[k_roy]

This is a bit of an interesting take from: https://www.migadu.com/procon/

"We could enable 2FA on the webmail, but IMAP/POP/SMTP accesses remain unprotected which beats the purpose. We are working on solution here which will allow sand-boxing a username/password pair to a webmail use only."

That's an incredibly misguided sentiment

[dejan]

Why?

[k_roy]

Because it's the difference between someone gaining access to a single mailbox versus the whole config.

[dejan]

I think you're reading that wrong. It's an issue with the protocol. IMAP/SMTP as implemented in most clients do not support 2FA. You can add 2FA on your own on the webmail, but you could still circumvent it by using the protocol directly. It's not a Migadu-specific thing.