Welcome to the mailbox.org user forum!
 

Let's talk about 2FA on this website. Again.

drdarkmode shared this idea 10 months ago
Proposed

Hello Mailbox community.


We already had several discussions about 2FA on this website. It's being done a bit differently here. Usually you have Password+2FA(OTP). On this website you use NEWLY_GENERATED_6_DIGIT_PIN_INSTEAD_OF_PASSWORD+2FA(OTP).

Some people think this is a good idea because any password is apparently equally safe when having 2FA(OTP) activated.


I love your service. But one of the very few things I don't like about mailbox.org, and in this case it's a major thing for ME, is the way 2FA is being handled.


I think we can all agree that what I and several other users want and how Mailbox is currently handling 2FA are, at the least, EQUALLY SECURE.


So I ask you, and I hope I'm not alone in this, to please just enable both methods. Let me have my password + 2FA and not a 6-digit password.


Just make it optional. It's equally good. Some people prefer it the mainstream way, and you can do it all with the same tools.


please please please!

Comments (12)

2

I've posted a similar thing some days ago. https://userforum-en.mailbox.org/topic/password-recovery-process-and-security-flaw

If you have 2FA, i.e. PIN + OTP, you can reset it with the password reset process, because that resets the 2FA method.

There are three ways to reset the password of the account:

  • secondary email (if you have set one);
  • phone number (if you have set one);
  • receive an email on your mailbox.org if you still have IMAP access.

This last option, IMHO, is a security problem. I have suggested, like other people, adding app passwords (like mainstream services) or removing this third option and generating recovery codes for 2FA.

Hope that it will be added, because mailbox.org has the best configured servers (TLS cipher suites, DANE and DNSSEC) of all the email services I have tried.

1

If you receive it by e-mail because you still have an IMAP client configured, then your password *IS* stored in *plaintext* in the config of that IMAP client.

If somebody owns the device, he owns your password anyway. That's how it is.

1

That's correct. But with app-specific passwords, this scenario would not happen and it would be much more secure, as I can revoke an app-password if I lose my device etc.

1

The only way it should be possible to reset the password is (optionally) with a secondary email or with your security code written down before setting up 2FA.


The biggest problem is also:


When I set up 2FA there has to be a confirmation process. You can't just leave noob users confused about setting up 2FA without any confirmation first.


"Have you written down your code?"


"Confirm code here"... etc.

1

Using 2FA means you rely on your OTP as main source of security.

Which means a 6_DIGIT_PIN+OTP is more secure than just a password.

If OTP is secure conceptually we can all agree that 6_DIGIT_PIN+OTP is not more, or less, but EQUALLY secure as USER_GENERATED_PASSWORD+OTP.

I would LOVE to see mailbox.org listen to its customers in that regard. You can achieve an EQUALLY secure mailbox by giving your users the possibility of YOUR way of handling 2FA but also enabling the more commonly used way of USER_GENERATED_PASSWORD+OTP.


It would make almost no difference and would eliminate a lot of confusion. And I try to argue this also, additionally, with your own philosophy of making things easy in order to make them secure.


And the last thing, which I also mentioned before:


Please! Before finalizing the 2FA setup on your website, give the user the possibility of checking whether their generated token is valid with a confirmation step. Never make a token valid until the user has confirmed that they know what they have done. A lot of people here on this forum become super confused over this issue.


It should always be:


WRITE_DOWN_BACKUP_KEY_FOR_OTP_GENERATOR_SAFELY ->

CONFIRM_AUTHENTICITY_BY_TYPING_OTP_ONCE_WITH_PROVIDER_BEFORE_ACTUAL_USAGE ->

LOGIN_WITH_CONFIRMED_WORKING_OTP
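
The three-step enrolment the comment above asks for (write down the backup key, confirm by typing one OTP, only then rely on it at login), as an added example in Python that is not mailbox.org's code. The `TotpEnrollment` class, the `authenticator_code` helper and the injected clock are assumptions for this illustration; the OTP algorithm itself is standard RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30-second step), so a real authenticator app fed the same backup key would show the same codes.

```python
"""TOTP (RFC 6238) enrolment with a mandatory confirmation step.

Added example, not mailbox.org code.  The class/function names and the
injected clock are assumptions for this illustration.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

DIGITS = 6
STEP = 30           # seconds per TOTP window


def totp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """One HOTP/TOTP value: HMAC-SHA1 + dynamic truncation (RFC 4226 section 5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def authenticator_code(backup_key: str, now: int) -> str:
    """What the user's authenticator app shows after the written-down key was entered."""
    return totp(base64.b32decode(backup_key), int(now) // STEP)


class TotpEnrollment:
    """Server-side state of one user's OTP factor.

    A freshly issued secret is PENDING: it is not honoured at login until the
    user has typed one valid code, which proves the key was copied correctly
    and the generator works.  Abandoning the setup page therefore cannot lock
    anyone out.
    """

    def __init__(self, clock=time.time, skew: int = 1):
        self._clock = clock        # injectable so the flow can be replayed deterministically
        self._skew = skew          # accept +/- this many windows of clock drift
        self.secret = None
        self.active = False
        self.last_counter = -1     # replay guard: every window is accepted at most once

    def begin(self) -> str:
        """Step 1: issue a fresh secret; returns the base32 backup key to write down."""
        self.secret = secrets.token_bytes(20)
        self.active = False
        self.last_counter = -1
        return base64.b32encode(self.secret).decode()

    def _matching_window(self, code: str):
        """Return the counter whose code matches, or None.  Constant-time compare."""
        now_counter = int(self._clock()) // STEP
        for c in range(now_counter - self._skew, now_counter + self._skew + 1):
            if c > self.last_counter and hmac.compare_digest(totp(self.secret, c), code):
                return c
        return None

    def confirm(self, code: str) -> bool:
        """Step 2: the user proves the generator works BEFORE the factor is switched on."""
        if self.secret is None or self.active:
            return False
        c = self._matching_window(code)
        if c is None:
            return False
        self.active, self.last_counter = True, c
        return True

    def verify_login(self, code: str) -> bool:
        """Step 3: only a confirmed factor counts; a pending one is ignored entirely."""
        if not self.active:
            return False
        c = self._matching_window(code)
        if c is None:
            return False
        self.last_counter = c
        return True


def run_enrollment_flow(start: int = 1_700_000_000) -> dict:
    """Walk the three steps on a constructed clock; returns what each step decided."""
    now = [start]
    enr = TotpEnrollment(clock=lambda: now[0])
    key = enr.begin()
    # a code that is wrong in every window the server would accept right now
    live = {authenticator_code(key, now[0] + d * STEP) for d in (-1, 0, 1)}
    wrong = next(f"{i:06d}" for i in range(10 ** DIGITS) if f"{i:06d}" not in live)
    out = {}
    out["login_before_confirm"] = enr.verify_login(authenticator_code(key, now[0]))
    out["confirm_wrong_code"] = enr.confirm(wrong)
    good = authenticator_code(key, now[0])
    out["confirm_ok"] = enr.confirm(good)
    out["replay_same_code"] = enr.verify_login(good)      # same window, already consumed
    now[0] += STEP                                          # next window
    out["login_next_window"] = enr.verify_login(authenticator_code(key, now[0]))
    return out
```

The factor only becomes active on a successful `confirm()`, so a user who closes the page halfway through still logs in the old way, and each counter value is accepted once, so the code typed during confirmation cannot be replayed against the login that follows.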

1

@Peer Heinlein:

If someone has the password, he can read all e-mails (if not encrypted), which would already be very bad. But with the above third password reset option an attacker would also be able to completely take over an account and lock the legitimate owner out. This is because the password reset switches 2FA off (correct me if I'm wrong). In connection with the possibility to have anonymous accounts, this could be a major problem.


However, I can understand that without this option you will probably get a higher number of support requests from people who have lost access to their account. Maybe a password analogous to the telephone password for resetting the password online might help. Or let users choose to switch off the third password reset option at their own 'risk' and let them pay for the support if they locked themselves out because they had not configured alternative password reset options (like a mobile phone number or alternative e-mail address)...

1

@Peer Heinlein


It is a simple question. Why not allow users to create their OWN password when creating 2FA?


Why can't I choose my OWN password instead of a 6-DIGIT PIN?


It is literally EQUALLY secure if you forbid reusing the same PW. (Using YOUR philosophy, I would regard this as the user's problem and not yours, but I'm arguing in terms of mailbox.org's thinking.)


Why can't I use my SELF-GENERATED PASSWORD? Why am I forced to use a 6-digit PIN? I don't feel safe with this, even though I understand why it IS secure. But my own password will be EQUALLY secure, if not _theoretically_ even more secure, because it is obviously longer than a 6-digit number.


Just allow the option to let users create their own passwords when creating their 2FA.

Also, you will not get more support requests if you allow users to use their own password.

The password reset part is not the issue here.


please!!!

1

@Peer Heinlein Thanks for your reply. It's always good to hear "official" replies.

I know, the case that I've described is not going to happen so often. Probably never. :) Because if someone steals my laptop I have some sort of password and encryption on the hard disk; it's not enough, but it is a bare minimum.

What I was trying to say is: "If the email client has some security flaw (CVE vulnerabilities) and someone finds a way to steal my plaintext password, even if they don't have my device".

Pretty paranoid, but removing the IMAP recovery will make us more secure I think.

1

@Peer Heinlein


You still have not answered my question. I'm asking about the possibility to replace my 6-digit PIN with a newly self-generated password. The moment you set up 2FA you generate a 6-digit PIN. I ask you to enable an option to create a new, self-generated password.


It will be a new password on top of your old login password, just like your 6-digit PIN, but it can be inherently more secure because it can contain more characters and digits than your 6-digit PIN.


I'm literally not arguing that it's MORE secure. I'm saying it is equally secure, so as not to stir up any unnecessary discussion about it.


Please just enable that option and add a 2FA verification process that tells you whether you have set it up correctly before logging in again. You see how many people have logged themselves out already.


I would appreciate comments on those points which i have also mentioned in all my other writings/comments above.

3

I'd like to add my voice to this thread: mailbox.org's implementation of 2FA is unintuitive and at best a cause of frustration.


I was seriously tempted to begin my search for a privacy-focussed mail + cal/cardDav service all over again after experiencing this "We know better than our users" attitude apparent in the 2FA setup interface.


Provide your users with the 2FA experience they are accustomed to from all the other 2FA-enabled websites on the net. Stop trying to "be right". Your current setup breaks users' expectations as well as their password manager + token generator setup and makes users NOT use 2FA, which makes everything LESS secure.

1

6 digits - you are lucky - for some reason I can only set a 4-digit PIN. I take solace in the fact that the password is effectively different every time anyway, but it just feels wrong having to remember only a 4-digit PIN.

I agree I would much rather have the option of a strong 20 character password in front of my YubiKey.

1

Hey, I don't want to open a new topic for this again. I see I am not the only one frustrated with this.


My mailbox will run out soon, but I will always be here in the forum and wait until your flawed password policy is finally addressed.


And btw: when legit darkmode?

1

Any news on this? Is it possible please to just answer this topic to let us know whether this will be done some day or never?


As there is no answer and no change, I guess we will just keep having the feature as it is and nothing more; at least it's better than nothing.

4

I'm sorry, but it's not equally secure. It's much much much more INsecure. It is. It is. It is insecure. It is. Totally. Really. Yes. It is.

mailbox.org does not only offer a web interface (like other services!) where we can restrict access and forbid any login with password only. We also offer many different services and protocols like SMTP, XMPP and much more (and much more will be added in the future) that must still be open for password logins. For those, a stolen/sniffed password CAN be used to gain access to different services and accounts.

It's totally not comparable to a single web page where a stolen password from an OTP+password login is useless.

We will NOT bring our users into insecure and unsafe situations, no matter how many people do not understand what is secure and what is not secure, and why/how different solutions on the market promise security but -- at the end -- do not keep their promises and are just a kind of fake and a risk for their users.

Sorry.

In general, we're rewriting our auth backend and there will be changes like different passwords and more ways to use OTP. But in no case will we enable an OTP login where the real password becomes compromised. We will not do that even if 95% of all users have not understood how OTP and password hijacking work and what kind of risky bullshit those solutions would be.


[Sorry, I wrote this 8 months ago, but I only saved it as a draft and haven't published it. My mistake. Sorry.]

2

Thank you very much for the answer :) Yes, I know that it is secure and how it works; it's just the fact that it remains a digits-only password...

> For general we're re-writing our auth-backend and there will be changes like different password

That would be amazing if we could have a second password for the web interface and/or a second password that would replace the PIN.

Thanks a lot, and great work you are doing here with your services, it's amazing :)

1

I am also frustrated by the implementation of 2FA and do not think it is very secure. The whole point of TWO-FACTOR is that it requires two separate factors to log in. So the choices that I have seen are that I can either have a strong password, OR I can enable the one-time password and essentially downgrade the security of my account (4-digit PIN + 6-digit OTP, essentially a 10-digit number - how hard would this be to brute force?? i.e. 1e+10 vs. my normal password 2.2e+102) while simultaneously making it more cumbersome to log in.

2

I think everyone will be happy if we could just use a secondary password instead of the PIN.

3

Yes, I agree; I think people would like that (I know I would).

1

Hey, OP here.


Mr. Heinlein, please!


We have enough support for this. Please make this proposal optional at least... :)


It would be greatly appreciated by the mailbox.org community.


Happy new year everyone.


PS: When darkmode :D

1

It is rather apparent that the community is trying to provide feedback on the MFA process that is currently being utilized and it's falling on stubborn ears. To me, it's really quite simple and can be summed up in a few facts.

The current MFA setup is confusing, disorganized, and poorly implemented. MFA implementation can prevent up to 90% of account takeovers. You would think that a developer who markets themselves as a security-focused provider would take much greater care in its implementation. I utilize MFA and U2F extensively and nowhere have I been limited to a 4-6 digit PIN and an OTP, nor have I had as much of a headache trying to implement it. Typically it's quite an easy process that takes only a few seconds.

Have you stopped and considered the possibility that you may be putting more of your users at risk because your implementation just doesn't work for them and is outside the norm of what they can easily do? Or is the fundamental right of security only supposed to be for the elite?

As for the PIN. A 4-6 digit PIN versus a string of longer characters is not more secure. It's not. No. It just isn't. Really. Not under any standard. If you feel that it is, I would strongly suggest you write a technical white paper and submit it to SANS for community review. The OTP that follows is simply an additional layer of protection provided by entropy or a physical token that the bad guys aren't going to have access to.

Regarding application access, and access via means other than the website: you guys are not the only ones who offer IMAP or SMTP access. As others have said, this is what app-specific passwords and modern authentication are for. With your current setup, users are forced to utilize their primary account password within their e-mail client. You're worried about password hijacking, but you're backing your users into a corner by doing this and giving the bad guys a password that is not tied to a specific system or application, but the master password that can be used for anything, including your website, which if accessed, would allow for a full account takeover.
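
An added example, not mailbox.org's code, of the app-specific-password model that the comment above and the earlier replies refer to, written against the constraint stated in the official reply that IMAP/SMTP/XMPP logins must still accept a plain password. The names (`Account`, `issue_app_password`, `authenticate_protocol`, `authenticate_web`), the protocol scopes, the PBKDF2 parameters and the sample passwords are assumptions for this illustration; the point it shows is that the protocol login path never accepts the master password, so a credential lifted from a mail client's config cannot be turned into a web-interface login.

```python
"""App-specific passwords: protocol logins never see the master password.

Added example, not mailbox.org code.  Names, scopes, hashing parameters and
the demo data are assumptions for the illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Iterable, Tuple

PROTOCOLS = {"imap", "smtp", "xmpp", "caldav"}
PBKDF2_ROUNDS = 100_000   # assumed work factor; tune for the server


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class AppPassword:
    label: str               # e.g. "Thunderbird on laptop"
    scope: FrozenSet[str]    # protocols this credential may log in to
    salt: bytes
    digest: bytes
    revoked: bool = False


@dataclass
class Account:
    master_salt: bytes
    master_digest: bytes
    otp_check: Callable[[str], bool]            # second factor, web login only
    app_passwords: Dict[str, AppPassword] = field(default_factory=dict)


def new_account(master_password: str, otp_check: Callable[[str], bool]) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt, _hash(master_password, salt), otp_check)


def issue_app_password(acct: Account, label: str, scope: Iterable[str]) -> Tuple[str, str]:
    """Mint a random credential bound to the given protocols.

    The plaintext is shown once so the user can paste it into the client;
    the server keeps only the salted hash.  It never needs to be memorable.
    """
    scope = frozenset(scope)
    if not scope <= PROTOCOLS:
        raise ValueError(f"unknown protocol in scope: {scope - PROTOCOLS}")
    plaintext = secrets.token_urlsafe(24)          # ~192 bits of entropy
    salt = secrets.token_bytes(16)
    pw_id = secrets.token_hex(4)
    acct.app_passwords[pw_id] = AppPassword(label, scope, salt, _hash(plaintext, salt))
    return pw_id, plaintext


def revoke_app_password(acct: Account, pw_id: str) -> None:
    """Lost the laptop?  Revoke that one credential; nothing else changes."""
    acct.app_passwords[pw_id].revoked = True


def authenticate_protocol(acct: Account, protocol: str, password: str) -> bool:
    """IMAP/SMTP/XMPP login path: password only, no OTP is possible here.

    Only a live app password whose scope includes this protocol is accepted.
    The master password is deliberately rejected, so a credential sniffed or
    read out of a mail client's config cannot be replayed against the web
    interface, and an IMAP-only credential cannot be used to send mail.
    """
    for ap in acct.app_passwords.values():
        if ap.revoked or protocol not in ap.scope:
            continue
        if hmac.compare_digest(_hash(password, ap.salt), ap.digest):
            return True
    return False


def authenticate_web(acct: Account, password: str, otp: str) -> bool:
    """Web login path: master password AND second factor; app passwords are not valid here."""
    if not hmac.compare_digest(_hash(password, acct.master_salt), acct.master_digest):
        return False
    return acct.otp_check(otp)


def demo() -> Dict[str, bool]:
    """Constructed walk-through; returns the outcome of each login attempt."""
    master = "correct horse battery staple"                              # constructed sample
    acct = new_account(master, otp_check=lambda code: code == "123456")  # stand-in OTP check
    pw_id, imap_pw = issue_app_password(acct, "Thunderbird on laptop", {"imap"})
    out = {
        "master_over_imap": authenticate_protocol(acct, "imap", master),   # False
        "app_pw_over_imap": authenticate_protocol(acct, "imap", imap_pw),  # True
        "app_pw_over_smtp": authenticate_protocol(acct, "smtp", imap_pw),  # False: out of scope
        "app_pw_over_web": authenticate_web(acct, imap_pw, "123456"),      # False
        "master_otp_over_web": authenticate_web(acct, master, "123456"),   # True
    }
    revoke_app_password(acct, pw_id)                                       # laptop stolen
    out["revoked_over_imap"] = authenticate_protocol(acct, "imap", imap_pw)  # False
    return out
```

Because each client gets its own random, scoped credential, revoking one does not force a master-password change or re-enrolment of the OTP factor, and the plaintext that an IMAP client has to store on disk is worth exactly one protocol on one device.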

1

Mr. Heinlein might be the victim of an optics problem. Maybe we are used to a form of security theater which provides a sense of security even though in reality it is not as secure as we think it is.

That being said: I don't think it is wise to sidetrack a community with confusion and frustration around the whole OTP/MFA topic.

I would really much like to be educated on why the current Mailbox.org OTP config is as secure as or more secure than outlook.com's or protonmail.com's or tutanota.com's security. I appreciate Mr. Heinlein's dedication to principles and security; I just cannot find the 'why' or 'how so' behind the reasoning. If you can elaborate, a video or podcast would be nice, or a blog article.

----

After using the Mailbox.org service for a few years or so and not seeing a significant change in the OTP topic here, I feel I'm getting a bit fatigued by it.

And to take a step back: my best experience is not typing in an OTP number or pressing a yubikey. It is FaceID or pressing [Approve] on my phone.