Is multi factor authentication practical/feasible?
Rick Romero
rick at havokmon.com
Fri Jul 1 21:28:57 UTC 2022
Quoting Jochen Bern <Jochen.Bern at binect.de>:
> On 27.06.22 00:52, Steve Dondley wrote:
>> I have a small client whose insurance company insists they have MFA
>> for their email to be covered under some kind of data protection
>> policy. Currently I have the client set up on a Debian box for the
>> email server coupled with roundcube for webmail. Most of the users
>> just use roundcube but some also use their mobile devices to check
>> email. Maybe one person uses outlook. There’s about 5 to 10 users
>> total.
>>
>> I know roundcube offers a MFA plugin. But I don’t have the foggiest
>> idea how an iPhone, Android device, or Outlook could all be set
>> up to work with MFA with a standard dovecot/postfix setup. Are
>> there any practical solutions for easily implementing MFA that
>> could work across multiple devices?
>
> *Totally* theorizing here, but as far as I'm aware, the SMTP (AUTH),
> POP, and IMAP protocol definitions do not provide elbow room to make
> *two* rounds of authentication. (Ever pondered why the admin can
> require O365 users to "use 2FA", but users then are still allowed to
> create "application passwords", note plural and lack of standard
> password features like a limited lifetime for those?)
I implemented PrivacyIdea as a backend auth mechanism for dovecot once
in the past.
I honestly don't recall the details, and I wasn't sure how to do it
dynamically with multiple domains, but one domain worked fine. It was
due to the PI 'realm' separator being @, and using full email
addresses for the username.
I believe I used OTP for the user's webmail password and 'device
password' for imap/smtp.
Rick
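The split Rick describes (an OTP-backed login for the interactive webmail session, and separate device passwords for the IMAP/SMTP clients that cannot do a second authentication round, with the full e-mail address as username and '@' as the realm separator) can be sketched as a small authentication backend. The code below is an added illustration written for this page; it is not Rick's setup, nor dovecot or PrivacyIDEA code, and it makes these assumptions: the webmail login sends the static password with the six-digit OTP appended (PIN+OTP concatenation), device passwords are random, scoped to a protocol list and stored as PBKDF2 hashes, and the user store, the `authenticate` function and the sample user `alice@example.org` are all constructed for the example. The TOTP secret is the RFC 6238 reference secret so the expected code is checkable.

```python
"""Split-credential auth backend sketch: OTP for webmail, scoped device
passwords for IMAP/SMTP.  Hypothetical example, not dovecot/PrivacyIDEA code."""
import hashlib
import hmac
import secrets
import struct

REALM_SEPARATOR = "@"        # the post notes the PI realm separator is '@'
OTP_DIGITS = 6
OTP_STEP = 30                # seconds per TOTP step
OTP_WINDOW = 1               # accept one step of clock skew either way
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = OTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, window: int = OTP_WINDOW) -> bool:
    """Check the code against the current step and +/- window steps."""
    counter = at // OTP_STEP
    ok = False
    for c in range(counter - window, counter + window + 1):
        # evaluate every candidate so timing does not reveal which step matched
        ok |= hmac.compare_digest(hotp(secret, c), code)
    return ok


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def new_device_password(services) -> tuple:
    """Issue a random device password usable only for the listed protocols."""
    plaintext = secrets.token_urlsafe(18)
    salt, digest = hash_password(plaintext)
    return plaintext, {"salt": salt, "digest": digest, "services": frozenset(services)}


def split_realm(username: str) -> tuple:
    """Full e-mail address as login: text after the last '@' is the realm."""
    if REALM_SEPARATOR not in username:
        raise ValueError("expected user@domain")
    login, _, realm = username.rpartition(REALM_SEPARATOR)
    return login, realm


def authenticate(users: dict, service: str, username: str, credential: str, now: int) -> bool:
    """Route the check by service: webmail needs password+OTP, mail clients a device password."""
    login, realm = split_realm(username)
    user = users.get(realm, {}).get(login)
    if user is None:
        return False
    if service == "webmail":
        # two factors on the interactive login: static password followed by the OTP
        if len(credential) <= OTP_DIGITS:
            return False
        static, otp = credential[:-OTP_DIGITS], credential[-OTP_DIGITS:]
        return (check_password(static, *user["password"])
                and verify_totp(user["otp_secret"], otp, now))
    # IMAP/SMTP cannot do a second round, so they only get scoped device passwords
    for dev in user["devices"]:
        if service in dev["services"] and check_password(credential, dev["salt"], dev["digest"]):
            return True
    return False


# Constructed sample store: one user, one device password limited to imap/smtp.
RFC6238_SECRET = b"12345678901234567890"          # RFC 6238 reference secret
DEVICE_PW, DEVICE_RECORD = new_device_password({"imap", "smtp"})
USERS = {
    "example.org": {
        "alice": {
            "password": hash_password("correct horse"),
            "otp_secret": RFC6238_SECRET,
            "devices": [DEVICE_RECORD],
        }
    }
}
```

With the RFC 6238 reference secret the six-digit code at time 59 is 287082, so `authenticate(USERS, "webmail", "alice@example.org", "correct horse287082", 59)` succeeds while the same static password alone, or the device password, is refused on webmail; conversely the device password opens IMAP but the webmail credentials do not, which is the property that makes the device password a lower-privilege credential rather than a second copy of the account password. In a real deployment the device-password list per user would also carry a creation date and a revoke action, addressing the lifetime concern raised in the quoted reply.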