Is multi factor authentication practical/feasible?

Michael Ströder michael at
Sat Jul 2 09:58:48 UTC 2022

On 7/2/22 10:15, Marc wrote:
> The two factor became necessary for the big 'moron' companies who
> decided to start using email addresses as logins so it was easier to
> track people, because in that situation you only have to try commonly
> used passwords or passwords used at a different application.
Maybe some companies are using e-mail addresses for tracking. But I can 
tell you that most times users want to use their e-mail address for 
login because that's what they easily memorize.

> If you stay with an username that is not published publicly, the 
> commonly known password is still useless, since you do not have the 
> username.
Whether that protects you depends on your threat model.

In my world I regard the confidentiality of usernames to be near zero. 
And I'm in the camp who recommends not to use usernames based on person 
names (unguessable or even completely random).

> Unless of course they do not think ios and windows are not secure
> enough to store your username ;)

Indeed my threat model includes breaches concerning the local storage of 
all sort of MUAs. Unfortunately there's currently no real solution for this.

Ciao, Michael.

More information about the dovecot mailing list