Strategies for protecting IMAP (e.g. MFA)

Sam Kuper sampablokuper at posteo.net
Sun Nov 14 13:17:13 UTC 2021


On Sat, Nov 13, 2021 at 03:34:12PM -0800, lists wrote:
> [..] Now Yubikey at least has my attention. But people often leave the
> key plugged into their notebook. Very true with the Google equivalent
> which I have heard from Google employees. The keys themselves aren't
> exactly transferable, but when you have physical access then all bets
> are off.

Yubikeys are available in several form factors.  Not all of them can
readily be left plugged in - at least, not into a portable device.  The
larger Yubikeys stick out too far and would likely fall out or get
broken if left plugged in.

So, if you don't want laptop users leaving their keys in their devices,
give them larger-format Yubikeys.  (Or Nitrokeys, see below.)


> If some fool actually paid me to be sysadmin, I would use a
> Yubikey. [..]

Yubikeys are decent in many respects, but not entirely unproblematic:

https://en.wikipedia.org/w/index.php?title=YubiKey&oldid=1053509936#Security_issues

For portable hardware security tokens with a better security track
record (to my knowledge, anyway), see:

https://en.wikipedia.org/wiki/Nitrokey

https://www.nitrokey.com/


Also possibly of interest:

https://www.gniibe.org/category/fst-01.html

-- 
A: When it messes up the order in which people normally read text.
Q: When is top-posting a bad thing?

()  ASCII ribbon campaign. Please avoid HTML emails & proprietary
/\  file formats. (Why? See e.g. https://v.gd/jrmGbS ). Thank you.


More information about the dovecot mailing list