by dejan 2041 days ago
Posteo is not very transparent there. They do not mention SMTP/IMAP/POP access on their 2FA docs. 2FA is not supported by any email client for generic IMAP/POP/SMTP[1]. Just think of that experience, providing a token on every sync or sending. This is why we sometimes take such a harsh stand in our copy. You need to tell users about these things and not throw marketing BS counting on information asymmetry.

We (Migadu) do support TOTP + Yubikey on the admin account. We also support TOTP on the webmail just like Posteo does. However, we call that B.S. ourselves and are working on a real solution for mailboxes.

If you do set up 2FA on Posteo, how is your e.g. IMAP access protected? They most likely offer an app-specific password which is very different from 2FA. We do those too, they are called _identities_ in our context.

We have a long and bumpy road behind and ahead of us, but one thing we made clear on day one is that we will not B.S. users. Email is not perfect, it has serious conceptual issues due to its age, but one should not go about it as "there we fixed it!" (Hey hey.com!)

[1] https://security.stackexchange.com/questions/173807/does-ima...


> You have been misled by Posteo intentionally it seems.

I don't like such tone.

TL;DR I didn't verify how Posteo's TOTP works.

FWIW, I've never used Posteo; I have some German friends who are happy with it. I'm staying local, using Soverin as my primary e-mail provider.

The reason for using a token for authorization is that the user can revoke the token (e.g. when a device is lost), instead of having to change their password. These are indeed not TOTP because they are not time-based, nor do they depend on another factor (i.e. password); they replace that factor. It is indeed dishonest to call such a thing MFA/2FA.

It's perfectly possible to get IMAP to work with TOTP though. For example, you can use PAM to authenticate, and PAM can use TOTP or FIDO2 (ignoring the issues with PAM; every major OS barring OpenBSD uses it). We use something similar for OpenVPN because of an ISO 27k1 requirement.

I don't trust webmail at all because I don't audit the JavaScript. Nor can I verify that on every visit. Same issue with OpenPGP.js. Then again, I also don't trust e-mail authenticity because the protocol is broken by design, and nobody has come up with a suitable alternative. Which is why I wouldn't pay much for it; as I would not and do not use it much, since it's fundamentally broken. For example, at rest and in transit there is not enough data integrity/authenticity.

A lot of people are using a weak password as first factor, btw. Do you protect against such?
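The revocable per-device token the comment above describes (Migadu's "identities", Posteo's app-specific passwords) can be modelled in a few lines. This is an added example, not code from either provider: a hypothetical `DeviceTokenStore` that issues one random secret per device, keeps only a salted PBKDF2 hash of it, and lets a single device be revoked without touching the account password. It also shows why this is a password replacement rather than a second factor: `verify` needs nothing but the token itself.

```python
import hashlib
import hmac
import os
import secrets

# PBKDF2 work factor; chosen for the example, a production mail server would tune
# this against its login rate since IMAP clients reconnect frequently.
PBKDF2_ROUNDS = 100_000


def _digest(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


class DeviceTokenStore:
    """Per-device mail passwords (hypothetical in-memory store).

    Each device gets its own random credential. Only a salted hash is kept, so a
    database leak does not reveal usable tokens, and a lost device is handled by
    revoking its token rather than rotating the user's real password.
    """

    def __init__(self) -> None:
        # token_id -> {"label", "salt", "digest", "revoked"}
        self._tokens: dict[str, dict] = {}

    def issue(self, label: str) -> tuple[str, str]:
        """Create a token for one device; the plaintext is returned exactly once."""
        token_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(24)
        salt = os.urandom(16)
        self._tokens[token_id] = {
            "label": label,
            "salt": salt,
            "digest": _digest(secret, salt),
            "revoked": False,
        }
        # The client stores "<id>.<secret>" as its IMAP/SMTP password.
        return token_id, f"{token_id}.{secret}"

    def verify(self, presented: str) -> bool:
        """What the IMAP/SMTP auth backend would call with the client's password."""
        token_id, sep, secret = presented.partition(".")
        if not sep:
            return False
        rec = self._tokens.get(token_id)
        if rec is None or rec["revoked"]:
            return False
        # Constant-time comparison of the recomputed hash.
        return hmac.compare_digest(_digest(secret, rec["salt"]), rec["digest"])

    def revoke(self, token_id: str) -> bool:
        """Invalidate one device's credential; other devices keep working."""
        rec = self._tokens.get(token_id)
        if rec is None:
            return False
        rec["revoked"] = True
        return True

    def active_labels(self) -> list[str]:
        return [r["label"] for r in self._tokens.values() if not r["revoked"]]


def demo() -> dict:
    """Issue two device tokens, lose the phone, revoke only that one."""
    store = DeviceTokenStore()
    phone_id, phone_pw = store.issue("phone")
    _laptop_id, laptop_pw = store.issue("laptop")
    before = store.verify(phone_pw) and store.verify(laptop_pw)
    store.revoke(phone_id)
    return {
        "both_valid_before_revoke": before,
        "phone_after_revoke": store.verify(phone_pw),
        "laptop_after_revoke": store.verify(laptop_pw),
        "garbage_rejected": store.verify("not-a-token"),
        "active": store.active_labels(),
    }


if __name__ == "__main__":
    print(demo())
```

The trade-off the thread is circling is visible in `verify`: anyone holding the token string has full mailbox access until it is revoked, which is exactly the single-factor property that makes calling it "2FA" misleading.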

> I don't like such tone.

Corrected; no intention to set a "tone", just pointing out that information is intentionally omitted.

> Its perfectly possible to get IMAP to work with TOTP

Yes, but that's not available in generally available email clients. There are OTP extensions to IMAP.

> I don't trust webmail at all because I don't audit the JavaScript

This. We are working on one that uses no JS, or only conditionally for enhancements.

> Then again, I also don't trust e-mail authenticity because the protocol is broken by design, and nobody has come up with a suitable alternative.

Glad I am not the only one thinking that =)

> A lot of people are using a weak password as first factor, btw. Do you protect against such?

No, we set a minimum 6-char password. However we think it is less secure to have a complex one you cannot remember than one of average strength.

> Corrected, not intention to make a "tone", just pointing out that information is intentionally omitted.

Cheers.

It seems we agree on a lot of things (though I believe 6 char is a bit on the low end for a password).

> Yes, but that's not available in generally available email clients. There are OTP extensions to IMAP.

With regards to TOTP, if the IMAP server can auth via PAM, then you can use a TOTP extension in PAM (OATH IIRC). It does mean the user cannot auto refresh their e-mail as they'd need to enter the TOTP after a timeout again. If you combine that with the fact that people often use a TOTP client such as Google Authenticator on their smartphone, then it doesn't make their smartphone with e-mail client more secure. It would, however, allow a user to use a YubiKey as authentication method.