Is multi factor authentication practical/feasible?

Jochen Bern Jochen.Bern at binect.de
Wed Jul 6 16:05:45 UTC 2022


On 01.07.22 20:02, Jochen Bern wrote:
> *Totally* theorizing here, but as far as I'm aware, the SMTP (AUTH), 
> POP, and IMAP protocol definitions do not provide elbow room to make 
> *two* rounds of authentication. (Ever pondered why the admin can require 
> O365 users to "use 2FA", but users then are still allowed to create 
> "application passwords", note plural and lack of standard password 
> features like a limited lifetime for those?)


On 04.07.22 21:29, Michael Peddemors wrote:
> The only problem is, having looked at several of these insurance
> companies' forms, it is almost as if an O365 sales person wrote the requirements.


On 04.07.22 22:23, gene heskett wrote:
> This seems to be a place where the ITEF (IETF?) has seriously dropped
> the ball. They do not well understand the chaos that will be created if
> THEY do not set a cast iron std that even Redmond can follow or go home.
> I don't think we can scream that too loud if THEY don't get off the dime
> and do something toward setting a standard.


Speak of the devil ...

Today, our company got hit by the 
48h-unless-your-admins-abort-it-for-NOW rolling outages O365 does as an 
(un)friendly reminder that (what THEY call) "Basic Authentication" will 
be disabled on 01-Oct:

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online#re-enabling-and-opting-out-of-proactive-protection

Apparently, they already wrote and published standards on how the world 
shall introduce "Modern Authentication" (OAuth 2.0) into protocols like 
POP and IMAP:

https://docs.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth

As far as I can see from what I tested today (mainly switching my 
Thunderbird from "Normal Password" to "OAuth"), clients effectively 
*have* to be "also a browser" (rendering the HTML for O365's login 
prompts, accepting and sending user input, storing the OAuth token as an 
HTTP cookie) to be able to do that. SMTP remains exempt from the 
requirement for now, on the theory that printers and the like may want 
to use it, and not be up to implementing the new stuff. (Otherwise, MS' 
position can be summarized as "our clients work great, Thunderbird 
succeeded in implementing it, if your client doesn't, go nag the vendor".)

I wonder when our ticket systems apparently ceased handling e-mails (via 
SMTP *and IMAP*) outside our office hours so as *not* to qualify for a 
similar exception.

Please excuse me for the rest of the day, I need to incinerate a 
neighbor-of-Nintendo-shaped effigy at today's company BBQ ...

Regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
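To make the "single round of authentication" point above concrete at the protocol level, here is an added example (not from the post, and not Microsoft's or Dovecot's code) of the SASL XOAUTH2 initial response that the linked Microsoft document specifies for IMAP/POP/SMTP: the client-side encoder, a strict server-side parser, and a toy handler for the tagged IMAP `AUTHENTICATE XOAUTH2` command. User names, tokens and the token-validity table are constructed stand-ins.

```python
import base64

SEP = "\x01"  # control-A, the field separator used by SASL XOAUTH2


def build_xoauth2(user: str, access_token: str) -> str:
    """Client side: base64("user=" + user + "^Aauth=Bearer " + token + "^A^A")."""
    raw = f"user={user}{SEP}auth=Bearer {access_token}{SEP}{SEP}"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_xoauth2(initial_response: str) -> dict:
    """Server side: decode and strictly validate the initial response.

    Raises ValueError on anything malformed; the server must not guess at
    partially valid input. The token itself is opaque here: whether it is
    genuine/expired is decided by the issuer (introspection or JWT checks).
    """
    try:
        raw = base64.b64decode(initial_response, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("initial response is not valid base64/UTF-8") from exc
    if not raw.endswith(SEP + SEP):
        raise ValueError("missing terminating ^A^A")
    fields = raw[:-2].split(SEP)
    if len(fields) != 2:
        raise ValueError("expected exactly two ^A-separated fields")
    user_field, auth_field = fields
    if not user_field.startswith("user=") or not auth_field.startswith("auth=Bearer "):
        raise ValueError("fields must be 'user=<addr>' and 'auth=Bearer <token>'")
    user, token = user_field[len("user="):], auth_field[len("auth=Bearer "):]
    if not user or not token or any(c in token for c in " \r\n"):
        raise ValueError("empty user/token or illegal characters in token")
    return {"user": user, "token": token}


def handle_authenticate(line: str, valid_tokens: dict) -> str:
    """Toy IMAP server: one round, no continuation. valid_tokens is a
    constructed map of access token -> user it was issued to, standing in
    for real token validation. (Real servers answer a bad token with a
    '+ <base64 JSON>' continuation before the tagged NO; simplified here.)"""
    parts = line.strip().split(" ", 3)
    tag = parts[0] if parts and parts[0] else "*"
    if len(parts) != 4 or parts[1].upper() != "AUTHENTICATE" or parts[2].upper() != "XOAUTH2":
        return f"{tag} BAD only AUTHENTICATE XOAUTH2 is handled here"
    try:
        creds = parse_xoauth2(parts[3])
    except ValueError as exc:
        return f"{tag} NO AUTHENTICATE failed: {exc}"
    if valid_tokens.get(creds["token"]) != creds["user"]:
        return f"{tag} NO AUTHENTICATE failed: token invalid or not issued to this user"
    return f"{tag} OK AUTHENTICATE completed"
```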