Welcome to the mailbox.org user forum!
 

Why is the implementation of 2FA on this website so horrible?

max shared this idea 4 months ago
Proposed

So, like many others, I am very disappointed in the implementation of 2FA on mailbox.org. Currently there are three options regarding 2FA:

Off, where there is no 2FA and the regular account password is used for all logins.

Web service OTP, other services password, where you need the OTP to login to the web service, but can use the normal account password for other services (like thunderbird)

Web service OTP, other services off, which is the same as above, except other services cannot be logged into (thunderbird etc is not usable).


All of these options are bad. Not having 2FA on IMAP services sort of defeats the point, because any potential bad actors can completely bypass 2FA by connecting via IMAP instead of the web interface. Turning these services off does solve these problems, but it's not a good solution, and honestly extremely misleading marketing. It's sort of like selling a house where "the doors can be locked", but only the front door can actually be locked, and the solution for the other doors and windows is to just barricade them. What if I want to look outside a window, or use the back door? (like checking my email on my phone, as there is no Android app for mailbox.org)

Well, then I just have to live with the fact that anyone can open my window or back door and walk into my house.

All of this is not even considering the fact that the current implementation (PIN and OTP in the password field) is a terrible user experience and very unintuitive. I honestly think this has made multiple users refrain from using OTPs, which is the exact opposite effect of what we want.

To end this rant, I want to propose a solution: just do what all the others are doing. Just make a normal implementation that isn't confusing and doesn't need a support article to understand how to log in again. Nextcloud, for example, does this very well:

Normal password and then OTP when logging in to website and supported clients, and unsupported clients can use app-specific passwords. At the very least this is as secure as the current mailbox.org implementation, and a lot more intuitive.

Please, for the love of all that is mighty, consider this. Thank you.

Replies (4)

2

I agree to implement what is now a "standard": password+otp and app specific password for other services.

Anyway, I don't think a specific password for IMAP is more secure than the current implementation.
Now you have PIN+OTP for the website and one global specific password for other services.

1

@max: I got exactly the same thoughts. The current solution ends up in the situation that only the password option will be used by lots of users, as they don't look up the OTP each time.


Two proposals/wishes from my side

- PIN (or password) + OTP would be fine if there were an option to define trusted devices. So one can decide if one or two devices (e.g. at home) are trusted and all other devices need PIN (or password) + OTP to log in

- An app-specific password should be generated by the webmailer. The option to leave it to the user to choose a password leads to weak passwords


Hope someone reads these posts here.
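A small model of the scheme being asked for in this thread: the web login takes the account password plus a TOTP code from an authenticator app, while IMAP/SMTP accept only server-generated, per-client app passwords and refuse the account password outright (the "Nextcloud" layout from the original post, plus this reply's point that the app password should be generated, not chosen). This is an added example written for this page, not mailbox.org's, Nextcloud's or any poster's code; the function names, the "web"/"imap"/"smtp" service labels, the app-password format and the PBKDF2 parameters are all assumptions. The trusted-device idea is not modelled.

```python
"""Password + TOTP on the web login; generated, scoped app passwords for IMAP/SMTP.
Added example for this thread, not mailbox.org or Nextcloud code."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass, field
from typing import Optional

TOTP_STEP = 30            # seconds per step, RFC 6238 default
TOTP_DIGITS = 6
TOTP_WINDOW = 1           # accept one step of clock skew either side
PBKDF2_ROUNDS = 100_000   # assumed parameter, tune for the deployment


def hotp(key: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: Optional[float] = None) -> str:
    """RFC 6238 TOTP for the given Unix time (default: now)."""
    at = time.time() if at is None else at
    return hotp(key, int(at // TOTP_STEP))


def totp_valid(key: bytes, code: str, at: Optional[float] = None,
               window: int = TOTP_WINDOW) -> bool:
    """Constant-time compare against the current step and +/- `window` neighbours."""
    at = time.time() if at is None else at
    base = int(at // TOTP_STEP)
    return any(hmac.compare_digest(hotp(key, base + d), code)
               for d in range(-window, window + 1))


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def _check(secret: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(_hash(secret, salt), digest)


@dataclass
class AppPassword:
    label: str            # e.g. "Thunderbird on laptop", so it can be revoked by name
    scopes: frozenset     # services it may log in to, e.g. {"imap", "smtp"}
    salt: bytes
    digest: bytes         # only the PBKDF2 hash is stored, never the plaintext


@dataclass
class Account:
    password_salt: bytes
    password_digest: bytes
    totp_secret: bytes
    app_passwords: dict = field(default_factory=dict)   # id -> AppPassword


def create_account(password: str, totp_secret: Optional[bytes] = None) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt, _hash(password, salt), totp_secret or secrets.token_bytes(20))


def totp_provisioning_secret(account: Account) -> str:
    """Base32 form of the secret, the value an authenticator app (e.g. Aegis) is enrolled with."""
    return base64.b32encode(account.totp_secret).decode()


def issue_app_password(account: Account, label: str, scopes) -> tuple:
    """The server picks the password (about 120 bits of entropy); the user never chooses it.
    The plaintext is returned exactly once and only its hash is kept."""
    raw = base64.b32encode(secrets.token_bytes(15)).decode().lower()   # 24 chars, no padding
    plaintext = "-".join(raw[i:i + 4] for i in range(0, 24, 4))       # grouped for typing
    salt = secrets.token_bytes(16)
    ap_id = secrets.token_hex(4)
    account.app_passwords[ap_id] = AppPassword(label, frozenset(scopes), salt,
                                               _hash(plaintext, salt))
    return ap_id, plaintext


def revoke_app_password(account: Account, ap_id: str) -> None:
    account.app_passwords.pop(ap_id, None)


def authenticate(account: Account, service: str, secret: str,
                 otp: Optional[str] = None, at: Optional[float] = None) -> bool:
    """Policy: 'web' needs account password AND a valid TOTP; every other service
    needs an app password whose scope covers it. The account password alone never
    opens IMAP/SMTP, so an attacker holding it cannot route around the OTP."""
    if service == "web":
        if not _check(secret, account.password_salt, account.password_digest):
            return False
        return otp is not None and totp_valid(account.totp_secret, otp, at)
    return any(service in ap.scopes and _check(secret, ap.salt, ap.digest)
               for ap in account.app_passwords.values())


if __name__ == "__main__":
    acct = create_account("correct horse battery staple")
    print("enrol authenticator with:", totp_provisioning_secret(acct))
    ap_id, ap = issue_app_password(acct, "Thunderbird", {"imap", "smtp"})
    print("app password (shown once):", ap)
    print("web with password+OTP:", authenticate(acct, "web", "correct horse battery staple",
                                                 totp(acct.totp_secret)))
    print("imap with account password:", authenticate(acct, "imap", "correct horse battery staple"))
    print("imap with app password:", authenticate(acct, "imap", ap))
```

The point the thread is making shows up in `authenticate`: the account password is a web-only credential and app passwords are scoped, revocable and generated, so the IMAP "back door" no longer accepts the same secret that the OTP is supposed to protect.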

1

I'm really glad the community in general feels strongly about this issue, thank you to other posters for using their time to express their opinions as well. I hope to see some kind of acknowledgment from mailbox.org team about this problem. 2FA needs to be better.

1

I too would love a "standard" two factor authentication implementation where I can use an authenticator app like Aegis to register and obtain OTP to verify my authentications. Hope this gets implemented soon.
