dovecot - Jul 2022 - Is multi factor authentication practical/feasible?

Quoting Jochen Bern <Jochen.Bern at binect.de>:
> On 27.06.22 00:52, Steve Dondley wrote:
>> I have a small client whose insurance company insists they have MFA  
>> for their email to be covered under some kind of data protection  
>> policy. Currently I have the client set up on a Debian box for the  
>> email server coupled with roundcube for webmail. Most the users  
>> just use roundcube but some also use their mobile devices to check  
>> email. Maybe one person uses outlook. There?s about 5 to 10 users  
>> total.
>>
>> I know roundcube offers a MFA plugin. But I don?t have the foggiest  
>> idea how of an iPhone, Android device, or Outlook could all be set  
>> up to work with MFA with a standard dovecot/postfix setup. Are  
>> there any practical solutions for easily implementing MFA that  
>> could work across multiple devices?
>
> *Totally* theorizing here, but as far as I'm aware, the SMTP (AUTH),  
> POP, and IMAP protocol definitions do not provide elbow room to make  
> *two* rounds of authentication. (Ever pondered why the admin can  
> require O365 users to "use 2FA", but users then are still allowed
to
> create "application passwords", note plural and lack of standard
> password features like a limited lifetime for those?)
I implemented PrivacyIdea as a backend auth mechanism for dovecot once  
in the past.

I honestly don't recall the details, and I wasn't sure how to do it  
dynamically with multiple domans, but one domain worked fine.? It was  
due to the PI 'realm' separator being @, and using full email  
addresses for the username.?
I believed I used OTP for the user's webmail password and 'device  
password' for imap/smtp.

Rick
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20220701/c6cc5c65/attachment.htm>

> 
> 		I have a small client whose insurance company insists they
> have MFA for their email to be covered under some kind of data
> protection policy. Currently I have the client set up on a Debian box
> for the email server coupled with roundcube for webmail. Most the users
> just use roundcube but some also use their mobile devices to check
> email. Maybe one person uses outlook. There?s about 5 to 10 users total.
> 
> 		I know roundcube offers a MFA plugin. But I don?t have the
> foggiest idea how of an iPhone, Android device, or Outlook could all be
> set up to work with MFA with a standard dovecot/postfix setup. Are there
> any practical solutions for easily implementing MFA that could work
> across multiple devices?
> 
> 	*Totally* theorizing here, but as far as I'm aware, the SMTP
> (AUTH), POP, and IMAP protocol definitions do not provide elbow room to
> make *two* rounds of authentication. (Ever pondered why the admin can
> require O365 users to "use 2FA", but users then are still allowed
to
> create "application passwords", note plural and lack of standard
> password features like a limited lifetime for those?)
> 
The two factor became necessary for the big 'moron' companies who
decided to start using email addresses as logins so it was easier to track
people, because in that situation you only have to try commonly used passwords
or passwords used at a different application.
If you stay with an username that is not published publicly, the commonly known
password is still useless, since you do not have the username.
I think for a small organization you can push this implementation at the
insurance company. Unless of course they do not think ios and windows are not
secure enough to store your username ;)