> I don't like such tone.

Corrected; no intention to make a "tone", just pointing out that information is intentionally omitted.

> It's perfectly possible to get IMAP to work with TOTP

Yes, but that's not available in generally available email clients. There are OTP extensions to IMAP.

> I don't trust webmail at all because I don't audit the JavaScript

This. We are working on one that uses no JS, or only conditionally for enhancements.

> Then again, I also don't trust e-mail authenticity because the protocol is broken by design, and nobody has come up with a suitable alternative.

Glad I am not the only one thinking that =)

> A lot of people are using a weak password as first factor, btw. Do you protect against such?

No, we set a minimum 6 char password. However, we think it is less secure to have a complex one you cannot remember than one of average strength.
Cheers.
It seems we agree on a lot of things (though I believe 6 char is a bit on the low end for a password).
> Yes, but that's not available in generally available email clients. There are OTP extensions to IMAP.
With regards to TOTP, if the IMAP server can auth via PAM, then you can use a TOTP extension in PAM (OATH IIRC). It does mean the user cannot auto-refresh their e-mail, as they'd need to enter the TOTP again after a timeout. If you combine that with the fact that people often use a TOTP client such as Google Authenticator on their smartphone, then it doesn't make their smartphone with the e-mail client more secure. It would, however, allow a user to use a YubiKey as an authentication method.