Welcome to the mailbox.org user forum!
 

Request - 2FA on all protocols

4217883 shared this idea 10 months ago
Proposed

Hi,


I'm a big fan of Mailbox.org and a security nerd.

I know you probably get a lot of questions around 2FA, sorry to bother with another one.


It makes me nervous that 2FA is only on HTTPS and not on the other protocols like IMAP. It seems if someone got my password, 2FA wouldn't really do anything in this case. Assuming the attacker was smart enough to try my password against all protocols 2FA wouldn't stop them.


Is it possible to add it to the road map to add 2FA protection to all email protocols?


Thanks,

Jon

Comments (3)

photo
1

There is no way to implement this. There isn’t a standard way for clients to prompt for a second factor. What other providers do is to issues clients app-specific passwords . This is basically a dedicated password per client that gives them access over one specific protocol so the main password and access to the 2FA-protected webmail and account settings.

photo
1

Agree with the answer from "DA".

photo
1

If that is really the only way, than the request would be if we will ever be possible to generate such app-specific passwords. Or a similar mechanism that would also bind a generated app-specific password to a certain context.

A while back users were required to generate their own app-specific passwords in Microsoft or Gmail accounts. You could use password (for example outlook) on different computers / devices. Nowadays the generation of such passwords is more automated and users are not even asked to copy past those passwords anymore. Different devices and applications have started to support 2FA (possibly with app-specific passwords generation under the hood). I am even doubtful if one could extract such a password and re-use it in a different context. I get the idea that Microsoft and Google (example) would somehow detect the use of the same password from a different context.

Leaving other parties for what they are and circling back to the issue at hand in Mailbox.org: I agree with the topic starter that there is no way to protect nor detect current logins on the IMAP protocol from untrusted devices. The next layer of defense would be PGP/MailGuard which I think should not be the next layer.

As the topic starter asked, I would like to know if there is any future of Mailbox.org extra protecting authentication on the IMAP/other protocols. Any updates considering protection or detection would be helpful.

Having a generated password per device and seeing from where it logs in and even possible linking it to the device and prevent the re-use would help. (Obviously any other implementation towards multi-factor would also be helpful; just thinking along with the stated technical limitations.)