Concerns about "Two Factor Authentication" that need to be addressed.

webshaun
Posts: 244
Joined: Wed May 25, 2005 8:37 pm
Location: NJ

Post by webshaun » Sat Oct 08, 2016 5:08 pm

I'm thankful that ME has decided to enhance security with two-factor authentication, but I have some major concerns.

The implementation is so limited that it only protects the webmail interface. If a password is obtained by an unauthorized user, they only have to use another protocol to gain full access to the account. SMTP/ActiveSync/POP3/IMAP - all of your other interfaces must be two factor aware.

This is going to mean implementing "application passwords" and settings. If a user enables 2 factor, their primary account password shouldn't be available to use on protocols that do not support multi authentication. The system should create a long, complex "application password" that would be the only password accepted by these other protocols. That way there is at least far less chance that a brute force attack would ever be successful.

There needs to be an option to challenge (Prompt on new IP address, or 30 days). Since I can't deauthorize IPs through webmail, I want an option to expire after 30 days.

Thank you for your attention to these serious concerns.
---
Shaun Rieman
Advanced Micro Technologies, LLC
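
The application-password policy proposed in the post above, as an added sketch that is not part of the thread and is not MailEnable's code. The `Account` class, the `authenticate` function, the protocol names in `LEGACY_PROTOCOLS` and the PBKDF2 parameters are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Protocols the post lists as having no second-factor step (assumed names).
LEGACY_PROTOCOLS = {"smtp", "imap", "pop3", "activesync"}


def _digest(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)


class Account:
    """Hypothetical account record; not MailEnable's data model."""

    def __init__(self, password: str, two_factor: bool = False):
        self.salt = secrets.token_bytes(16)
        self.password_hash = _digest(password, self.salt)
        self.two_factor = two_factor
        self.app_passwords = {}  # label -> stored digest

    def issue_app_password(self, label: str) -> str:
        # 24 random bytes (192 bits); returned once, only the digest is kept.
        secret = secrets.token_urlsafe(24)
        self.app_passwords[label] = _digest(secret, self.salt)
        return secret

    def revoke_app_password(self, label: str) -> None:
        self.app_passwords.pop(label, None)


def authenticate(account: Account, protocol: str, secret: str) -> str:
    """Return 'ok', 'need_second_factor' or 'denied'."""
    candidate = _digest(secret, account.salt)
    primary_ok = hmac.compare_digest(candidate, account.password_hash)
    # Compare against every stored digest (list, so no early exit).
    app_ok = any([hmac.compare_digest(candidate, d)
                  for d in account.app_passwords.values()])
    if protocol.lower() in LEGACY_PROTOCOLS:
        if account.two_factor:
            # The primary password is refused here even when it is correct.
            return "ok" if app_ok else "denied"
        return "ok" if (primary_ok or app_ok) else "denied"
    # Web interface: application passwords are not accepted; the primary
    # password leads to the second-factor prompt when 2FA is enabled.
    if not primary_ok:
        return "denied"
    return "need_second_factor" if account.two_factor else "ok"
```

Each application password is stored under its own label, so a lost device can be cut off with `revoke_app_password` without changing the primary password or the other devices' credentials.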

MailEnable-Ian
Site Admin
Posts: 8466
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Concerns about "Two Factor Authentication" that need to be addressed.

Post by MailEnable-Ian » Sun Oct 09, 2016 11:43 pm

Hi Shaun,

The principal motivator for 2FA was to protect SYSADMIN accounts now that platform management features are available within Web Administration. Unfortunately SMTP, IMAP, EAS, etc. do not have 2FA SASL mechanisms built into their protocols (and clients do not support custom authentication providers with any consensus). A protocol-specific password mechanism is the only practical way of providing enhanced security for these protocols (as you have said). We are working on an implementation for providing more security for those protocols.
Regards,

Ian Margarone
MailEnable Support

michaelsowa
Posts: 13
Joined: Tue Jun 21, 2005 2:05 pm
Location: Chester, UK

Re: Concerns about "Two Factor Authentication" that need to be addressed.

Post by michaelsowa » Wed Jul 12, 2017 11:56 pm

Have there been any further advancements on this? I also find two factor authentication pointless as it's only for the web interface. I would like application-specific passwords like I have for my Google account and Gmail.
The Good Will out - Embrace
