2FA for Business
Proposed
Hi,
it looks like mailbox.org does not support 2FA / MFA for business. At least there are no options in setup.mailbox.org or in the user mailbox settings.
If that's true, when will this be available? It's pretty much a deciding factor for me.
In that regard, it would also be quite relevant to support app specific passwords for caldav/carddav/imap clients.
Thanks, Marco
Thank you very much for your inquiry. The integration of 2FA for our private customers has been an integral part of our services for several years.
Since additional security is equally vital for our business customers, we are going a step further and would like to make use of the latest technologies and additional layers of security in the near future.
Your mailbox.org team
We are already working on this feature. Unfortunately I can't give you a fixed date for the implementation as of right now.
Related discussions at:
https://userforum-en.mailbox.org/topic/1427-2fa-with-lemonldap-ng-or-keycloak
https://userforum-en.mailbox.org/topic/lets-talk-about-2fa-on-this-website-again
For Two-Factor authentication (2FA) for Mailbox.org Business, for Mailbox.org review, and decision, I suggest considering those three:
• https://lemonldap-ng.org
• https://www.shibboleth.net
• https://www.keycloak.org
--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---
Below is the same suggestion as above. But with details if you're interested in those.
All 3 products listed above have strong security and strong privacy. Because they are open source :) My favorite is LemonLDAP-NG. Because, legally speaking, LemonLDAP-NG is owned and controlled by both you and a not-for-profit community. In comparison, Keycloak is, legally speaking, indirectly owned and controlled by the for-profit IBM. Shibboleth is my second favorite.
--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---
About LemonLDAP-NG
Strength:
• LemonLDAP-NG is used as 2FA and MFA by many organizations. One high profile example is the "Document Foundation", which facilitates the growth of the very popular LibreOffice. You can try LemonLDAP-NG for free at https://auth.documentfoundation.org
• Won OW2 awards:
___• OW2con'14 Community Award
___• OW2con'18 Community Award
• No license fees
• Optional Docker for faster and easier installation at https://github.com/LemonLDAPNG/lemonldap-ng-docker
• Free community support at https://lemonldap-ng.org/contact.html
• Libre Source (Open Source). If you are not familiar with "Libre Source", it means this software has both stronger security & stronger privacy. Because its code is publicly available for review and contributions at https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng or at https://github.com/LemonLDAPNG/lemonldap-ng
• Attractive GNU General Public License version 2. This means the software code of this extension is owned and supported by a friendly not-for-profit community. Instead of a for-profit corporation. https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/v2.0/LICENSE
• The main strength of LemonLDAP-NG is that it is owned by a friendly not-for-profit community. Not by a for-profit corporation. Legally speaking, this means that LemonLDAP-NG is directly CONTROLLED by both YOU and its friendly community. Also, not-for-profit organizations are more likely to value people above money. In comparison, most other Two-Factor Authentication options are owned and controlled by a for-profit organization. Which risks valuing money above people.
___• Source about LemonLDAP-NG owned by a friendly not-for-profit community:
______• https://lemonldap-ng.org/team.html
____________• https://archive.ph/7B9Sd
• Easier user interface. With lots of features.
• Many additional features to 2FA and MFA. Such as, but not limited to:
___• SSO
___• OpenID Connect
___• CAS
___• SAML
• User interface adapted for System Administrators
• France Connect certified
• FusionIAM project member
Show Your Support:
• If you enjoy this application, show your support to the authors & contributors with:
___• Join mailing list at https://lemonldap-ng.org/contact.html
___• Contribute to documentation at https://lemonldap-ng.org/documentation/latest/
___• Patch at https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
Note:
• Docker container repository at https://github.com/LemonLDAPNG/lemonldap-ng-docker
• Screenshots at https://lemonldap-ng.org/screenshots
• Download at https://lemonldap-ng.org/download
• Homepage at https://lemonldap-ng.org
• Support and social media at https://lemonldap-ng.org/contact.html
• Comparison between LemonLDAP-NG and Keycloak. Available in French only at:
___• https://www.worteks.com/assets/support-conference/2022/Presentation-OpensourceExperience-2022-Keycloak-vs-LemonLDAP.pdf
___• https://web.archive.org/web/20230504010955/https://www.worteks.com/assets/support-conference/2022/Presentation-OpensourceExperience-2022-Keycloak-vs-LemonLDAP.pdf
--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---
If needed, both the Ubertus.org team and I would be happy to contribute testing and documentation for 2FA, whichever option Mailbox.org chooses.
Hello all two-factor authentication enthusiasts :)
We received this status update from the Mailbox.org team on May 5th, 2023: "As to 2FA for business customers we are currently working on an implementation with Keycloak"
--- --- --- --- --- --- --- --- --- --- --- --- --- --- --- ---
Below is the same message as above. But with details if you're interested in those.
They do not have an estimated time of delivery (ETA)
For those not familiar with Keycloak, it is "an open source software product to allow single sign-on with identity and access management aimed at modern applications and services."
Website https://www.keycloak.org
Video with screenshot https://www.youtube.com/watch?v=RzxzY1dluvo
Video backend https://www.youtube.com/watch?v=K7mjE58hl4I
Video French https://www.youtube.com/watch?v=AxYKRBT9JDw
Source repository https://github.com/keycloak/keycloak
Wikipedia article https://en.wikipedia.org/wiki/Keycloak
Thanks for the update Francewho!
I'd appreciate a status report by mailbox.org with an ETA for 2FA/MFA and app passwords.
As a long-term customer of mailbox.org, I bring quite some patience to the table.
I had a ticket open in August 2021 in which I asked for MFA for business, the feedback was:
> In order to be able to offer 2FA, some fundamental changes to authentication in the business area are necessary. Only after that can we start with the actual implementation of the second factor.
> We have started on these changes, but there is still a long way ahead of us. We currently expect implementation of the 2FA itself to begin in the second quarter of 2022, but of course we cannot (yet) give a guarantee.
I just listened to Episode 965 of Security Now. The full text as PDF can be found here. I mention this as there is a lengthy section about how the 'I forgot my password' links on all major websites of the Internet make passwords actually optional. If you want to log in, you just click the link and get a one-time password via e-mail. This makes e-mail the weakest link in the authentication chain. The episode also talks about passkeys and how they compare against classic user/pw with 2FA.
I feel quite uncomfortable without 2FA on the website and without app password for IMAP mail clients.
Don't want to sound rude, however mailbox.org specifically advertises its security architecture and what it does to protect users, so I would expect this topic to get quite some management attention.
Thanks for any update on this. And don't get me wrong, I like the services that mailbox.org offers and I have a lot of trust on the server side of things. The missing state-of-the-art authentication features however put a lot of burden on the users and their password management skills and also their mail clients.
I just checked the settings of my business account. There are app passwords. But not for imap, only caldav/carddav. But I will certainly try this out.