Welcome to the mailbox.org user forum!
 

Let's talk about 2FA on this website. Again.

7265611 shared this idea 5 months ago
Proposed

Hello Mailbox community.


We already had several discussions about 2FA on this website. It's being done a bit differently here. Usually you have Password+2FA(OTP). On this website you use NEWLY_GEN


ERATED_6_DIGIT_PIN_INSTEAD_OF_PASSWORD+2FA(OTP).

Some people think this is a good idea because any password is apparently equally safe when having 2FA(OTP) activated.


I love.. your service. But one of the very few thing that i don't like on mailbox.org, and in this case it's a major thing for ME, is the way 2FA is being handled.


I think we can all agree that what I and several other users want, and how Mailbox is currently handling 2FA is at least; EQUALLY SECURE.


So i ask you, and i hope i'm not alone with this, to please, just enable both methods. Let me have my password + 2FA and not a 6 digit password.


Just make it optional. It's equally good. Some people prefer it the mainstream way and you can do it all with the same tools..


please please please!

Comments (11)

photo
1

I've posted a similar thing some days ago. https://userforum-en.mailbox.org/topic/password-recovery-process-and-security-flaw

If you have 2FA, so PIN + OTP, you can reset it with password reset process, because it reset the 2FA method.

There are three ways to reset the password of the account:

  • secondary email (if you have set one);
  • phone number (if you have set one);
  • receive an email on your mailbox.org if you still have IMAP access.

This last option, IMHO, is a security problem.I have suggested, like other people, to add app password (like mainstream services) or remove this third option and generate recovery codes for 2FA.

Hope that it will be added, because mailbox.org has the better configured servers (TLS cipher suites, DANE and DNSSEC) of all the email services I have tried.

photo
1

If you receive it by e-mail because you still have configured an IMAP client, then your password *IS* stored in *plaintext* in the config of that IMAP client.

If somebody owns the device, he owns your password anyway. That's how it is.

photo
1

That's correct. But with app-specific passwords, this scenario would not happen and it would be much more secure, as I can revoke an app-password if I lose my device etc.

photo
1

The only way it should be possible to reset the Password is (optionally) with a secondary email or with your security code written down before setting up 2FA


The biggest problem is also:


When i setup 2FA there has to be a process of confirmation. You can't just make noob users be confused about setting up 2FA without any first confirmation..


"have you written downyour code"


"confirm code hre".. etc..

photo
1

Using 2FA means you rely on your OTP as main source of security.

Which means a 6_DIGIT_PIN+OTP is more secure than just a password.

If OTP is secure conceptually we can all agree that 6_DIGIT_PIN+OTP is not more, or less, but EQUALLY secure as USER_GENERATED_PASSWORD+OTP.

I would LOVE to see that mailbox.org listens to it's customers in that regard. You can achieve an EQUALLY secure mailbox by enabling your users the possibility of YOUR way of handling 2FA but also enable the more commonly used way of USER_GENERATED_PASSWORD+OTP.


It would make almost no difference and would eliminate a lot of confusion. And i try to argue this also, additionally, with your own philosophy of making things easy, in order to make them secure.


And the last thing that i mentioned before also:


Please! Before finalizing setting up 2FA on your website. Give the user the possibility of checking if their generated token is valid with a confirmation setup. Never make a token valid until it's confirmed by the user that they know what they have done. A lot of people here on this forum become super confused over this issue.


It should always be:


WRITE_DOWN_BACKUP_KEY_FOR_OTP_GENERATOR_SAFELY ->

CONFIRM_AUTHENTICITY_BY_TYPING_OTP_ONCE_WITH_PROVIDER_BEFORE_ACTUAL_USAGE ->

LOGIN_WITH_CONFIRMED_WORKING_OTP

photo
1

@Peer Heinlein:

If someone has the password, he can read all e-mails (if not encrypted), what would be already very bad. But with the above third password reset option an attacker would be also able to completely overtake an account and lock the legitimate owner out. This is because the password reset switches the 2FA off (correct me if I'm wrong). In connection with the possibility to have anonymous accounts, this could be a major problem.


However, I can understand, that without this option you will probably get a higher amount of support requests from people, who lost the access to their account. Maybe a password analogous to the telephone password for resetting the password online might help. Or let users choose to switch off the third password reset option on their own 'risk' and let them pay for the support, if they locked out themselves, because not having configured alternative password reset options (like mobile phone number or alternative e-mail address)...

photo
1

@Peer Heinlein


It is a simple question. Why not allow users to create their OWN Password when creating 2FA.


Why can't i choose my OWN password instead of a 6 DIGIT PIN.


It is literally EQUALLY secure if you forbid to use the same PW again. (using YOUR philosophy, i would regard this as the users problem and not yours, but arguing in terms of mailbox.org's thinking)


Why can't i use my SELF GENERATED PASSWORD. Why am i forced to use a 6 Digit Pin ? I don't feel safe with this. Even though i understand why it IS secure. But my own password will be EQUALLY secure, if not _theoretically_ even more secure because it is obviously longer than 6 digit number..


just allow the option to let users create their own passwords when creating their 2FA.

Also you will not get more support requests if you allow users to use their own password.

the password reset part is not the issue here.


please!!!

photo
1

@Peer Heinlein Thanks for your reply. It's always good to hear "official" replies.

I know, the case that I've described is not going to happen so often. Probably never. :)Because if someone steal my laptop I have some sort of password and encryption on hard disk, it's not enough, but is a bare minimum.

What I was trying to say is: "If the email client has some security flaw (CVE vulnerabilities) and someone find a way to steal my plaintext password, even if they don't have my device".

Pretty paranoid, but removing the IMAP recovery will make us more secure I think.

photo
1

@Peer Heinlein


You still have not answered my question. I'm asking about the possibility to replace my 6-digit-pin with a newly self generated password. The moment you set up 2FA you generate a 6-digit-pin. I ask you to enable an option to create a newly, self-generated password.


It will be a new password on top of your old login password just like your 6digit-pin, but can be inherently more secure because it can provide more characters and digits than your 6-digit-pin.


I'm literally not arguing that it's MORE secure. I'm saying it is equally secure to not stir any unnecessary discussion about it.


Please just enable that option and add a 2FA verification process that tells you if you have set it up correctly before logging in again. You see how many people logged themselves out already.


I would appreciate comments on those points which i have also mentioned in all my other writings/comments above.

photo
2

I'd like to add my voice to this thread: mailbox.org's implementation of 2FA is unintuitive and at best a cause of frustration.


I was seriously tempted to begin my search for a privacy-focussed mail + cal/cardDav service all over again after experiencing this "We know better than our users" attitude apparent in the 2FA setup interface.


Provide your users with the 2FA experience they are accustomed to from all the other 2FA-empowered websites on the net. Stop trying to "be right". Your current setup breaks users expectations as well as their password manager + token generator setup and makes users NOT use 2FA, which makes everything LESS secure.

photo
photo
1

6 digit - you are lucky - for some reason I can only set a 4 digit PIN. I am taking solace in that the password is effectively different every time anyway, but it just feels wrong having to only remember a 4 digit PIN.

I agree I would much rather have the option of a strong 20 character password in front of my YubiKey.