by Fnoord 2041 days ago
> Corrected, not intention to make a "tone", just pointing out that information is intentionally omitted.

Cheers.

It seems we agree on a lot of things (though I believe 6 char is a bit on the low end for a password).

> Yes, but that's not available in generally available email clients. There are OTP extensions to IMAP.

With regard to TOTP, if the IMAP server can auth via PAM, then you can use a TOTP extension in PAM (OATH IIRC). It does mean the user cannot auto-refresh their e-mail, as they'd need to enter the TOTP again after a timeout. If you combine that with the fact that people often use a TOTP client such as Google Authenticator on their smartphone, then it doesn't make their smartphone with an e-mail client more secure. It would, however, allow a user to use a YubiKey as an authentication method.