Is multi factor authentication practical/feasible?

John Gateley dovecot at jfoo.net
Sun Jul 3 13:31:19 UTC 2022



On 7/1/22 1:02 PM, Jochen Bern wrote:
> On 27.06.22 00:52, Steve Dondley wrote:
>> I have a small client whose insurance company insists they have MFA 
>> for their email to be covered under some kind of data protection policy.
> *Totally* theorizing here, but as far as I'm aware, the SMTP (AUTH), 
> POP, and IMAP protocol definitions do not provide elbow room to make 
> *two* rounds of authentication.

What Jochen said.

The protocols were designed long before SAML and OIDC. SAML/OIDC give you more control over authn/z and allow easily adding in MFA or other different types of auth. To do this right, you'd need to extend the protocol to allow OIDC or SAML.

As some have noted, you can shoehorn it in. But I would not recommend doing that. Adding security as a bolt-on ad hoc usually has holes.

But if you really wanted to do this, I'd suggest something like:

  * Extend dovecot to use an OIDC access token instead of a
    username/password.
  * Set up an IDP with your connection, defining credentials as well as
    MFA info
  * Set up the IDP with an API - this is the API for generating the
    access token used by dovecot
  * Extend Thunderbird or your mail app to use the IDP to get the access
    token, then use that to connect to Dovecot.

So this sounds kind of cool to me. If you want a little help setting it 
up with Auth0, ping me off list.


John
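
Steps 1 and 3 of the sketch above (the IdP minting an access token, Dovecot accepting it in place of a password) come down to the mail server validating that token before mapping it to a mailbox. The following is an added example, not code from this thread or from Dovecot: it uses a constructed HS256-signed JWT with placeholder issuer, audience and secret values so it runs offline; production OIDC tokens are normally RS256-signed and checked against the IdP's published JWKS, so that part is the piece to swap.

```python
import base64, hashlib, hmac, json, time

# Constructed placeholders; a real deployment takes these from the IdP's discovery document.
ISSUER = "https://idp.example.invalid/"
AUDIENCE = "imap.example.invalid"
SECRET = b"constructed-demo-secret"  # HS256 shared key for the demo only; real IdPs use RS256 + JWKS

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub: str, amr: list, lifetime: int = 600, now=None) -> str:
    """Stand-in for the IdP's token API: mint a short-lived JWT carrying the
    subject and the 'amr' (authentication methods) claim the server will check."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"iss": ISSUER, "aud": AUDIENCE, "sub": sub,
                                  "amr": amr, "iat": now, "exp": now + lifetime}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, now=None):
    """Server-side check: return the mailbox user if the token is genuine, unexpired,
    meant for this server and backed by MFA; otherwise None (reject the login)."""
    now = int(time.time()) if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))
        sig = _b64url_decode(s64)
    except ValueError:  # malformed structure, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") != "HS256":
        return None  # pin the algorithm; never accept alg=none or a key-type switch
    expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    amr = claims.get("amr")
    if not isinstance(amr, list) or "mfa" not in amr:  # password-only sessions do not satisfy the policy
        return None
    return claims.get("sub")
```

The `amr` check is what turns "the IdP authenticated someone" into "the IdP authenticated them with MFA", which is the property the insurer is actually asking for.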

