Let's talk about 2FA on this website. Again.
Hello Mailbox community.
We already had several discussions about 2FA on this website. It's being done a bit differently here. Usually you have Password+2FA(OTP). On this website you use NEWLY_GENERATED_6_DIGIT_PIN_INSTEAD_OF_PASSWORD+2FA(OTP).
Some people think this is a good idea because any password is apparently equally safe when having 2FA(OTP) activated.
I love your service. But one of the very few things that I don't like on mailbox.org, and in this case it's a major thing for ME, is the way 2FA is being handled.
I think we can all agree that what I and several other users want, and how Mailbox is currently handling 2FA, are at least EQUALLY SECURE.
So I ask you, and I hope I'm not alone with this, to please just enable both methods. Let me have my password + 2FA and not a 6 digit password.
Just make it optional. It's equally good. Some people prefer it the mainstream way and you can do it all with the same tools.
please please please!
I've posted a similar thing some days ago. https://userforum-en.mailbox.org/topic/password-recovery-process-and-security-flaw
If you have 2FA, so PIN + OTP, you can reset it with the password reset process, because it resets the 2FA method.
There are three ways to reset the password of the account:
This last option, IMHO, is a security problem. I have suggested, like other people, to add app passwords (like mainstream services) or to remove this third option and generate recovery codes for 2FA.
Hope that it will be added, because mailbox.org has the best configured servers (TLS cipher suites, DANE and DNSSEC) of all the email services I have tried.
6 digit - you are lucky - for some reason I can only set a 4 digit PIN. I am taking solace in that the password is effectively different every time anyway, but it just feels wrong having to only remember a 4 digit PIN.
I agree I would much rather have the option of a strong 20 character password in front of my YubiKey.
Hey, I don't want to open a new topic for this again. I see I am not the only one frustrated with this.
My mailbox will run out soon but I will always be here in the forum and wait until your flawed password policy is finally addressed.
And btw: when legit darkmode?
Any news on this? Is it possible please to just answer this topic to let us know if this will be done some day or never.
As there is no answer and no change, I guess we will just keep having the feature as it is and nothing more; at least it's better than nothing.
I'm sorry, but it's not equally secure. It's much much much more INsecure. It is. It is. It is insecure. It is. Totally. Really. Yes. It is.
mailbox.org does not only offer a web interface (like other services!) where we can restrict access and forbid any login with password only. We also offer many different services and protocols like SMTP, XMPP and much more (and much more will be added in the future) that must still be open for password logins. For that, a stolen/sniffed password CAN be used to gain access to different services and accounts.
It's totally not comparable to a single web page where a stolen password from an OTP+password login is useless.
We will NOT bring our users into insecure and unsafe situations, no matter how many people do not understand what is secure and what is not secure and why/how different solutions on the market promise security but -- at the end -- do not keep their promises and are just a kind of fake and a risk for their users.
Sorry.
In general we're re-writing our auth backend and there will be changes like different passwords and more ways to use OTP. But in no case will we enable an OTP login where the real password becomes compromised. We will not do that even if 95% of all users have not understood how OTP and password hijacking work and what kind of risk bullshit those solutions would be.
[Sorry, I wrote this 8 months ago, but I saved it only as a draft and haven't published it. My mistake. Sorry.]
Thank you very much for the answer :) Yes, I know that it is secure and how it works; it's just the fact that it remains an only-digit password...
> For general we're re-writing our auth-backend and there will be changes like different password
That would be amazing if we could have a second password for the web interface and/or a second password that would replace the PIN.
Thanks a lot, and great work you are doing here with your services, it's amazing :)
I am also frustrated by the implementation of 2FA and do not think it is very secure. The whole point of TWO-FACTOR is that it requires two separate factors to log in. So the choices that I have seen are that I can either have a strong password, OR I can enable the one-time password and essentially downgrade the security (4 digit PIN + 6 digit OTP, essentially a 10 digit number - how hard would this be to brute force?? i.e. 1e+10 vs. my normal password 2,2e+102) of my account while simultaneously making it more cumbersome to log in.
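The login the thread describes (a static PIN followed by a 6-digit code that changes every 30 seconds) is just RFC 6238 TOTP with a PIN prefix. The block below is an added example, not code from mailbox.org or any poster: it implements HOTP/TOTP, a constructed server-side verifier for the PIN+TOTP string that enforces single use per window and does not leak which part failed, and the keyspace arithmetic from the post above, extended with the rate-limit bound that applies to online guessing. The PIN `1234`, the secret (the RFC 4226 test secret) and the rate-limit numbers are assumptions.

```python
import hashlib
import hmac
import math
import struct

STEP = 30   # seconds per TOTP window ("6 digits that change every 30 seconds")
DIGITS = 6  # length of the OTP part of the login string


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


class PinTotpVerifier:
    """Server-side check of a login string built as <static PIN><current TOTP>.

    Constructed model of the scheme described in the thread, not mailbox.org's
    implementation. Two details matter for such a verifier:
    - a small tolerance window for client clock drift,
    - every OTP window is consumed once, so a code captured in transit
      cannot be replayed while it is still within the window.
    """

    def __init__(self, pin: str, secret: bytes, window: int = 1):
        self.pin = pin              # assumed static PIN
        self.secret = secret        # shared TOTP secret
        self.window = window        # accept +/- this many steps of drift
        self.last_counter = -1      # highest counter already consumed

    def verify(self, submitted: str, at: int) -> bool:
        pin_len = len(self.pin)
        if len(submitted) != pin_len + DIGITS or not submitted.isdigit():
            return False
        pin_part, otp_part = submitted[:pin_len], submitted[pin_len:]
        # Compare both parts in constant time and do not short-circuit on a
        # PIN mismatch, so the response does not reveal which part was wrong.
        pin_ok = hmac.compare_digest(pin_part, self.pin)
        base = at // STEP
        matched = None
        for counter in range(max(0, base - self.window), base + self.window + 1):
            if counter > self.last_counter and hmac.compare_digest(
                    hotp(self.secret, counter), otp_part):
                matched = counter
        if not pin_ok or matched is None:
            return False
        self.last_counter = matched  # consume the window: replay is rejected
        return True


def combined_keyspace(pin_digits: int, otp_digits: int) -> int:
    """Number of equally likely login strings an attacker who knows neither
    the PIN nor the secret faces in one window (the post's 10**10)."""
    return 10 ** (pin_digits + otp_digits)


def online_guess_probability(pin_digits: int, otp_digits: int,
                             attempts_per_window: int, windows: int) -> float:
    """Probability that online guessing succeeds within `windows` TOTP windows
    when the server allows `attempts_per_window` tries per window. The OTP
    part is fresh every window, so the bound is set by the server's rate
    limit, unlike an offline attack on a leaked password hash, where the
    attacker's own hardware sets the guess rate."""
    p = attempts_per_window / combined_keyspace(pin_digits, otp_digits)
    # 1 - (1 - p) ** windows, computed without catastrophic cancellation
    return -math.expm1(windows * math.log1p(-p))
```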
I think everyone will be happy if we could just use a secondary password instead of the PIN.
Yes, I agree, I think people would like that (I know I would).
Hey, OP here.
Mr. Heinlein, please!
We have enough support for this. Please make this proposal optional at least... :)
It would be greatly appreciated by the mailbox.org community.
Happy new year everyone.
PS: When darkmode :D
It is rather apparent that the community is trying to provide feedback on the MFA process that is currently being utilized and it's falling on stubborn ears. To me, it's really quite simple and can be summed up in a few facts.
The current MFA setup is confusing, disorganized, and poorly implemented. MFA implementation can prevent up to 90% of account takeovers. You would think that a developer who markets themselves as a security focused provider would take much greater care in its implementation. I utilize MFA and U2F extensively and nowhere have I been limited to a 4-6 digit PIN and an OTP, nor have I had as much of a headache trying to implement it. Typically it's quite an easy process that takes only a few seconds.
Have you stopped and considered the possibility that you may be putting more of your users at risk because your implementation just doesn't work for them and is outside the norm of what they can easily do? Or is the fundamental right of security only supposed to be for the elite?
As for the PIN. A 4-6 digit PIN versus a string of longer characters is not more secure. It's not. No. It just isn't. Really. Not under any standard. If you feel that it is, I would strongly suggest you write a technical white paper and submit it to SANS for community review. The OTP that follows is simply an additional layer of protection provided by entropy or a physical token that the bad guys aren't going to have access to.
Regarding application access, and access via means other than the website. You guys are not the only ones who offer IMAP or SMTP access. As others have said, this is what app specific passwords and modern authentication are for. With your current setup, users are forced to utilize their primary account password within their e-mail client. You're worried about password hijacking, but you're backing your users into a corner by doing this and giving the bad guys a password that is not tied to a specific system or application, but the master password that can be used for anything, including your website, which if accessed, would allow for a full account take over.
Mr. Heinlein might be the victim of an optics problem. Maybe we are used to a form of security theater which provides a sense of security even though in reality it is not as secure as we think it is.
That being said: I don't think it is wise to sidetrack a community of confusion and frustration around the whole OTP/MFA topic.
I would very much like to be educated on why the current Mailbox.org OTP config is as secure as or more secure than outlook.com's or protonmail.com's or tutanota.com's security. I appreciate Mr. Heinlein's dedication to principles and security, I just cannot find the 'why' or 'how so' behind the reasoning. If you can elaborate, a video or podcast would be nice, or a blog article.
----
After using the Mailbox.org service for a few years-ish and not seeing a significant change in the OTP topic here, I feel I'm getting a bit fatigued by it.
And to take a step back: my best experience is not typing in an OTP number or pressing a YubiKey. It is FaceID or pressing [Approve] on my phone.
I would greatly prefer a two-step solution like what other providers offer (password then OTP), but maybe due to my lack of technical know-how, the solution proposed by Mailbox is more secure and works better with their offerings than a two-step solution.
In that case, I concur with the others that using an alphanumeric password of our choice + OTP appended as the new login sounds like a much better and more secure solution than relying on a 4-digit PIN. At the very least, this should be an option.
What I don't get is if users use IMAP with 2FA enabled, I'm guessing IMAP uses their actual account password. In that case, how is this solution more secure exactly?
From a different angle, I would like to see FIDO or FIDO2 UAF being implemented as an extra option for two factor authentication. This allows users to use a generic security key (which only supports FIDO or FIDO2, but not OTP).
It gives me so many troubles, because I'm using a password manager and with this 2FA I can't even use it. On every other website my password manager fills in login and password, after that I manually enter the TOTP and that's it. Here at mailbox.org I'm forced to use only the password, because with the 2FA the password constantly changes.
Was about to give up on 2FA but after spending more than an hour... eventually got it working.
Hopefully I will now be able to recall this very contrarian login process when I need it again.
Will continue using mailbox.org but won’t be able to recommend it to less tech savvy users.
There’s a balance to be struck between security and general usability.
I just migrated to this email provider (after testing a dozen of others first) and I was very satisfied with everything. Until I decided to enable 2FA... Now I'm simply thinking about looking for another provider.
As a user has mentioned here previously, this is so counter-intuitive and annoying to use that I'm pretty sure it forces the vast majority of users to turn off 2FA which is *undoubtedly* less secure.
There's no way I'm going to use this even if you managed to convince me it's more secure (which I doubt) simply because it is UNUSABLE as it has been mentioned here multiple times.
So my options are either I stay here and completely disable 2FA which would make me totally nervous or I am simply looking for an email provider that cares to provide users with a 2FA method that they are willing to use.
I would tend to agree with @1201676. Is mailbox.org reconsidering their position?
The PIN is not a 4 digit PIN (anymore).
I've read the thread twice and checked the 2FA knowledgebase article.
Am I right to say that mailbox.org implemented an OTP solution primarily to allow users to log in safely on devices they don't trust?
And most of the users in this thread want 2FA so their account can't be accessed using only the password if that password is compromised.
In my use case, all my logins are on devices that I trust. But to get the increased security I want I'm being told I need to adopt mailbox.org's more-secure-but-non-standard 2FA login.
Is that a fair summary?
It's not a huge inconvenience to learn to log in that way. But it's frustrating not to be able to make an informed choice between your 2FA implementation and the standard one. And I wasted far too much time understanding the issue and writing this comment.
I'm also a bit concerned about it, because all the major players in IT have implemented a standard 2FA, which is quite convenient for me. The current realisation of a 2FA in mailbox.org is frustrating.
This actually made me reconsider switching to mailbox.org. Never seen a provider that basically makes you replace your password with a 4 digit PIN when you enable 2FA.
Essentially the login is now 4 static digits and 6 digits that change every 30 seconds.
The normal threat model for TOTP is phishing, and this requires people to set a PIN in addition to their IMAP password.
Convenience /= security.
If other email providers have implemented this in another way, it doesn't mean it provides additional security.
2 years later and Mailbox.org spends more time building a video app because it's fun instead of listening to what its users want. :\
For 2FA or SSO I suggest considering either https://lemonldap-ng.org or https://www.keycloak.org
Both products above have strong security and strong privacy. Because they are open source :) My favorite is LemonLDAP-NG. Because, legally speaking, LemonLDAP-NG is owned and controlled by both you and a not-for-profit community. In comparison, Keycloak is, legally speaking, indirectly owned and controlled by the for-profit IBM.
Screenshot, summary, and details at https://userforum-en.mailbox.org/topic/1427-2fa-with-lemonldap-ng-or-keycloak
I vote +1 and 25 for my co-workers
It is a funny thing that mailbox.org wants to serve as an alternative to the usual suspects, the bigger office account providers, and still did not implement 2FA, even when the times state that it's as mandatory as TLS in web browsers. I hope mailbox.org will put this on the HIGHEST priority and if it costs money, then what the heck, it is about security... imagine one day your customers get hacked, you will have to pay much more for the hacked accounts than for the 2FA implementation...
As this thread was linked by another thread, please search on YOUR OWN website/forum for 2FA and add all proposals/votes to this thread, I bet we reach 200 and more already... the issue is that there are several threads about this topic and that is why mailbox.org does not see the customer impact that this function would have.
Last, a funny story: Even the state of Hungary was able to implement 2FA for their customer gate and a German private company is not able to do so... I would judge as a stoopid watcher without background knowledge that mailbox.org is not professional at all.
Thank you for raising the priority on this implementation and I am sure we can count on it in the 2nd half of 2022.
mailbox.org did implement 2FA, I am using it and it works well. I don't even have to open my password manager.
Pictures show more than words. I already opened a technical customer support ticket, let's see if they work today.
Hello,
we are aware that this feature is very important for our customers and for the safety of our customers. Right now we are offering 2FA for private customers. We are already working on a solution for our business customers with Keycloak, but it will take some more time until we can implement it.
All the best from your
mailbox.org team
Business has less security than private people, I like that attitude, but please, maybe do not ask for a payment from business customers, okay? The impact of a hacked business customer could bankrupt mailbox.org in 1 day - oh and please could mailbox.org add a timeline for the implementation? I heard that from my bank, "we are working on that", and three years later the same template answer was given, so please be a little bit more open.
So is something gonna happen? It slowly turns into a joke ...
As a new user in the paid standard plan I have to agree with the point that I find the 2FA implementation awkward. I'd also prefer a formal logon with username and complex password + OTP. Also, I think a security focussed provider should support FIDO U2F and FIDO2/WebAuthn as well. In addition I fully support the request to Mailbox.org to be more responsive and at least provide a rough timeline and a status.
My last business email service was hacked and was held for ransom. I wanted to find a provider that was more private and more secure. I tried MANY MANY trials, and I fell in love with mailbox.org personal setup.
I signed up for a business account today, now I can't turn on 2FA on either the business admin side or the individual emails???
This is a huge deal, huge. The PIN is not so much of a deal for me as we all use hardware tokens, but there isn't anything for business services! This will probably force me somewhere else, I cannot leave that huge security hole open.
Seems like something's happening, without any result so far: https://userforum-en.mailbox.org/topic/1556-2fa-for-business
Can't wait for this to happen.
Our beta program is available now.
As part of this program, we offer the Login 2.0 for testing.
For further information on this, please visit: https://mailbox.org/en/post/beta-program-starts
Kinda wild that Peer gaslighted everyone in this thread to say OTP was insecure and that Mailbox's method was superior, and now they're implementing OTP. 🤷‍♂
>Our beta program is available now.
Thanks Mailbox.Org team. Appreciated :)
Both me and the Ubertus.Org team are really looking forward to trying this beta. We will happily share our feedback. We will create tickets for your review for interest and your decision at https://support.mailbox.org
This is great news that you chose the Libre Source (Open Source) Keycloak. And that you are self-hosting it to power your 2FA.
For those not familiar with "Libre Source", it is much stronger privacy and stronger security than Secret Source (Proprietary Source). Same for Self-Hosted software. I mean Self-Hosted software has much stronger privacy and stronger security than SaaS. Why? Well, mainly because anyone, including a large number of security experts, can both publicly review and publicly contribute to Libre Source software. In comparison, this is not possible with Secret Source software. In other words, Libre Source and Self-hosted is much more likely to attract clients. In turn, grow your business.
Hello Mailbox.Org team :) We are in progress of reading the information at https://mailbox.org/en/post/beta-program-starts
It reads that "Only private customers in the beta can use this feature."
Our first suggestion is to offer a 2FA beta program for your Business customers. If Mailbox.Org is interested, both me and the Ubertus.Org team would be happy, as volunteers, to contribute beta testing.
Details about our suggestion are in ticket #11284
I think what's missing in the beta is the ability to save a device as "trusted" so that it won't ask you for an OTP every time you try to login from that device. Also it's a bit annoying that you need to re-authenticate after closing the browser. I don't remember that happening with gmail.
I agree that there should be an option to mark devices as "trusted," but it shouldn’t be enabled by default. Unfortunately, cookie theft is a real threat. If an attacker gains access to these cookies—especially those belonging to a trusted device—it can completely undermine the security benefits of two-factor authentication.
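One way a provider could implement the "trusted device" option discussed above so that a stolen cookie is bounded in what it can do: only a hash of the token is stored, the token is bound to one user, it expires, and every trusted device can be revoked at once after a credential reset. This is an added example, not mailbox.org's or Keycloak's code; the 30-day window and the in-memory store are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TRUST_TTL = 30 * 24 * 3600  # assumed 30-day trust window, in seconds


class TrustedDeviceStore:
    """Server-side registry of 'remember this device' tokens (hypothetical).

    Only a SHA-256 hash of each token is kept, so a leaked database does
    not yield usable cookies; each token is tied to one user id and an
    expiry; revoke_all() drops every token of a user in one step.
    """

    def __init__(self, now=time.time):
        self._now = now                # injectable clock for testing
        self._records = {}             # token_hash -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        """Call only after a full password + OTP login succeeded."""
        token = secrets.token_urlsafe(32)          # 256 bits of randomness
        self._records[self._digest(token)] = (user_id, self._now() + TRUST_TTL)
        return token  # client stores it as a Secure, HttpOnly, SameSite cookie

    def is_trusted(self, user_id, token):
        """True if this cookie may skip the OTP prompt for this user."""
        key = self._digest(token)
        rec = self._records.get(key)
        if rec is None:
            return False
        owner, expires_at = rec
        if self._now() >= expires_at:
            del self._records[key]                 # expired: forget it
            return False
        return hmac.compare_digest(owner, user_id)  # cookie bound to user

    def revoke_all(self, user_id):
        """Invalidate every trusted device, e.g. after a password/2FA reset.
        Returns the number of tokens removed."""
        before = len(self._records)
        self._records = {h: r for h, r in self._records.items() if r[0] != user_id}
        return before - len(self._records)
```

A real deployment would persist the records and also log each OTP-skipping login, so that a trusted-device token used from an unfamiliar network can be reviewed.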