Welcome to the mailbox.org user forum!
 

SMS would be nice, even if it isn't OTP. Also, I have had troubles with mailbox

6307218 shared this problem 3 years ago
Published

OTP is clunky. Using a camera on my phone to scan a code to get a number, to enter a number. Managing the OTP software, profiles and having no offline backup of QR codes on Red Hat's app and having Google have all the QR codes instead on their app. Having the camera app running in the background etc. Some people might be okay with it, I'm sure.


I have tried twice to set up an account (trial account) and each time I am having difficulty in the password setup (it might be user error, I admit). I enable OTP properly and yet on logging out and back into the account I am presented only with a normal password entry (which fails). I also had a database error message when I created my first account :/


I will try again soon, but an SMS option is easier.


I have a suggestion: if you do use SMS, it might be cool to somehow use the ability to send encrypted texts to SMSsecure, Signal, Silence etc. users; that would remove the potential for harm for mobile email users using SMS dual authentication.


Thanks.


Edit: obviously this form worked for submission, but my login does not on the main page.

Comments (2)

photo
1

SMS-based authentication is out of date and it is not recommended to use it anymore. See: NIST Special Publication 800-63B

"Out of band verification using SMS is deprecated, and will no longer be allowed in future releases of this guidance."


Maybe encrypted SMS would be a little bit different, but I'm not sure, because most problems mentioned in security publications, like the SS7 problems, will affect SMSsecure or Signal too.


We will not use our limited developer resources to implement deprecated features. We will go for U2F; it is very easy to use and highly secure.


By the way: if you want to use a simple OTP without entering the code from your phone, we offer OTP with Yubikey. You have to plug in the Yubikey and press one button to put the OTP value in the input form for login.

photo
1

U2F seems good up until the part where the device has your fingerprint in a massive Google/Apple/Microsoft database and you start to need it for everything ;) Still, in concept the button version seems very good.

Btw, I don't know if you got the second part of my question. I have created a new trial account twice now and enabled OTP. On logging out and logging in again the password is not accepted and no OTP prompt is delivered. And yet I am here writing a response ... so I know the password is correct. I will not use mailbox.org for now; it is not working well with OTP settings for me, only when I create an account with just standard password in the settings.

Many thanks.

photo
1

Please read our FAQ article "How to use two-factor-auth". There you will find the description of where you have to enter the OTP value.

photo
1

Thanks, that helps a lot. However, if I may make a suggestion: not everyone is technical enough to understand (OK, you could say RTFM), but a simple description near the login user/password or sentence to describe "enter your PIN or user password"


The web form layout does nothing to highlight this other than a traditional username and password box.


Many thanks.
