly?

2

From a different angle, I would like to see FIDO or FIDO2 UAF being implemented as an extra option for two-factor authentication. This allows users to use a generic security key (which only supports FIDO or FIDO2, but not OTP).

2

It gives me so many troubles, because I'm using a password manager and with this 2FA I can't even use it. On every other website my password manager fills in login and password; after that I manually enter the TOTP and that's it. Here at mailbox.org I'm forced to only use a password, because with the 2FA the password constantly changes.

1

Was about to give up on 2FA but after spending more than an hour... eventually got it working.

Hopefully I will now be able to recall this very contrarian login process when I need it again.

Will continue using mailbox.org but won’t be able to recommend it to less tech savvy users.

There’s a balance to be struck between security and general usability.

3

I just migrated to this email provider (after testing a dozen of others first) and I was very satisfied with everything. Until I decided to enable 2FA... Now I'm simply thinking about looking for another provider.


As a user has mentioned here previously, this is so counter-intuitive and annoying to use that I'm pretty sure it forces the vast majority of users to turn off 2FA which is *undoubtedly* less secure.


There's no way I'm going to use this even if you managed to convince me it's more secure (which I doubt) simply because it is UNUSABLE as it has been mentioned here multiple times.


So my options are either I stay here and completely disable 2FA which would make me totally nervous or I am simply looking for an email provider that cares to provide users with a 2FA method that they are willing to use.

2

I would tend to agree with @1201676. Is mailbox.org reconsidering their position?

1

The PIN is not a 4 digit PIN (anymore).

The PIN may contain uppercase and lowercase letters as well as numbers, but not any special characters.

2

I've read the thread twice and checked the 2FA knowledgebase article.

Am I right to say that mailbox.org implemented an OTP solution primarily to allow users to log in safely on devices they don't trust?

And most of the users in this thread want 2FA so their account can't be accessed using only the password if that password is compromised.

In my use case, all my logins are on devices that I trust. But to get the increased security I want I'm being told I need to adopt mailbox.org's more-secure-but-non-standard 2FA login.

Is that a fair summary?


It's not a huge inconvenience to learn to log in that way. But it's frustrating not to be able to make an informed choice between your 2FA implementation and the standard one. And I wasted far too much time understanding the issue and writing this comment.

2

I'm also a bit concerned about it, because all the major players in IT have implemented a standard 2FA, which is quite convenient for me. The current realisation of a 2FA in mailbox.org is frustrating.

1

This actually made me reconsider switching to mailbox.org. I've never seen a provider that basically makes you replace your password with a 4-digit PIN when you enable 2FA.

Essentially the login is now 4 static digits and 6 digits that change every 30 seconds.

1

The normal threat model for TOTP is phishing, and this requires people to set a PIN in addition to their IMAP password.


Convenience /= security.


If other email providers have implemented this in another way, it doesn't mean it provides additional security.

1

Thanks @badmin.

So do I have this right:

1. With a "standard" TOTP implementation the user gets phished and inputs their username and IMAP password on screen A and their TOTP on screen B. The bad guys have the username and IMAP password plus TOTP that's valid for 30 seconds.

2. With mailbox.org's "non-standard" TOTP implementation the user gets phished and inputs their username and a password of 4 static digits plus 6 digits from their TOTP on screen A. The bad guys have the username and static 4 digits plus TOTP that's valid for 30 seconds.


In both cases if they can authenticate fast enough they can get into the account once?


What am I not seeing that makes one scenario more secure than the other?

1

Thanks @ethan.


So what I understand from the linked thread is:

even if I enable TOTP-based 2FA on mailbox.org (and most non-Google email service providers), if my password is compromised a bad guy can access my emails via IMAP without needing a TOTP.


And mailbox.org's solution to this is, if you choose to enable 2FA, to force you not to use your password (which can be used with IMAP) but to use the static digits plus TOTP digits (which can never be used with IMAP).


They could really do with someone who has English as a first language to explain this on the knowledge base.


There is logic behind their decisions but having to go to forum threads full of confused and [mildly] angry customers to understand it isn't a good look.

2

Still, there is a better solution. Allow access via IMAP only with a password generated in mailbox.org, which is called "Password for an external app" and is not the same as the account password, so that Master Password (account password) != Password for an external app. 1 IMAP/SMTP connection - 1 random password for Thunderbird/Outlook/The Bat and others. Even if scammers were able to retrieve the "Password for an external app", it wouldn't be the account password and they wouldn't be able to access the mailbox.org account and settings. In the above-mentioned discussion it's called an API password.


With this method security would be intact and mailbox.org could switch to a normal universal 2FA scheme.
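The two phishing scenarios laid out earlier in the thread (password + separate OTP field versus PIN + OTP digits in the password field) and the IMAP-only "Password for an external app" proposed in the post above, modelled side by side as an added example. This is constructed here, not mailbox.org's code; the sample account values, the 30 s TOTP step, the window-aligned timestamp and the revocation behaviour are assumptions of the model.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# Simulation timestamp, aligned to the start of a 30 s TOTP window so that the
# "10 seconds later" replay below lands inside the same window (an assumption of
# this model; a real replay just has to land before the window rolls over).
T0 = (1_700_000_000 // 30) * 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from Unix time."""
    return hotp(secret, at // step, digits)


@dataclass
class Account:
    password: str                 # long user-chosen password; also what IMAP/SMTP accept
    pin: str                      # short static PIN (the mailbox.org-style replacement)
    totp_secret: bytes
    app_passwords: dict = field(default_factory=dict)   # label -> IMAP-only password

    def web_login_standard(self, password: str, code: str, now: int) -> bool:
        # Conventional scheme: account password in one field, OTP in a second field.
        return password == self.password and code == totp(self.totp_secret, now)

    def web_login_pin_otp(self, field_value: str, now: int) -> bool:
        # mailbox.org-style scheme: the password field holds PIN + current TOTP digits.
        return field_value == self.pin + totp(self.totp_secret, now)

    def imap_login(self, password: str) -> bool:
        # Mail clients cannot present an OTP, so IMAP/SMTP accept the account password
        # or a still-valid app password. A PIN+OTP string is never valid here.
        return password == self.password or password in self.app_passwords.values()


def phished_credentials_outcome(acct: Account, scheme: str, t0: int) -> dict:
    """What a phishing page that captured the login fields at t0 can do with them:
    replay on the web login 10 s later, on the web login an hour later, and on IMAP."""
    code = totp(acct.totp_secret, t0)
    if scheme == "standard":
        pw, otp = acct.password, code          # both fields were typed into the phish
        return {
            "web_now": acct.web_login_standard(pw, otp, t0 + 10),
            "web_later": acct.web_login_standard(pw, otp, t0 + 3600),
            "imap_later": acct.imap_login(pw),  # the password alone is enough for IMAP
        }
    captured = acct.pin + code                  # the only secret the user typed
    return {
        "web_now": acct.web_login_pin_otp(captured, t0 + 10),
        "web_later": acct.web_login_pin_otp(captured, t0 + 3600),
        "imap_later": acct.imap_login(captured),
    }


def leaked_client_password_outcome(acct: Account, label: str) -> tuple:
    """The thread's other scenario: a mail client's stored password leaks. With an
    app password the leak reaches IMAP only, and revoking it closes that access."""
    leaked = acct.app_passwords[label]
    before = {
        "imap": acct.imap_login(leaked),
        # Not the account password, so the web login fails even with a valid OTP.
        "web": acct.web_login_standard(leaked, totp(acct.totp_secret, T0), T0),
    }
    del acct.app_passwords[label]               # the user revokes it in the settings
    after = {"imap": acct.imap_login(leaked)}
    return before, after


if __name__ == "__main__":
    # Constructed sample account; the secret and passwords are placeholders.
    acct = Account("correct horse battery staple", "4711", b"constructed-secret",
                   {"thunderbird": "app-pw-constructed"})
    for scheme in ("standard", "pin_otp"):
        print(scheme, phished_credentials_outcome(acct, scheme, T0))
    print("app password leak:", leaked_client_password_outcome(acct, "thunderbird"))
```

Under the standard scheme the phished account password keeps working on IMAP long after the OTP window has closed, whereas the phished PIN+OTP string is rejected by IMAP outright; the app-password model gives the standard web login without exposing the account password to mail clients.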

2

Exactly this, as many other mail organisations, including Apple or Google, are doing...

1

Setting unique passwords for external applications also allows mailbox.org to link accounts to specific applications and devices (reducing privacy).

1

And what can they do with that information? Mailbox already knows our IPs, our browser's characteristics and what mail clients we use. Moreover, privacy-oriented users are already clients of Protonmail, Posteo and other services. We, as the target audience of Mailbox.org, can demand that our needs and wants be satisfied fully with a proper 2FA scheme.

1

@9504216 you got it right. If access via IMAP is possible, one can also reset the password and take over the account.

@David they won't allow this because they wouldn't be able to use it properly with LDAP (read this in the german forum). It would lead to the situation that every server involved could "read" the user's password.

3

2 years later and Mailbox.org spends more time building a video app because it's fun instead of listening to what its users want. :\

1

There is a detailed explanation about FIDO not being implemented at mailbox.org from Peer Heinlein in the (German) Kuketz forum: https://forum.kuketz-blog.de/viewtopic.php?t=9257

I think it might be a good idea to read his statement as it was very interesting to me.


btw - personally I think the development of the new video conferencing system is a really great thing and I'm looking forward to using it. Just my opinion...

1

Removed my duplicate comment

1

For 2FA or SSO I suggest considering either https://lemonldap-ng.org or https://www.keycloak.org


Both products above have strong security and strong privacy. Because they are open source :) My favorite is LemonLDAP-NG. Because, legally speaking, LemonLDAP-NG is owned and controlled by both you and a not-for-profit community. In comparison, Keycloak is, legally speaking, indirectly owned and controlled by the for-profit IBM.


Screenshot, summary, and details at https://userforum-en.mailbox.org/topic/1427-2fa-with-lemonldap-ng-or-keycloak

2

I vote +1 and 25 for my co-workers

It is a funny thing that mailbox.org wants to serve as an alternative to the usual suspects, the bigger office account providers, and still did not implement 2FA, even when the times state that it's as mandatory as TLS in web browsers. I hope mailbox.org will put this on the HIGHEST priority and if it costs money, then what the heck, it is about security... Imagine one day your customers get hacked; you will have to pay much more for the hacked accounts than for the 2FA implementation...


As this thread was linked by another thread, please search on YOUR OWN website/forum for 2FA and add all proposals/votes to this thread; I bet we reach 200 and more already... The issue is that there are several threads about this topic and that is why mailbox.org does not see the customer impact that this function would have.


Last, a funny story: Even the state of Hungary was able to implement 2FA for their customer gate and a German private company is not able to do so... I would judge as a stoopid watcher without background knowledge that mailbox.org is not professional at all.

Thank you for raising the priority on this implementation and I am sure we can count on it in the 2nd half of 2022.

2

mailbox.org did implement 2FA, I am using it and it works well. I don't even have to open my password manager.

1

Pictures show more than words; I already opened a technical customer support ticket, let's see if they work today.

1

Hello,

we are aware that this feature is very important for our customers and for the safety of our customers. Right now we are offering 2FA for private customers. We are already working on a solution for our business customers with Keycloak, but it will take some more time until we can implement it.

All the best from your

mailbox.org team

1

Let's be more honest and say "we are offering a really janky 2FA solution that only fits into the workflow of nerds and is not useful for the average consumer relative to what our competitors have offered for several years now, and we don't have the resources to update this properly because we hitched our wagon to OX, which moves at the speed of a slug."

1

That's harsh, but true. I don't know how close mailbox is to the OX team, but knowing where the OX features are going would be a great +. Right now it's very opaque.

1

I do not see any progress yet in 16 days; did someone work on this task already? Could we please get a status update?

1

Bro, this issue has been open for 3 years; it sucks, but they really don't care, or they care and they can't do it. Either way, if it's a mandatory requirement you should try to find a different vendor with this feature. Open-Xchange usually only does a major software update once a year and it takes Mailbox a few months of QA/UAT to implement it. I predict this will be done in 2024 at the earliest.

1

Hello,

we (the users) are aware that this feature is NOT important for mailbox.org and the safety and security of business customers is NOT important for mailbox.org, too. For 3 years mailbox.org has already been offering 2FA for private customers, so mailbox.org seems to be a B2C company only. Business customers could continue waiting for the next 3 years, like they needed to wait 3 years before, and always read the same template answer: "We are already working on a solution for our business customers with Keycloak, but it will take some more time until we can implement it."

business users, soon leaving the paid plan due to security issues in mailbox.org

1

I do not see progress in 22 days; did someone work on this task already? Could we please get a status update?

1

For those interested in using or contributing to 2FA for Mailbox.org Business, you are welcome to join this other discussion at https://userforum-en.mailbox.org/topic/1556-2fa-for-business

For those not familiar with Mailbox.org, there are two types of accounts, which are Private and Business. Mailbox.org has offered 2FA for Private accounts for a while. The documentation for Mailbox.org 2FA for Private is at https://kb.mailbox.org/en/private/account-article/how-to-use-two-factor-authentication-2fa

As for Mailbox.org Business, as of now May 2023, Mailbox.org does not yet offer 2FA. But they expressed their interest in offering 2FA. Details are in this January 19th, 2023 comment by Mailbox.org staff at https://userforum-en.mailbox.org/topic/1556-2fa-for-business#comment-2652

2

Business has less security than private people; I like that attitude, but please, maybe do not ask for a payment from business customers, okay? The impact of a hacked business customer could get mailbox.org bankrupt in 1 day - oh, and could mailbox.org please add a timeline for the implementation? I heard that from my bank, "we are working on that", and three years later the same template answer was given, so please be a little bit more open.

1

I concur with the implementation timeline of a variety of features. It is a very common procedure that increases transparency and trust among customers.

1

I do not see progress in 16 days; did someone work on this task already? Could we please get a status update?

2

So is something gonna happen? It slowly turns into a joke ...

2

I agree, but paying customers are ignored by mailbox.org, especially if they are business customers; they produced this for private people, who have had the benefit of 2FA for 2 years already.

7

As a new user in the paid standard plan I have to agree with the point that I find the 2FA implementation awkward. I'd also prefer a formal logon with username and complex password + OTP. Also, I think a security-focused provider should support FIDO U2F and FIDO2/WebAuthn as well. In addition I fully support the request to Mailbox.org to be more responsive and at least provide a rough timeline and a status.

1

My last business email service was hacked and was held for ransom. I wanted to find a provider that was more private and more secure. I tried MANY MANY trials, and I fell in love with mailbox.org personal setup.


I signed up for a business account today, now I can't turn on 2FA on either the business admin side or the individual emails???


This is a huge deal, huge. The PIN is not so much of a deal for me as we all use hardware tokens, but there isn't anything for business services! This will probably force me somewhere else; I cannot leave that huge security hole open.

4

Peer, the CEO, is too busy drinking champagne with Open-Xchange, the company that builds the software Mailbox uses that isn't implementing 2FA, to care about the users of this service. Literally drinking champagne with them:


https://twitter.com/openxchange/status/1582655525111664641?s=20&t=9OuddV6yp89cSB8A4tTthw


EU Digital Sovereignty money is too much of a cash cow to worry about making the product more competitive (or barely up to standard) with the market. Seems to be a pattern with European software. Wait till your retinas burn in because it's 2023 and there's still no dark mode. You'll be regretting setting anything up with this mid-2000s email service.

1

Seems like something's happening, without any result so far: https://userforum-en.mailbox.org/topic/1556-2fa-for-business

Can't wait for this to happen.
