On 7/6/22 12:09, Jochen Bern wrote:
> On 01.07.22 20:02, Jochen Bern wrote:
>> *Totally* theorizing here, but as far as I'm aware, the SMTP (AUTH),
>> POP, and IMAP protocol definitions do not provide elbow room to make
>> *two* rounds of authentication. (Ever pondered why the admin can
>> require O365 users to "use 2FA", but users then are still allowed to
>> create "application passwords", note plural and lack of standard
>> password features like a limited lifetime for those?)
>
> On 04.07.22 21:29, Michael Peddemors wrote:
>> The only problem is, having looked at several of these insurance
>> companies' forms, it is almost as if an o365 sales person wrote the
>> requirements.
>
> On 04.07.22 22:23, gene heskett wrote:
>> This seems to be a place where the ITEF (IETF?) has seriously dropped
>> the ball. They do not well understand the chaos that will be created if
>> THEY do not set a cast iron std that even Redmond can follow or go home.
>> I don't think we can scream that too loud if THEY don't get off the dime
>> and do something toward setting a standard.
>
> Speak of the devil ...
>
> Today, our company got hit by the
> 48h-unless-your-admins-abort-it-for-NOW rolling outages O365 does as
> an (un)friendly reminder that (what THEY call) "Basic Authentication"
> will be disabled on 01-Oct:
>
> https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online#re-enabling-and-opting-out-of-proactive-protection
>
> Apparently, they already wrote and published standards on how the
> world shall introduce "Modern Authentication" (OAuth 2.0) into
> protocols like POP and IMAP:
>
> https://docs.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth
>
> As far as I can see from what I tested today (mainly switching my
> Thunderbird from "Normal Password" to "OAuth"), clients effectively
> *have* to be "also a browser" (rendering the HTML for O365's login
> prompts, accepting and sending user input, storing the OAuth token as
> a HTTP cookie) to be able to do that. SMTP remains exempt from the
> requirement for now, on the theory that printers and the like may want
> to use it, and not be up to implementing the new stuff. (Otherwise,
> MS' position can be summarized as "our clients work great, Thunderbird
> succeeded in implementing it, if your client doesn't, go nag the vendor".)

And one more time we have allowed a sworn enemy to set the standard, shame on us.

> I wonder when our ticket systems apparently ceased handling e-mails
> (via SMTP *and IMAP*) outside our office hours so as *not* to qualify
> for a similar exception.
>
> Please excuse me for the rest of the day, I need to incinerate a
> neighbor-of-Nintendo-shaped effigy at today's company BBQ ...
>
> Regards,

Cheers, Gene Heskett.
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page <http://geneslinuxbox.net:6309/>
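The Microsoft document Jochen links in the message above describes the SASL XOAUTH2 mechanism that IMAP and POP clients use once they hold an access token; the "also a browser" part is obtaining that token, while the mail-protocol side reduces to a single base64 argument. The following Python is an added example for this archive page, not code from Microsoft, Dovecot, Thunderbird or any poster: it builds the XOAUTH2 initial response a client sends with `A01 AUTHENTICATE XOAUTH2 <blob>`, and the parsing and checks a server would do before accepting it. The user name, the access token and the `lookup_token` table are constructed placeholders standing in for a real identity provider's token validation.

```python
import base64

SOH = "\x01"  # XOAUTH2 separates its fields with a single 0x01 (SOH) byte


def xoauth2_initial_response(user, access_token):
    """Client side.

    Encodes  user=<user>SOH auth=Bearer <token>SOH SOH  as base64.  The result
    is the one argument sent as 'A01 AUTHENTICATE XOAUTH2 <blob>' (IMAP) or
    'AUTH XOAUTH2 <blob>' (POP3/SMTP); nothing else about the protocol changes.
    """
    if SOH in user or SOH in access_token:
        raise ValueError("SOH byte must not appear in user or token")
    raw = f"user={user}{SOH}auth=Bearer {access_token}{SOH}{SOH}"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_xoauth2_initial_response(blob):
    """Server side: strict decode of the client's argument.

    Returns {'user': ..., 'token': ...} or raises ValueError for anything that
    is not exactly the XOAUTH2 shape (bad base64, missing terminator, extra,
    missing or duplicate fields, non-Bearer scheme).
    """
    try:
        raw = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
        raise ValueError("argument is not valid base64/UTF-8") from exc
    if not raw.endswith(SOH + SOH):
        raise ValueError("missing terminating SOH SOH")
    fields = {}
    for field in raw[:-2].split(SOH):
        key, sep, value = field.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed field {field!r}")
        if key in fields:
            raise ValueError(f"duplicate field {key!r}")
        fields[key] = value
    if set(fields) != {"user", "auth"}:
        raise ValueError(f"unexpected field set {sorted(fields)}")
    scheme, _, token = fields["auth"].partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("auth field must be 'Bearer <token>'")
    return {"user": fields["user"], "token": token}


# Constructed stand-in for real token validation (introspection at the
# identity provider, or verifying a signed JWT).  Maps token -> claims.
VALID_TOKENS = {
    "tok-constructed-123": {"sub": "alice@example.com", "scope": "mail.read"},
}


def lookup_token(token):
    """Hypothetical validator: returns the token's claims, or None if unknown."""
    return VALID_TOKENS.get(token)


def server_authenticate(tag, blob):
    """Simulated IMAP server handling '<tag> AUTHENTICATE XOAUTH2 <blob>'.

    Returns (accepted, reply_line).  The check that matters beyond parsing:
    the token must be valid *and* issued for the user named in the blob,
    otherwise any valid token would log in as any user.
    """
    try:
        req = parse_xoauth2_initial_response(blob)
        claims = lookup_token(req["token"])
        if claims is None:
            raise PermissionError("token not valid")
        if claims["sub"].lower() != req["user"].lower():
            raise PermissionError("token not issued for this user")
    except (ValueError, PermissionError) as exc:
        return False, f"{tag} NO AUTHENTICATE failed: {exc}"
    return True, f"{tag} OK AUTHENTICATE completed"


if __name__ == "__main__":
    good = xoauth2_initial_response("alice@example.com", "tok-constructed-123")
    print("C: A01 AUTHENTICATE XOAUTH2", good)
    print("S:", server_authenticate("A01", good)[1])
    # Someone replaying alice's token under bob's name must be refused.
    bad = xoauth2_initial_response("bob@example.com", "tok-constructed-123")
    print("C: A02 AUTHENTICATE XOAUTH2", bad)
    print("S:", server_authenticate("A02", bad)[1])
```

A real server would replace `lookup_token` with token introspection or JWT signature verification and additionally check the token's audience and scope for the mail service; the user-versus-subject comparison is the check worth keeping whatever the validator is, since the user name in the blob is client-supplied.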
Michael Peddemors
2022-Jul-06 22:12 UTC
Is multi factor authentication practical/feasible?
On 2022-07-06 10:17, gene heskett wrote:
>> As far as I can see from what I tested today (mainly switching my
>> Thunderbird from "Normal Password" to "OAuth"), clients effectively
>> *have* to be "also a browser" (rendering the HTML for O365's login
>> prompts, accepting and sending user input, storing the OAuth token as
>> a HTTP cookie) to be able to do that. SMTP remains exempt from the
>> requirement for now, on the theory that printers and the like may want
>> to use it, and not be up to implementing the new stuff. (Otherwise,
>> MS' position can be summarized as "our clients work great, Thunderbird
>> succeeded in implementing it, if your client doesn't, go nag the vendor".)
> And one more time we have allowed a sworn enemy to set the standard,
> shame on us.

Getting a little off topic, but yes.. I believe Dovecot also sees the threat for all its users, if authentication processes are forced in a direction that only favours the big three. Which is why I hope it gets more open with allowing 3rd parties to contribute to Dovecot as plugins that support other methods of 2FA..

Sworn Enemy? Not if you have shares in your 401k/RRSP they aren't. These are smart business moves to consolidate the market for them, which in turn means stock prices go up. But it will be a terrible world if interoperability between independent email providers and the big three is threatened, or if they are forced to 'drink the koolaid'.

But it is nice to see products like Thunderbird and others supporting alternative means of 2FA; I'd just like to see Dovecot support them as well, natively or through plugins.

Just my two bits..

-- 
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada