Is multi factor authentication practical/feasible?
Jochen Bern
Jochen.Bern at binect.de
Wed Jul 6 16:05:45 UTC 2022
On 01.07.22 20:02, Jochen Bern wrote:
> *Totally* theorizing here, but as far as I'm aware, the SMTP (AUTH),
> POP, and IMAP protocol definitions do not provide elbow room to make
> *two* rounds of authentication. (Ever pondered why the admin can require
> O365 users to "use 2FA", but users then are still allowed to create
> "application passwords", note plural and lack of standard password
> features like a limited lifetime for those?)
On 04.07.22 21:29, Michael Peddemors wrote:
> The only problem is, having looked at several of these insurance
> companies forms, it is almost as if a o365 sales person wrote the requirements.
On 04.07.22 22:23, gene heskett wrote:
> This seems to be a place where the ITEF (IETF?) has seriously dropped
> the ball. They do not well understand the chaos that will be created if
> THEY do not set a cast iron std that even Redmond can follow or go home.
> I don't think we can scream that too loud if THEY don't get off the dime
> and do something toward setting a standard.
Speak of the devil ...
Today, our company got hit by the
48h-unless-your-admins-abort-it-for-NOW rolling outages O365 does as an
(un)friendly reminder that (what THEY call) "Basic Authentication" will
be disabled on 01-Oct:
https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online#re-enabling-and-opting-out-of-proactive-protection
Apparently, they already wrote and published standards on how the world
shall introduce "Modern Authentication" (OAuth 2.0) into protocols like
POP and IMAP:
https://docs.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth
As far as I can see from what I tested today (mainly switching my
Thunderbird from "Normal Password" to "OAuth"), clients effectively
*have* to be "also a browser" (rendering the HTML for O365's login
prompts, accepting and sending user input, storing the OAuth token as an
HTTP cookie) to be able to do that. SMTP remains exempt from the
requirement for now, on the theory that printers and the like may want
to use it, and not be up to implementing the new stuff. (Otherwise, MS'
position can be summarized as "our clients work great, Thunderbird
succeeded in implementing it, if your client doesn't, go nag the vendor".)
I wonder when our ticket systems apparently ceased handling e-mails (via
SMTP *and IMAP*) outside our office hours so as *not* to qualify for a
similar exception.
Please excuse me for the rest of the day, I need to incinerate a
neighbor-of-Nintendo-shaped effigy at today's company BBQ ...
Regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
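As an added example (not code from the post, from Dovecot or from Microsoft), here is what a mail client actually puts on the wire once the browser-style login has yielded an access token: the SASL XOAUTH2 initial response that the linked Microsoft document specifies for IMAP/POP, plus the inverse parser a server or proxy would use to check the format before trusting the bearer token. The user name and token are constructed placeholders.

```python
import base64

# Constructed sample values, not real credentials.
SAMPLE_USER = "alice@example.com"
SAMPLE_TOKEN = "PLACEHOLDER_ACCESS_TOKEN"

def xoauth2_initial_response(user: str, access_token: str) -> str:
    """Build the base64 SASL XOAUTH2 payload: user=<u>^Aauth=Bearer <t>^A^A (^A = 0x01).

    The whole thing is just a bearer credential wrapped in base64, so it
    deserves the same handling as a password (TLS only, never logged).
    """
    if "\x01" in user or "\x01" in access_token:
        raise ValueError("0x01 is the field separator and may not appear in user or token")
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")

def parse_xoauth2_initial_response(payload: str) -> dict:
    """Decode a payload and return its fields ('user', 'auth', 'token').

    Rejects anything that is not the documented shape, so a server-side
    component does not pass a malformed blob on to the token validator.
    """
    raw = base64.b64decode(payload, validate=True).decode("utf-8")
    if not raw.endswith("\x01\x01"):
        raise ValueError("payload must end with two 0x01 bytes")
    fields = {}
    for part in raw[:-2].split("\x01"):
        key, sep, value = part.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed field: {part!r}")
        fields[key] = value
    auth = fields.get("auth", "")
    if not auth.startswith("Bearer ") or len(auth) <= len("Bearer "):
        raise ValueError("auth field must carry a non-empty Bearer token")
    if "user" not in fields:
        raise ValueError("user field is required")
    fields["token"] = auth[len("Bearer "):]
    return fields

def imap_authenticate_line(tag: str, user: str, access_token: str) -> str:
    """The one-line IMAP form with initial response, e.g. 'A01 AUTHENTICATE XOAUTH2 <b64>'."""
    return f"{tag} AUTHENTICATE XOAUTH2 {xoauth2_initial_response(user, access_token)}"

if __name__ == "__main__":
    print(imap_authenticate_line("A01", SAMPLE_USER, SAMPLE_TOKEN))
```

Note that nothing here replaces the interactive OAuth login the post describes; the client still has to obtain the token through the provider's web flow first.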