Password recovery process and security flaw
A few days ago I was playing with OTP methods and tried TOTP with SHA-256, but it was not compatible with the iOS app I was using.
Anyway, technical support was fast and suggested that I start the password recovery process, because it resets the OTP codes. Then you can log in normally with the new password.
There are three ways to reset the password of the account if you have OTP enabled:
- secondary email (if you have set one);
- phone number (if you have set one);
- receive an email in your mailbox.org mailbox if you still have IMAP access.
I used the third option because Thunderbird was working, since OTP + PIN is only for web access in mailbox.org.
And here is the problem:
If the email client is compromised, the password is saved in plain text, the notebook is stolen, etc., someone could reset the entire account just by sending a recovery email.
If they have your password, they can access your emails via IMAP and receive the recovery one.
This may sound like I'm paranoid.
But, since neither we nor mailbox.org have control over the source code of the email clients, it's a security flaw.
We can't control whether the network we are on is being sniffed.
It would be better to add app passwords for individual email clients or apps.
Or at least remove the third option and force users to add a recovery option.
This is not so privacy-oriented, because you force users to give more personal info, but I prefer security at a small privacy cost.
Maybe adding recovery codes for 2FA could be a viable option.
I'm just putting ideas here; I don't know if it's technically manageable or if I've gone too far.
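The SHA-256 incompatibility mentioned at the top of the post comes from the HMAC hash being part of the TOTP computation: the same secret produces different codes under SHA-1 and SHA-256, so an authenticator app that ignores the `algorithm` parameter of the otpauth URI and always uses SHA-1 will reject every code the server expects. The following is an added example, not code from the post or from mailbox.org: a small RFC 4226/6238 implementation with the hash function as a parameter, checked against the RFC test vectors (the seeds below are the RFC's published test values, not real secrets).

```python
import base64
import hashlib
import hmac
import struct
import time

# Added example (not from the original post): HOTP/TOTP with a selectable
# HMAC hash, to show why a SHA-256 secret never validates in a SHA-1-only app.


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HOTP (RFC 4226). `algorithm` is any hashlib name: sha1, sha256, sha512."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226 5.3)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """TOTP (RFC 6238): HOTP over the number of `step`-second periods since the epoch."""
    return hotp(secret, timestamp // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, timestamp: int, algorithm: str = "sha1",
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Accept the current period or up to `window` periods of clock drift either side.
    hmac.compare_digest keeps the string comparison constant-time."""
    for drift in range(-window, window + 1):
        expected = totp(secret, timestamp + drift * step, step, digits, algorithm)
        if hmac.compare_digest(expected, code):
            return True
    return False


def codes_for_all_algorithms(secret: bytes, timestamp: int, step: int = 30,
                             digits: int = 6) -> dict:
    """Same secret, same instant, three hashes: three different codes."""
    return {alg: totp(secret, timestamp, step, digits, alg)
            for alg in ("sha1", "sha256", "sha512")}


def secret_from_otpauth_base32(b32: str) -> bytes:
    """Decode the base32 secret carried in an otpauth:// URI (padding is usually omitted)."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


if __name__ == "__main__":
    seed = b"12345678901234567890"      # RFC 4226 test seed, not a real secret
    now = int(time.time())
    print(codes_for_all_algorithms(seed, now))
    # An app hard-wired to SHA-1 would present codes["sha1"]; a server
    # provisioned with algorithm=SHA256 expects codes["sha256"] and rejects it.
```

The test vectors are taken from RFC 4226 Appendix D and RFC 6238 Appendix B; note that the RFC uses a 20-byte seed for SHA-1, a 32-byte seed for SHA-256 and a 64-byte seed for SHA-512.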
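The recovery-code idea at the end of the post is how most 2FA deployments avoid depending on an in-mailbox recovery email: a short list of single-use codes is shown once at enrollment, the server keeps only salted hashes, and each code is invalidated the moment it is accepted. The block below is an added illustration of that scheme, written for this page and not taken from the post or from any mailbox.org code; the PBKDF2 round count and code length are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets

# Added example (not from the original post): single-use 2FA recovery codes.
# Codes come from a CSPRNG, are stored only as salted PBKDF2 hashes, and are
# marked used on first successful redemption.

CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"   # drops 0/o, 1/l/i to avoid typos
PBKDF2_ROUNDS = 30_000                              # assumed value; tune to your hardware


def normalize(code: str) -> str:
    """Users type codes with dashes, spaces and mixed case; compare the canonical form."""
    return code.strip().replace("-", "").replace(" ", "").lower()


def _hash(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, PBKDF2_ROUNDS)


def generate_recovery_codes(count: int = 8, length: int = 10):
    """Return (plaintext codes to display once, records to persist).
    The plaintext list is never stored server-side."""
    plaintext, records = [], []
    for _ in range(count):
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(length))
        plaintext.append(f"{raw[:length // 2]}-{raw[length // 2:]}")
        salt = secrets.token_bytes(16)
        records.append({"salt": salt, "hash": _hash(raw, salt), "used": False})
    return plaintext, records


def redeem_recovery_code(records, candidate: str) -> bool:
    """Check `candidate` against every unused record; consume the match and return True.
    All records are hashed even after a hit so timing does not reveal the match position."""
    matched = None
    for rec in records:
        if rec["used"]:
            continue
        if hmac.compare_digest(_hash(candidate, rec["salt"]), rec["hash"]):
            matched = rec
    if matched is None:
        return False
    matched["used"] = True
    return True


def remaining(records) -> int:
    """How many unused codes are left; prompt the user to regenerate when this gets low."""
    return sum(1 for rec in records if not rec["used"])


if __name__ == "__main__":
    shown, stored = generate_recovery_codes()
    print("Show once to the user:", shown)
    print("First use accepted:", redeem_recovery_code(stored, shown[0]))
    print("Replay rejected:  ", redeem_recovery_code(stored, shown[0]))
    print("Codes left:", remaining(stored))
```

Because a recovery code is a full second factor, a successful redemption should be treated like a TOTP login (rate-limited, logged, and the user notified out of band), and the list should be regenerated after the OTP secret is reset.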