Welcome to the mailbox.org user forum!
 

2FA for Business

Marco.heinemann@useblocks.com shared this idea 23 months ago
Proposed

HI,

it looks like mailbox.org does not support 2FA / MFA for business. At least there are no options in setup.mailbox.org or in the user mailbox settings.


If that's true, when will this be available? It's pretty much a deciding factor for me.

In that regard, it would also be quite relevant to support app specific passwords for caldav/carddav/imap clients.


Thanks, Marco

Replies (7)

photo
3

Thank you very much for your inquiry. The integration of 2FA for our private customers has been an integral part of our services for several years.


Since additional security is equally vital for our business customers, we are going a step further and would like to make use of the latest technologies and additional layers of security in the near future.

Your mailbox.org team


We are already working on this feature. Unfortunately I can't give you a fixed date for the implementation as of right now.

photo
2

Are you working on 2FA AND app specific passwords as mentioned what Marco asks.

Or do you only mean 2FA? Really looking forward to app-specific passwords within mailbox.org

photo
photo
1

For Two-Factor authentication (2FA) for Mailbox.org Business, for Mailbox.org review, and decision, I suggest considering those three:
https://lemonldap-ng.org
https://www.shibboleth.net
https://www.keycloak.org
--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---

Below is the same suggestion as above. But with details if you're interested in those.

All 3 products listed above have strong security and strong privacy. Because they are open source :) My favorite is LemonLDAP-NG. Because, legally speaking, LemonLDAP-NG is owned and controlled by both you and a not-for-profit community. In comparison, Keycloak is, legally speaking, indirectly owned and controlled by the for-profit IBM. Shibboleth is my second favorite.
--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---

About LemonLDAP-NG

ae5bd7b7034851491900fb0c3df0cf09

Strength:
• LemonLDAP-NG is use as 2FA and MFA by many organizations. One high profile example is the "Document Foundation". Which facilitate the growth of the very popular LibreOffice. You can try LemonLDAP-NG for free at https://auth.documentfoundation.org
• Won OW2 awards:
___• OW2con'14 Community Award
___• OW2con'18 Community Award
• No license fees
• Optional Docker for faster and easier installation at https://github.com/LemonLDAPNG/lemonldap-ng-docker
• Free community support at https://lemonldap-ng.org/contact.html
• Libre Source (Open Source). If you are not familiar with "Libre Source", it means this software has both stronger security & stronger privacy. Because its code is publicly available for review and contributions at https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng or at https://github.com/LemonLDAPNG/lemonldap-ng
• Attractive GNU General Public License version 2. This means the software code of this extension is owned and supported by a friendly not-for-profit community. Instead of a for-profit corporation. https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/v2.0/LICENSE
• The main strength of LemonLDAP-NG it that it is owned by a friendly not-for-profit community. Not by a for-profit corporation. Legally speaking, this means that LemonLDAP-NG is directly CONTROLLED by both YOU and its friendly community. Also, not-for profit organization are more likely to value people above money. In comparison, most other Two-Factor Authentication options are owned and controlled by a for-profit organization. Which risk to value money above people.
___• Source about LemonLDAP-NG owned by a friendly not-for-profit community:
______• https://lemonldap-ng.org/team.html
____________• https://archive.ph/7B9Sd
• Easier user interface. With lots of features.
• Many additional features to 2FA and MFA. Such as, but not limited to:
___• SSO
___• OpenID Connect
___• CAS
___• SAML
• User interface adapted for System Administrators
• France Connect certified
• FusionIAM project member

Show Your Support:
• If you enjoy this application, show your support to the authors & contributors with:
___• Join mailing list at https://lemonldap-ng.org/contact.html
___• Contribute to documentation at https://lemonldap-ng.org/documentation/latest/
___• Patch at https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng

Note:

• Docker container repository at https://github.com/LemonLDAPNG/lemonldap-ng-docker
• Screenshots at https://lemonldap-ng.org/screenshots
• Download at https://lemonldap-ng.org/download
• Homepage at https://lemonldap-ng.org
• Support and social media at https://lemonldap-ng.org/contact.html
• Comparison between LemonLDAP-NG and Keycloak. Available in French only at:
___• https://www.worteks.com/assets/support-conference/2022/Presentation-OpensourceExperience-2022-Keycloak-vs-LemonLDAP.pdf
___• https://web.archive.org/web/20230504010955/https://www.worteks.com/assets/support-conference/2022/Presentation-OpensourceExperience-2022-Keycloak-vs-LemonLDAP.pdf

More screenshots of LemonLDAP-NG

b695e5c47b69b4cbb578e4bef10dde6a

5b5d63f0248372ff0085a1f2854cc65d
--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---

If needed, both me and the Ubertus.org team would be happy to contribute testing and documentation for 2FA. Whatever which option Mailbox.org chooses.

photo
4

Hello all two-factor authentication enthusiasts :)

We received this status update from the Mailbox.org team on May 5th, 2023: "As to 2FA for business customers we are currently working on an implementation with Keycloak"

--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---

Below is the same message as above. But with details if you're interested in those.

They do not have an estimated time of delivery (ETA)

For those not familiar with Keycloak, it is "an open source software product to allow single sign-on with identity and access management aimed at modern applications and services."

763?token=52e41da97732e83d57bd9614388d41a1

Website https://www.keycloak.org

Video with screenshot https://www.youtube.com/watch?v=RzxzY1dluvo

Video backend https://www.youtube.com/watch?v=K7mjE58hl4I

Video French https://www.youtube.com/watch?v=AxYKRBT9JDw

Source repository https://github.com/keycloak/keycloak

Wikipedia article https://en.wikipedia.org/wiki/Keycloak

photo
4

Thanks for the update Francewho!

photo
2

I'd appreciate a status report by mailbox.org with an ETA for 2FA/MFA and app passwords.
As a long term customer of mailbox.org, I bring quite same patience to the table.

I had a ticket open in August 2021 in which I asked for MFA for business, the feedback was:

> Um eine 2FA anbieten zu können, sind einige grundsätzliche Anpassungen bei der Authentifizierung im Businessbereich notwendig. Erst danach können wir mit der eigentlichen Implementierung für den zweiten Faktor starten.

> Mit diesen Änderungen haben wir begonnen, aber es liegt noch ein weiter Weg vor uns. Aktuell rechnen wir mit einem Beginn der Umsetzung der 2FA selbst im zweiten Quartal 2022, aber eine Garantie können wir natürlich (noch) nicht geben.


I just listened to Episode 965 of Security Now. The full text as PDF can be found here. I mention this as there is a lengthy section about how the 'I forgot my password links' on all major websites of the Internet makes passwords actually optional. If you want to login, you just click the link and get a one time password via e-mail. This makes e-mail the weakest link in the authentication chain. The episode also talks about passkeys and how they compare against classic user/pw with 2FA.

I feel quite uncomfortable without 2FA on the website and without app password for IMAP mail clients.
Don't want to sound rude, however mailbox.org specifically advertises its security architecture and what it does to protect users, so I would expect this topic to get quite some management attention.

Thanks for any update and this. And don't get me wrong, I like the services that mailbox.org offers and I have a lot of trust on the server side of things. The missing state-of-the-art authentication features however put a lot of burden on the users and their password management skills and also their mail clients.

photo
1

I agree, there should be an update on this WebAuthN support, or at least Authenticator app support for the web login is becoming standard for modern services, passkey support is also gaining more and more adoption.

I‘d also like to see app passwords for IMAP.

photo
photo
1

I just checked the settings of my business account. There are app passwords. But not for imap, only caldav/carddav. But I will certainly try this out.


d1acf1f078bf8c31bab2f02a994a5e7b

Leave a Comment
 
Attach a file