I have a small client whose insurance company insists they have MFA for their email to be covered under some kind of data protection policy. Currently I have the client set up on a Debian box for the email server coupled with roundcube for webmail. Most of the users just use roundcube but some also use their mobile devices to check email. Maybe one person uses Outlook. There's about 5 to 10 users total.

I know roundcube offers an MFA plugin. But I don't have the foggiest idea how an iPhone, Android device, or Outlook could all be set up to work with MFA with a standard dovecot/postfix setup. Are there any practical solutions for easily implementing MFA that could work across multiple devices?
On Sun, Jun 26, 2022 at 06:52:05PM -0400, Steve Dondley wrote:

> I know roundcube offers an MFA plugin. But I don't have the foggiest
> idea how an iPhone, Android device, or Outlook could all be set up
> to work with MFA with a standard dovecot/postfix setup.

I'm currently vague on whether/how these can be integrated with dovecot/postfix, but ...

> Are there any practical solutions for easily implementing MFA that
> could work across multiple devices?

... there exist several cross-platform hardware tokens:

- https://www.nitrokey.com/
- https://www.yubico.com
- https://www.nytimes.com/wirecutter/reviews/best-security-keys/

and time-based one-time passwords ("TOTP") are also cross-platform:

- https://en.wikipedia.org/wiki/Time-based_one-time_password
- https://en.wikipedia.org/wiki/FreeOTP
- https://en.wikipedia.org/wiki/Google_Authenticator
- https://en.wikipedia.org/wiki/LinOTP
- https://www.macrumors.com/2021/06/07/ios-15-built-in-password-authenticator/

Please update the thread if you make any progress.

Thanks!
Sam
justina colmena ~biz
2022-Jun-27 14:53 UTC
Is multi factor authentication practical/feasible?
I don't see why not.

Dovecot and Postfix are entirely configurable to connect to and use any desired authentication mechanism through certain basic interfaces.

The main problem I have experienced with MFA is a continual battle with extortion, "long cons," and thievery in law -- that the thieves are able to obtain one of the necessary factors for authentication -- a dongle or cell phone app or access to a cell phone number, or surveillance intelligence on calls or texts, whatnot -- whether by force or deception -- and then deny the targeted individual access to his or her own account.

Later on, after the victim has given up, the thieves are able to obtain the other factors for authentication, and then proceed to social-engineer a false account recovery using the victim's stolen I.D. -- and then they often as not falsely report the victim to gullible or complicit police forces as the thief.

If the victim cannot be successfully accused of theft in court, the "thieves in law" at work with inside help in government and law enforcement communities are able to cast identity theft as a mental illness akin to dissociative identity disorder -- to which the government offers nothing but a mental health "recovery" plan which does not include any actual recovery of the stolen assets in a person's name.

* https://www.identitytheft.gov/
* https://www.robodeidentidad.gov/

Casting identity theft as a mental health issue further enables thieves to take control of a victim's finances by possibly being appointed as guardians or payees in court. For the same reasons of legalized theft, extortion, and wrongful appropriation through state, local, military and federal court systems, individuals with similar names to known criminals are not allowed to hold significant assets in their names or possess firearms or obtain employment in sensitive positions in the United States.

* https://en.wikipedia.org/wiki/Thief_in_law
On 27.06.22 00:52, Steve Dondley wrote:

*Totally* theorizing here, but as far as I'm aware, the SMTP (AUTH), POP, and IMAP protocol definitions do not provide elbow room to make *two* rounds of authentication. (Ever pondered why the admin can require O365 users to "use 2FA", but users then are still allowed to create "application passwords", note plural and lack of standard password features like a limited lifetime for those?)

If I'm correct with that, and if you have to provide these protocols, there are three options:

1. Users need to roll their memorized password and an OTP from a token into *one* combined password they enter (seen that in some early 2FA implementations when CLI/GUI login procedures did not yet have support for multiple rounds built in)

2. User needs to enter his "password" (PIN, actually) into the *token* to make it spit out a (valid) OTP, and *that* is then the "password" he sends to the servers (some people will insist that this "is not 2FA")

3. Servers/backends have a way to communicate with the token directly (ideally so that the user gets the password-to-enter via the token, say, per SMS, but for *that* to work out, you need that *every* piece of software used is willing and able to forward the info "user X wants to make an attempt at auth" *before* it also has the password at hand)

Good luck,
-- 
Jochen Bern
Systemingenieur
Binect GmbH
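Option 1 from the message above, worked through as an added Python example that is not code from the thread or from Dovecot: the client submits one string, the verifier splits off a trailing 6-digit RFC 6238 TOTP and checks the memorized password and the OTP as separate factors. The PBKDF2 password hash, salt and TOTP secret are constructed demo values; in a real deployment this logic would sit behind a Dovecot passdb (e.g. a checkpassword or Lua script), which is an assumption of the example.

```python
import hashlib
import hmac
import struct

OTP_DIGITS = 6          # length of the one-time code appended to the password
TOTP_STEP = 30          # RFC 6238 time step in seconds
PBKDF2_ROUNDS = 100_000  # constructed demo setting for the password hash


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the current Unix time divided by the step."""
    return hotp(secret, now // step)


def make_password_hash(password: str, salt: bytes) -> str:
    """Hash the memorized factor for storage (PBKDF2-SHA256, a constructed scheme for this demo)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()


def split_combined(entered: str, digits: int = OTP_DIGITS):
    """Split '<password><otp>' as the mail client submits it; None if there is no well-formed OTP suffix."""
    if len(entered) <= digits or not entered[-digits:].isdigit():
        return None
    return entered[:-digits], entered[-digits:]


def verify_combined(entered: str, pw_hash: str, salt: bytes, otp_secret: bytes,
                    now: int, skew: int = 1) -> bool:
    """Accept only if the password matches AND the OTP is valid for the current step +/- skew steps."""
    parts = split_combined(entered)
    if parts is None:
        return False
    password, otp = parts
    # First factor: constant-time comparison against the stored hash.
    pw_ok = hmac.compare_digest(make_password_hash(password, salt), pw_hash)
    # Second factor: tolerate small clock drift between the user's phone and the server, nothing more.
    otp_ok = any(hmac.compare_digest(totp(otp_secret, now + d * TOTP_STEP), otp)
                 for d in range(-skew, skew + 1))
    return pw_ok and otp_ok
```

A real passdb should additionally record the last accepted time step per user so the same OTP cannot be replayed within its 30-second window, and should rate-limit failures, since the OTP suffix alone has only a million possible values.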
Michael Peddemors
2022-Jul-04 19:29 UTC
Is multi factor authentication practical/feasible?
It IS possible to use 2FA on Dovecot, but it would be better if Dovecot supported options by Plugins to control what supported 2FA options are supported in the CAPABILITIES string. (Ongoing problem getting more power in the handles of 3rd party plugins for Dovecot, politics.. )

HOWEVER, there are many ways if you 'roll your own' dovecot, eg can apply patches to the build process. We do this.

Having said that, yes.. especially in North America this push by insurance agents for 2FA is driven by the ransomware problems, and gives an insurance company a way out.. The only problem is, having looked at several of these insurance companies' forms, it is almost as if an o365 sales person wrote the requirements. And even IF you apply a 2FA (eg a 2nd factor) you might find that the insurance documents will not accept anything other than what their legal department defined as 2FA..

The biggest problem is not the use of 2FA, it is making 2FA transparent and simple enough for end users to adopt. End users don't want to mess with a second factor they have to add, or a hardware dongle, or giving their cell # out.. And the industry has to come together, otherwise you will quickly find out insurance companies ONLY accept 2FA from one or two closed source companies..

Which is why once again, I wish that Dovecot would take a leadership role in this, and allow more 3rd party plugins to be available to address this business need.

(Oh, on the side, there ARE some ways you actually do 2FA transparently, but of course the email client has to understand it. But while you can do 'tricks' even in IMAP for 2FA, we need to think that the same method should work for ALL communication channels which utilize the same credentials, eg IMAP/SMTP/POP, even other things like caldav/carddav etc)

-- Michael --