Michael Peddemors
2022-Jul-06 22:12 UTC
Is multi factor authentication practical/feasible?
On 2022-07-06 10:17, gene heskett wrote:
>> As far as I can see from what I tested today (mainly switching my
>> Thunderbird from "Normal Password" to "OAuth"), Clients effectively
>> *have* to be "also a browser" (rendering the HTML for O365's login
>> prompts, accepting and sending user input, storing the OAuth token as
>> a HTTP cookie) to be able to do that. SMTP remains exempt from the
>> requirement for now, on the theory that printers and the like may want
>> to use it, and not be up to implementing the new stuff. (Otherwise,
>> MS' position can be summarized as "our clients work great, Thunderbird
>> succeeded in implementing it, if your client doesn't, go nag the vendor".)
>
> And one more time we have allowed a sworn enemy to set the standard,
> shame on us.

Getting a little off topic, but yes.. I believe Dovecot also sees the threat for all its users, if authentication processes are forced in a direction that only favours the big three.

Which is why I hope it gets more open with allowing 3rd parties to contribute to Dovecot as plugins, that support other methods of 2FA..

Sworn Enemy? Not if you have shares in your 401k/RRSP they aren't. These are smart business moves to consolidate the market for them, which in turn means stock prices go up.

But it will be a terrible world, if interoperability between independent email providers, and the big three are threatened, or if they are forced to 'drink the koolaid'.

But it is nice to see products like Thunderbird and others supporting alternative means of 2FA, just like to see Dovecot support them as well natively, or through plugins.

Just my two bits..

--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.

On 7/6/22 18:15, Michael Peddemors wrote:
> On 2022-07-06 10:17, gene heskett wrote:
>>> As far as I can see from what I tested today (mainly switching my
>>> Thunderbird from "Normal Password" to "OAuth"), Clients effectively
>>> *have* to be "also a browser" (rendering the HTML for O365's login
>>> prompts, accepting and sending user input, storing the OAuth token
>>> as a HTTP cookie) to be able to do that. SMTP remains exempt from
>>> the requirement for now, on the theory that printers and the like
>>> may want to use it, and not be up to implementing the new stuff.
>>> (Otherwise, MS' position can be summarized as "our clients work
>>> great, Thunderbird succeeded in implementing it, if your client
>>> doesn't, go nag the vendor".)
>
>> And one more time we have allowed a sworn enemy to set the standard,
>> shame on us.
>
> Getting a little off topic, but yes.. I believe Dovecot also sees the
> threat for all its users, if authentication processes are forced in a
> direction that only favours the big three.
>
> Which is why I hope it gets more open with allowing 3rd parties to
> contribute to Dovecot as plugins, that support other methods of 2FA..
>
> Sworn Enemy? Not if you have shares in your 401k/RRSP they aren't.
> These are smart business moves to consolidate the market for them,
> which in turn means stock prices go up.
>

Yes, many years ago, what little I knew about windows nt-3.51 led me to believe it had a timer set for a random number in the 2 to 4 year category, that deleted its main dll when the timer expired, I put the drive in a different machine and dug around in it after it failed in the night, and the failure was costing us around 5g's a day in airing the wrong commercials for our market area. I did find a suspicious shell script, but didn't find the timer. So time was of the essence and since it was a CBS supplied machine I had no access to its license number so the support person refused to supply the now missing library and called me a pirate several times during our conversation. To this day I may be forced to buy a windows license as part of the sale, but the windows install will be wiped when it arrives on my property. So I either build my own, or buy used w/o a hard drive and sticker. Old Dells, with linux installed have a lot of miles left in them. So other than that, we're on the same page.

> But it will be a terrible world, if interoperability between
> independent email providers, and the big three are threatened, or if
> they are forced to 'drink the koolaid'.
>

I can't drink the koolaid, way too much sugar and I'm a DM-II for nearly 40 years.

> But it is nice to see products like Thunderbird and others supporting
> alternative means of 2FA, just like to see Dovecot support them as
> well natively, or through plugins.

Since my own net provider's mail server is dovecot, and so far it Just Works, I am happy but concerned because being the only game on this ball of rock and water is BG's dream.

>
> Just my two bits..
>

Mine too. Take care and stay well, Michael Peddemors

Cheers, Gene Heskett.
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
 -Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
 - Louis D. Brandeis
Genes Web page <http://geneslinuxbox.net:6309/>

> On 07/07/2022 01:12 EEST Michael Peddemors <michael at linuxmagic.com> wrote:
>
> On 2022-07-06 10:17, gene heskett wrote:
> >> As far as I can see from what I tested today (mainly switching my
> >> Thunderbird from "Normal Password" to "OAuth"), Clients effectively
> >> *have* to be "also a browser" (rendering the HTML for O365's login
> >> prompts, accepting and sending user input, storing the OAuth token as
> >> a HTTP cookie) to be able to do that. SMTP remains exempt from the
> >> requirement for now, on the theory that printers and the like may want
> >> to use it, and not be up to implementing the new stuff. (Otherwise,
> >> MS' position can be summarized as "our clients work great, Thunderbird
> >> succeeded in implementing it, if your client doesn't, go nag the vendor".)
> >
> > And one more time we have allowed a sworn enemy to set the standard,
> > shame on us.
>
> Getting a little off topic, but yes.. I believe Dovecot also sees the
> threat for all its users, if authentication processes are forced in a
> direction that only favours the big three.
>
> Which is why I hope it gets more open with allowing 3rd parties to
> contribute to Dovecot as plugins, that support other methods of 2FA..
>
> Sworn Enemy? Not if you have shares in your 401k/RRSP they aren't.
> These are smart business moves to consolidate the market for them, which
> in turn means stock prices go up.
>
> But it will be a terrible world, if interoperability between independent
> email providers, and the big three are threatened, or if they are
> forced to 'drink the koolaid'.
>
> But it is nice to see products like Thunderbird and others supporting
> alternative means of 2FA, just like to see Dovecot support them as well
> natively, or through plugins.
>
> Just my two bits..
>

FWIW I think OAuth2 is the modern way to actually do MFA authentication. There is some progress in Mozilla world (and hopefully other mail clients) to allow OAuth2 to work outside the "big three" circle.

Mostly this is a *client development issue*, the server-side already mostly supports all the bits you need to roll your own MFA with OAuth2 using off the shelf components. No need to pay microsoft or google.

An alternative to OAuth2, which works pretty well today, is to use device passwords.

Also, Michael's code that we would love us to merge, will possibly some day be merged, and hopefully he will provide the client-side of it to benefit the community too?

Aki
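
The thread discusses mail clients obtaining an OAuth2 token and presenting it to an IMAP/SMTP server. As an added illustration (not code from Dovecot, Thunderbird or anyone in the thread), the sketch below shows how the token is carried in the SASL XOAUTH2 and OAUTHBEARER (RFC 7628) initial responses and how a server can parse them before validating the token with its identity provider. The addresses, host name and token values are constructed samples.

```python
import base64

SEP = "\x01"  # kvsep: separates key=value fields in both mechanisms

def _esc(name):
    # GS2 header rule (RFC 5801, reused by RFC 7628): escape '=' and ','
    return name.replace("=", "=3D").replace(",", "=2C")

def xoauth2_response(user, token):
    raw = f"user={user}{SEP}auth=Bearer {token}{SEP}{SEP}"
    return base64.b64encode(raw.encode()).decode()

def oauthbearer_response(user, token, host, port):
    raw = (f"n,a={_esc(user)},{SEP}host={host}{SEP}port={port}{SEP}"
           f"auth=Bearer {token}{SEP}{SEP}")
    return base64.b64encode(raw.encode()).decode()

def parse_response(b64):
    """Server side: return (mechanism, user, token) or raise ValueError."""
    try:
        raw = base64.b64decode(b64, validate=True).decode("utf-8")
    except ValueError as exc:  # bad base64 or bad UTF-8
        raise ValueError("not base64-encoded UTF-8") from exc
    if not raw.endswith(SEP + SEP):
        raise ValueError("missing terminator")
    fields = raw[:-2].split(SEP)
    mech, user = "XOAUTH2", None
    if fields[0].startswith("n,"):  # GS2 header marks OAUTHBEARER
        mech = "OAUTHBEARER"
        authzid = fields.pop(0).split(",")[1]
        if authzid.startswith("a="):
            # unescape ',' first so an encoded '=' cannot form a new "=2C"
            user = authzid[2:].replace("=2C", ",").replace("=3D", "=")
    kv = dict(f.partition("=")[::2] for f in fields)
    if mech == "XOAUTH2":
        user = kv.get("user")
    scheme, _, token = kv.get("auth", "").partition(" ")
    if scheme.lower() != "bearer" or not token or not user:
        raise ValueError("user or bearer token missing")
    # The token is still unverified here: the server must check it with the
    # identity provider (introspection or signature validation) before login.
    return mech, user, token
```

The parser only establishes who the client claims to be and which token it presented; any second factor is enforced by the identity provider when it issues the token, not by the mail server.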