I have a small client whose insurance company insists they have MFA for their email to be covered under some kind of data protection policy. Currently I have the client set up on a Debian box for the email server coupled with Roundcube for webmail. Most of the users just use Roundcube, but some also use their mobile devices to check email. Maybe one person uses Outlook. There are about 5 to 10 users total.
I know Roundcube offers an MFA plugin. But I don't have the foggiest idea how an iPhone, Android device, or Outlook could all be set up to work with MFA with a standard Dovecot/Postfix setup. Are there any practical solutions for easily implementing MFA that could work across multiple devices?
*Totally* theorizing here, but as far as I'm aware, the SMTP (AUTH), POP, and IMAP protocol definitions do not provide elbow room to make *two* rounds of authentication. (Ever pondered why the admin can require O365 users to "use 2FA", but users are then still allowed to create "application passwords"? Note the plural, and the lack of standard password features, like a limited lifetime, for those.)
The two-factor became necessary for the big 'moron' companies who decided to start using email addresses as logins so it was easier to track people, because in that situation you only have to try commonly used passwords or passwords used at a different application. If you stay with a username that is not published publicly, the commonly known password is still useless, since you do not have the username. I think for a small organization you can push this implementation at the insurance company. Unless of course they think iOS and Windows are not secure enough to store your username ;)