2FA With LemonLDAP-NG Or Keycloak

Francewhoa shared this idea 46 days ago

Hello all Mailbox.org enthusiasts :)

This is a suggestion for the Mailbox.org (MB) team about adding Two-Factor Authentication (2FA) on both of those log-in pages, at https://setup.mailbox.org/#/login and https://login.mailbox.org/en, so that both MB and its clients benefit from stronger security, while MB increases its income and reduces its operating cost.

The challenge is that, for Business account clients, 2FA is presently available at neither https://setup.mailbox.org/#/login nor https://login.mailbox.org/en. In comparison, Private clients can activate 2FA at https://login.mailbox.org/en.

To resolve this challenge, for MB to review for interest and decision, I suggest considering either https://lemonldap-ng.org or https://www.keycloak.org

Both products above have strong security and strong privacy, because they are open source :) My favorite is LemonLDAP-NG, because, legally speaking, LemonLDAP-NG is owned and controlled by both you and a not-for-profit community. In comparison, Keycloak is, legally speaking, indirectly owned and controlled by the for-profit IBM.

Screenshot LemonLDAP-NG

--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---

Below is the same suggestion as above, but with details if you're interested in those.

User Story.

As a client of MB, I need Two-Factor Authentication (TFA) on both of those log-in pages, at https://setup.mailbox.org/#/login and https://login.mailbox.org/en, so that I benefit from:

Stronger Security.

Stronger protection against brute-force attacks (https://en.wikipedia.org/wiki/Brute-force_attack). Stronger security because TFA codes are constantly changed; dynamically generated passcodes are safer to use than fixed (static) log-in information. Also, depending on the solution, passcodes that have been used are automatically replaced in order to ensure that a valid code is always available, so transmission/reception problems do not prevent logins.

Increase MB Income.

Most of my clients and my insurance companies require TFA to do business with them. This is often included in contracts between us. In other words, to be eligible to do business, most of them require TFA on all servers. In turn, MB's product would be more attractive, and MB's income could potentially increase. Also, most of MB's competitors, such as Amazon and Microsoft, already have TFA on most of their log-in forms.

Reduce MB Operating Cost.

Like most hosting companies, I guess that MB has a significant cost dealing with customers' requests about intrusions. TFA could significantly reduce those intrusions. In turn, MB would reduce its operating cost.

--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---


• Assumes that this screenshot shows an example of a successfully implemented TFA powered by the free and open source LemonLDAP-NG at https://i.postimg.cc/85tDYxr2/Lemon-LDAP-NG-English-Screenshot-2022-04-12-at-10-53-39-Authentication-portal.png

• Assumes that by Two-Factor Authentication (TFA) we mean this https://en.wikipedia.org/wiki/Multi-factor_authentication

• Assumes that synonyms of TFA are:

    • Authentification en deux étapes

    • Multi-Factor Authentication

    • Two-Factor Authentication (TFA)

    • Vérification en deux étapes

• Assumes that the TFA would allow using a mobile app, such as:

    • FreeOTP+ at https://play.google.com/store/apps/details?id=org.liberty.android.freeotpplus&hl=en_US&gl=US

    • FreeOTP at https://freeotp.github.io/

• Assumes that optional backup codes would be available, so that when the user somehow loses their phone, they are still able to log in

--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---

Suggested Resolution

Feel really free to choose any TFA option to your liking. The Ubertus team suggests considering the following options, which are all secure and safe. For OpenStack Horizon Keystone version 3+.

Option 1 of 2 : LemonLDAP-NG

• Free and open source software. This means stronger security and stronger privacy, because the software code is fully available for all to review and/or contribute to: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng

• Cost reduction for MB, because there are no license fees to pay to LemonLDAP-NG.

• The main strength of LemonLDAP-NG is that it is owned by a friendly not-for-profit community, not by a for-profit corporation. Legally speaking, this means that LemonLDAP-NG is directly CONTROLLED by both YOU and its friendly community.

    • Source about LemonLDAP-NG being owned by a friendly not-for-profit community:

        • https://lemonldap-ng.org/team.html

            • https://archive.ph/7B9Sd

• Docker container repository at https://github.com/LemonLDAPNG/lemonldap-ng-docker

• Screenshots at https://lemonldap-ng.org/screenshots

• LemonLDAP-NG is used by many organizations. One example is the "Document Foundation", which facilitates the growth of LibreOffice. You can try LemonLDAP-NG for free at https://auth.documentfoundation.org

• Download at https://lemonldap-ng.org/download

• Homepage at https://lemonldap-ng.org

Option 2 of 2 : Keycloak

• Free and open source software. This means stronger security and stronger privacy, because the software code is fully available for all to review and/or contribute to: https://github.com/keycloak/keycloak

• Cost reduction for MB, because there are no license fees to pay to Keycloak.

• The main challenge with Keycloak is that it is owned by RedHat. In turn, RedHat is owned by IBM, and IBM is a for-profit corporation. Legally speaking, this means that Keycloak is indirectly (by proxy) CONTROLLED by IBM.

    • Source about RedHat being owned by the for-profit IBM since 2018:

        • https://www.itworldcanada.com/article/ibm-acquires-red-had-in-largest-software-acquisition-ever-for-34-billion-analysis/410878

            • https://archive.ph/smFLy

• Docker container repository at https://www.keycloak.org/getting-started/getting-started-docker

• Documentation at https://www.keycloak.org/documentation

• Download at https://www.keycloak.org/downloads

• Homepage at https://www.keycloak.org

• According to Andreas' message from April 12th, 2022, the MB team is presently in the process of developing a solution based on Keycloak

--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---


If needed, both I and the Ubertus team would be happy to contribute testing and documentation.

--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---

You're welcome to ask me if you have questions about any of the above.


Francois Carpentier (Francewhoa)

Senior Product Manager, and Co-Founder at https://ubertus.org
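The mechanism the "Stronger Security" section above relies on, as an added Python example that is not code from this post, from Mailbox.org, LemonLDAP-NG or Keycloak: time-based one-time passcodes (RFC 4226 HOTP / RFC 6238 TOTP) of the kind an app such as FreeOTP displays, generated and verified with only the standard library. It also shows the two server-side checks a practitioner would want beside the passcode itself: an accepted code is never accepted a second time (so a passcode captured in transit cannot be replayed within its 30-second window), and backup codes for a lost phone are stored hashed and consumed on first use. The account label, issuer name, secret and backup codes are constructed sample values.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

STEP_SECONDS = 30   # TOTP time step used by FreeOTP and most authenticator apps
DIGITS = 6          # length of the displayed passcode


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is derived from Unix time, so the code changes every step."""
    return hotp(secret, at // step)


def provisioning_uri(account: str, issuer: str, secret: bytes) -> str:
    """Key URI that an authenticator app enrols by scanning it as a QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1"
            f"&digits={DIGITS}&period={STEP_SECONDS}")


def generate_backup_codes(count: int = 10) -> list:
    """Random single-use backup codes, shown to the user once at enrolment."""
    return [f"{secrets.token_hex(2)}-{secrets.token_hex(2)}" for _ in range(count)]


def _hash_code(code: str) -> str:
    # Normalise what the user typed before hashing so "AAAA-BBBB " and "aaaa-bbbb" match.
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


class SecondFactor:
    """Server-side second-factor state for one account (constructed example, not a product API)."""

    def __init__(self, secret: bytes, backup_codes):
        self.secret = secret
        self.last_used_counter = -1          # highest TOTP counter already accepted
        # Store only hashes: a database leak must not hand out usable backup codes.
        self.backup_hashes = {_hash_code(c) for c in backup_codes}

    def verify_totp(self, code: str, now: int, skew_steps: int = 1) -> bool:
        """Accept the code for the current step or one step either side (clock drift),
        but never a counter at or below the last accepted one, so a code cannot be replayed."""
        counter_now = now // STEP_SECONDS
        for counter in range(counter_now - skew_steps, counter_now + skew_steps + 1):
            if counter <= self.last_used_counter:
                continue
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_used_counter = counter
                return True
        return False

    def verify_backup_code(self, code: str) -> bool:
        """Backup codes are consumed on use: the same code is never accepted twice."""
        digest = _hash_code(code)
        if digest in self.backup_hashes:
            self.backup_hashes.remove(digest)
            return True
        return False


if __name__ == "__main__":
    secret = secrets.token_bytes(20)          # 160-bit seed created at enrolment (constructed)
    backups = generate_backup_codes()
    account = SecondFactor(secret, backups)
    print(provisioning_uri("user@example.org", "Example Mail", secret))  # constructed labels
    now = int(time.time())
    current = totp(secret, now)
    print("app shows:", current)
    print("login with current code:", account.verify_totp(current, now))
    print("replay of the same code:", account.verify_totp(current, now))
    print("backup code after losing the phone:", account.verify_backup_code(backups[0]))
    print("same backup code again:", account.verify_backup_code(backups[0]))
```

The `hotp`/`totp` functions reproduce the published RFC test vectors (secret `12345678901234567890`, Unix time 59 gives `287082`), which is a convenient way to check any TOTP implementation against the apps the post lists. The replay check keeps only one integer per account, which is what makes it cheap enough to run on every login.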

Comments (1)


Wow, you really have some great ideas! I know that mailbox.org is currently working on implementing Keycloak especially for their business clients, but they could not tell me when it will be ready. Maybe someone else in this forum has any ideas or knows a little bit more. I imagine that it is fairly complex on a bigger setup like mailbox.org's.


Hello @7610926 :) Thanks for your comment.

I can confirm that both learning and implementing any 2FA and/or SSO is a lot of work, including LemonLDAP-NG, Keycloak, or similar. It is worth it, though. Unfortunately, there is no button on the keyboard that can be pressed to magically implement 2FA or SSO (joke ;)

At Ubertus.org, both I and the team implemented a lot of those for our clients. They love it. It pays for itself in the mid to long term, because their products and services are more attractive. In turn, they saw a significant increase in their income.

Also, in the long term, Google's, IBM's, or Microsoft's business models are not able to compete with their competitors using the strong security and strong privacy of open source LemonLDAP-NG or Keycloak.

As for when Keycloak will be implemented at Mailbox.org, speaking for myself, I will not interfere with them by telling them when they should implement it. Instead, I will patiently wait for them to announce a date when they are ready, as pressuring them would not help but would risk slowing things down. What I can do to potentially speed things up is to offer them, as a volunteer, to contribute privately by testing their Keycloak, if this is of interest to them.

I wish that the Mailbox.org team's implementation of Keycloak goes to their liking :) I look forward to trying it.

