> > I have a small client whose insurance company insists they have MFA for their email to be covered under some kind of data protection policy. Currently I have the client set up on a Debian box for the email server coupled with roundcube for webmail. Most of the users just use roundcube but some also use their mobile devices to check email. Maybe one person uses outlook. There's about 5 to 10 users total.
> >
> > I know roundcube offers a MFA plugin. But I don't have the foggiest idea how an iPhone, Android device, or Outlook could all be set up to work with MFA with a standard dovecot/postfix setup. Are there any practical solutions for easily implementing MFA that could work across multiple devices?
>
> *Totally* theorizing here, but as far as I'm aware, the SMTP (AUTH), POP, and IMAP protocol definitions do not provide elbow room to make *two* rounds of authentication. (Ever pondered why the admin can require O365 users to "use 2FA", but users then are still allowed to create "application passwords", note plural and lack of standard password features like a limited lifetime for those?)

The two factor became necessary for the big 'moron' companies who decided to start using email addresses as logins so it was easier to track people, because in that situation you only have to try commonly used passwords or passwords used at a different application. If you stay with a username that is not published publicly, the commonly known password is still useless, since you do not have the username. I think for a small organization you can push this implementation at the insurance company. Unless of course they do not think ios and windows are not secure enough to store your username ;)
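The quoted reply above points at the usual workaround for clients that speak plain IMAP/SMTP AUTH: per-device "application passwords", and notes that the hosted versions lack a limited lifetime. The following is an added illustration, not code from this thread nor from Dovecot, Postfix or Roundcube, of how a small site could keep such a store with the missing properties: one random password per device, a fixed lifetime, per-device revocation, and only salted PBKDF2 digests on disk. The store layout, the 90-day lifetime and the idea that a checkpassword-style auth backend would consult it are assumptions of this example.

```python
"""Per-device application passwords with a lifetime and revocation.

Constructed example: a small credential store that an IMAP/SMTP auth
backend (e.g. a checkpassword-style script) could consult. Nothing
here is Dovecot or Postfix code; the record layout is an assumption.
"""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PBKDF2_ITERATIONS = 200_000
DEFAULT_LIFETIME_SECONDS = 90 * 24 * 3600  # 90 days, chosen for the example


@dataclass
class AppPassword:
    device: str          # label such as "iphone" or "outlook-laptop"
    salt: bytes
    digest: bytes        # PBKDF2-HMAC-SHA256 of the plaintext; plaintext is never kept
    created: float
    expires: float
    revoked: bool = False


@dataclass
class AppPasswordStore:
    # username -> list of AppPassword records (in memory for the example)
    _records: Dict[str, List[AppPassword]] = field(default_factory=dict)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def issue(self, user: str, device: str,
              lifetime: float = DEFAULT_LIFETIME_SECONDS,
              now: Optional[float] = None) -> str:
        """Create a random password for one device.

        The plaintext is returned once for the user to type into the
        client and is not stored; only its salted digest is kept.
        """
        now = time.time() if now is None else now
        plaintext = secrets.token_urlsafe(24)
        salt = os.urandom(16)
        rec = AppPassword(device, salt, self._hash(plaintext, salt), now, now + lifetime)
        self._records.setdefault(user, []).append(rec)
        return plaintext

    def verify(self, user: str, password: str,
               now: Optional[float] = None) -> Optional[str]:
        """Return the device label of the matching live credential, or None.

        Expired and revoked records are skipped before the digest is
        compared, so a leaked old password stops working on its own.
        """
        now = time.time() if now is None else now
        for rec in self._records.get(user, []):
            if rec.revoked or now >= rec.expires:
                continue
            if hmac.compare_digest(self._hash(password, rec.salt), rec.digest):
                return rec.device
        return None

    def revoke(self, user: str, device: str) -> int:
        """Revoke every credential for one device (e.g. a lost phone).

        Returns how many records were revoked.
        """
        n = 0
        for rec in self._records.get(user, []):
            if rec.device == device and not rec.revoked:
                rec.revoked = True
                n += 1
        return n

    def list_active(self, user: str, now: Optional[float] = None) -> List[str]:
        """Device labels that still have a usable credential."""
        now = time.time() if now is None else now
        return [r.device for r in self._records.get(user, [])
                if not r.revoked and now < r.expires]


if __name__ == "__main__":
    store = AppPasswordStore()
    pw = store.issue("alice", "iphone")
    print("verify ->", store.verify("alice", pw))        # iphone
    store.revoke("alice", "iphone")
    print("after revoke ->", store.verify("alice", pw))  # None
```

Because `verify` returns the device label, the auth backend can log which device authenticated, which is what makes revoking one lost phone without touching the others practical.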
On 7/2/22 10:15, Marc wrote:
> The two factor became necessary for the big 'moron' companies who decided to start using email addresses as logins so it was easier to track people, because in that situation you only have to try commonly used passwords or passwords used at a different application.

Maybe some companies are using e-mail addresses for tracking. But I can tell you that most times users want to use their e-mail address for login because that's what they easily memorize.

> If you stay with a username that is not published publicly, the commonly known password is still useless, since you do not have the username.

Whether that protects you depends on your threat model. In my world I regard the confidentiality of usernames to be near zero. And I'm in the camp that recommends not to use usernames based on person names (unguessable or even completely random).

> Unless of course they do not think ios and windows are not secure enough to store your username ;)

Indeed my threat model includes breaches concerning the local storage of all sorts of MUAs. Unfortunately there's currently no real solution for this.

Ciao, Michael.
justina colmena ~biz
2022-Jul-02 15:32 UTC
Is multi factor authentication practical/feasible?
Guns are banned and there's a night guard with a Big Mag flashlight or a billy club walking the beat around the bank, kicking a homeless man who fell asleep on the sidewalk to tell him wake up or your pocket's going to be picked clean by morning, because you've got too much money in your name for your own good anyways, if you've got any teeth left in your mouth or can afford the dentist's bill for that.

On Saturday, July 2, 2022 12:15:09 AM AKDT, Marc wrote:
>> I have a small client whose insurance company insists they have MFA for their email to be covered under some kind of data protection policy. Currently I have the client set up on a Debian box for the email server coupled with roundcube for webmail. Most of the users just use roundcube but some also use their mobile devices to check ...
>
> The two factor became necessary for the big 'moron' companies who decided to start using email addresses as logins so it was easier to track people, because in that situation you only have to try commonly used passwords or passwords used at a different application.
> If you stay with a username that is not published publicly, the commonly known password is still useless, since you do not have the username.
> I think for a small organization you can push this implementation at the insurance company. Unless of course they do not think ios and windows are not secure enough to store your username ;)