Welcome to the mailbox.org user forum!
 

2fa non existant for imap clients, only for webmail advertised otherwise

2924964 shared this idea 7 months ago
Proposed

Hi,

I like mailbox for plenty of things but I don't understand why this situation is taken so lightly :

There is no 2fa for imap, only for webmail.

Anybody with your mailbox.org password can steal your data from any mail client without you even getting a notification someone set up your account on imap with a client(I asked for this feature years ago).

https://mailbox.org/en/private-customers#e-mail-cloud-office states 2FA, it should state 2FA for webmail only, can this misleading information be changed please?

Support by email told me they are working on a feature to have individual passwords, however they are not a solution in a world where 2FA is there for any other provider.

Replies (1)

photo
2

Hi there, security is something we do not take lightly. You can limit third party access (clients, apps, etc) via our OTP setup. Just head over to "Settings (1) -> mailbox.org (2) -> One Time Passwords (3)" and when configuring the setting "OTP security level (4)", choose the third option in the drop down menu: "Web Service OTP, other services off (5)" and hit Save (6) This way, access to your data is only possible via webinterface an OTP-login.

2da58f7438246c3b4699a35397bc12f1

Best regards from your mailbox.org-Team!

photo
4

Then you cannot read mails on thunderbird or on android?

photo
4

I agree. I love mailbox, but I still think the handling of 2FA is pretty poor. Similarly, even *with* 2FA on the webui, it's not your password+2FA, it's a PIN+2FA.

photo
3

I hope they improve the 2FA functionality to make it less convoluted.

photo
2

I also agree, I like Mailbox.org but I have chosen not to use it for my more sensitive emails. One of the reasons is, setting up MFA is seems needlessly complex and not user friendly to setup or use.

Another is that it is not possible to have MFA setup for both web login and IMAP. Other services solve this by using MFA for web login and App Passwords for IMAP or OAuth for IMAP.

Lastly, it is disappointing to see you still don't support the use of the WebAuthn standard that is built into browsers and operating systems now to allow the use of Security Keys. I know you support YubiKeys, but these are quit expensive, whilst Security Keys are much more affordable and achieve much of what YubiKeys are designed for.

photo
2

I asked them to remove the misleading MFA mention months ago but they are ignoring this, if MFA is for webclient only, then mention it before anybody purchase an account. Changing/creating an email adress and updating your contact with a new email is a big job which you don't want to cancel because you learn after that a mail client is not protected with mfa when you were advertized otherwise15d446b644a0e9ebbba8f890cdc39b54

photo
2

Any update to know when at least an option to have a different password for Imap will be implemented?

photo
Leave a Comment
 
Attach a file