> You have been misled by Posteo intentionally it seems.

I don't like such tone. TL;DR I didn't verify how Posteo's TOTP works. FWIW, I've never used Posteo; I have some German friends who are happy with it. I'm staying local, using Soverin as my primary e-mail provider. The reason for using a token for authorization is that the user can revoke the token (e.g. when a device is lost), instead of having to change their password. These are indeed not TOTP because they are not time-based, nor do they depend on another factor (i.e. password); they replace that factor. It is indeed dishonest to call such MFA/2FA. It's perfectly possible to get IMAP to work with TOTP though. For example, you can use PAM to authenticate, and PAM can use TOTP or FIDO2 (ignoring the issues with PAM; every major OS barring OpenBSD uses it). We use something similar for OpenVPN because of the requirements of ISO 27k1. I don't trust webmail at all because I don't audit the JavaScript. Nor can I verify that on every visit. Same issue with OpenPGP.js. Then again, I also don't trust e-mail authenticity because the protocol is broken by design, and nobody has come up with a suitable alternative. Which is why I wouldn't pay much for it; as I would not and do not use it much, since it's fundamentally broken. For example, at rest and in transit there is not enough data integrity/authenticity. A lot of people are using a weak password as first factor, btw. Do you protect against such?
Corrected; no intention to make a "tone", just pointing out that information is intentionally omitted.

> It's perfectly possible to get IMAP to work with TOTP
Yes, but that's not available in generally available email clients. There are OTP extensions to IMAP.
> I don't trust webmail at all because I don't audit the JavaScript
This. We are working on one that uses no JS, or only conditionally for enhancements.
> Then again, I also don't trust e-mail authenticity because the protocol is broken by design, and nobody has come up with a suitable alternative.
Glad I am not the only one thinking that =)
> A lot of people are using a weak password as first factor, btw. Do you protect against such?
No, we set a minimum 6-char password. However, we think it is less secure to have a complex one you cannot remember than one of average strength.
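The distinction the thread draws between time-based codes and revocable per-device tokens, as an added example that is not code from either commenter or from Posteo: a minimal RFC 6238 TOTP generator and skew-tolerant verifier beside a token store that is random rather than time-based and can be revoked per device without changing the password. The `AppTokenStore` class and its method names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import struct

# RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation.
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

# RFC 6238 TOTP: the counter is Unix time divided by the step (30 s default).
def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    return hotp(secret, at // step, digits)

# Server-side check: accept the current step plus/minus `window` neighbours
# to tolerate clock skew; compare in constant time.
def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    return any(
        hmac.compare_digest(totp(secret, at + d * step, step, digits), code)
        for d in range(-window, window + 1)
    )

# Per-device app tokens as described in the thread (hypothetical store):
# random, not time-based, kept only as a hash, revocable individually.
class AppTokenStore:
    def __init__(self) -> None:
        self._by_hash: dict[str, str] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, device: str) -> str:
        token = secrets.token_urlsafe(32)  # shown to the user once
        self._by_hash[self._digest(token)] = device
        return token

    def check(self, token: str):
        # Returns the device label the token was issued for, or None.
        return self._by_hash.get(self._digest(token))

    def revoke(self, device: str) -> int:
        doomed = [h for h, d in self._by_hash.items() if d == device]
        for h in doomed:
            del self._by_hash[h]
        return len(doomed)
```

The TOTP functions reproduce the RFC 6238 test vectors for the 20-byte ASCII seed, so the verifier can be checked against known values before wiring it behind PAM or an IMAP SASL mechanism.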