Is multi factor authentication practical/feasible?
gene heskett
gheskett at shentel.net
Wed Jul 6 17:17:43 UTC 2022
On 7/6/22 12:09, Jochen Bern wrote:
> On 01.07.22 20:02, Jochen Bern wrote:
>> *Totally* theorizing here, but as far as I'm aware, the SMTP (AUTH),
>> POP, and IMAP protocol definitions do not provide elbow room to make
>> *two* rounds of authentication. (Ever pondered why the admin can
>> require O365 users to "use 2FA", but users then are still allowed to
>> create "application passwords", note plural and lack of standard
>> password features like a limited lifetime for those?)
>
>
> On 04.07.22 21:29, Michael Peddemors wrote:
>> The only problem is, having looked at several of these insurance
>> companies' forms, it is almost as if an o365 sales person wrote the
>> requirements.
>
>
> On 04.07.22 22:23, gene heskett wrote:
>> This seems to be a place where the ITEF (IETF?) has seriously dropped
>> the ball. They do not well understand the chaos that will be created if
>> THEY do not set a cast iron std that even Redmond can follow or go home.
>> I don't think we can scream that too loud if THEY don't get off the dime
>> and do something toward setting a standard.
>
>
> Speak of the devil ...
>
> Today, our company got hit by the
> 48h-unless-your-admins-abort-it-for-NOW rolling outages O365 does as
> an (un)friendly reminder that (what THEY call) "Basic Authentication"
> will be disabled on 01-Oct:
>
> https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online#re-enabling-and-opting-out-of-proactive-protection
>
>
> Apparently, they already wrote and published standards on how the
> world shall introduce "Modern Authentication" (OAuth 2.0) into
> protocols like POP and IMAP:
>
> https://docs.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth
>
>
> As far as I can see from what I tested today (mainly switching my
> Thunderbird from "Normal Password" to "OAuth"), Clients effectively
> *have* to be "also a browser" (rendering the HTML for O365's login
> prompts, accepting and sending user input, storing the OAuth token as
> an HTTP cookie) to be able to do that. SMTP remains exempt from the
> requirement for now, on the theory that printers and the like may want
> to use it, and not be up to implementing the new stuff. (Otherwise,
> MS' position can be summarized as "our clients work great, Thunderbird
> succeeded in implementing it, if your client doesn't, go nag the vendor".)
And one more time we have allowed a sworn enemy to set the standard,
shame on us.
>
> I wonder when our ticket systems apparently ceased handling e-mails
> (via SMTP *and IMAP*) outside our office hours so as *not* to qualify
> for a similar exception.
>
> Please excuse me for the rest of the day, I need to incinerate a
> neighbor-of-Nintendo-shaped effigy at today's company BBQ ...
>
> Regards,
Cheers, Gene Heskett.
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
- Louis D. Brandeis
Genes Web page <http://geneslinuxbox.net:6309/>