Is multi factor authentication practical/feasible?
gene heskett
gheskett at shentel.net
Mon Jul 4 20:23:49 UTC 2022
On 7/4/22 15:32, Michael Peddemors wrote:
> It IS possible to use 2FA on Dovecot, but it would be better if
> Dovecot supported options by Plugins to control what supported 2FA
> options are supported in the CAPABILITIES string. (Ongoing problem
> getting more power in the handles of 3rd party plugins for Dovecot,
> politics.. )
>
> HOWEVER, there are many ways if you 'roll your own' dovecot, eg can
> apply patches to the build process. We do this.
>
> Having said that, yes.. especially in North America this push by
> insurance agents for 2FA, is driven by the RansomWare problems, and
> gives an insurance company a way out..
>
> The only problem is, having looked at several of these insurance
> companies forms, it is almost as if a o365 sales person wrote the
> requirements. And even IF you apply a 2FA, (eg a 2nd factor) you
> might find that the insurance documents will not accept anything other
> than what their legal department defined as 2FA..
>
> The biggest problem, is not the use of 2FA, it is making 2FA
> transparent and simple enough for end users to adopt. End users don't
> want to mess with a second factor they have to add, or a hardware
> dongle, or giving their cel# out..
>
Which, as long as I'm the one paying for the service, isn't going to
happen. When they start paying my net bill, is when they can send me
spam. And not 1 millisecond before.
> And the industry has to come together, otherwise you will quickly find
> out insurance companies ONLY accept 2FA from one or two closed source
> companies..
>
> Which is why once again, I wish that Dovecot would take a leadership
> role in this, and allow more 3rd party plugins to be available to
> address this business need.
>
> (Oh, on the side, there ARE some ways you actually do 2FA
> transparently, but of course the email client has to understand it.
> But while you can do 'tricks' even in IMAP for 2FA, we need to think
> that the same method should work for ALL communication channels which
> utilize the same credentials, eg IMAP/SMTP/POP, even other things like
> caldav/carddav etc)
>
> -- Michael --
>
This seems to be a place where the ITEF (IETF?) has seriously dropped the
ball. They do not well understand the chaos that will be created if THEY
do not set a cast iron std that even Redmond can follow or go home. I
don't think we can scream that too loud if THEY don't get off the dime
and do something toward setting a standard. That is, according to what I
read, part of their job. So pester them until they do it. By whatever
means is at your disposal.
> On 2022-06-27 07:53, justina colmena ~biz wrote:
>> I don't see why not.
>>
>> Dovecot and Postfix are entirely configurable to connect to and use
>> any desired authentication mechanism through certain basic interfaces.
>>
>> The main problem I have experienced with MFA is a continual battle
>> with extortion, "long cons," and thievery in law -- that the thieves
>> are able to obtain one of the necessary factors for authentication --
>> a dongle or cell phone app or access to a cell phone number, or
>> surveillance intelligence on calls or texts, whatnot -- whether by
>> force or deception -- and then deny the targeted individual access to
>> his or her own account.
>>
>> Later on, after the victim has given up, the thieves are able to
>> obtain the other factors for authentication, and then proceed to
>> social-engineer a false account recovery using the victim's stolen
>> I.D. -- and then they often as not falsely report the victim to
>> gullible or complicit police forces as the thief.
>>
>> If the victim cannot be successfully accused of theft in court, the
>> "thieves in law" at work with inside help in government and law
>> enforcement communities are able to cast identity theft as a mental
>> illness akin to dissociative identity disorder -- to which the
>> government offers nothing but a mental health "recovery" plan which
>> does not include any actual recovery of the stolen assets in a
>> person's name.
>>
>> * https://www.identitytheft.gov/
>> * https://www.robodeidentidad.gov/
>>
>> Casting identity theft as a mental health issue further enables
>> thieves to take control of a victim's finances by possibly being
>> appointed as guardians or payees in court. For the same reasons of
>> legalized theft, extortion, and wrongful appropriation through state,
>> local, military and federal court systems, individuals with similar
>> names to known criminals are not allowed to hold significant assets
>> in their names or possess firearms or obtain employment in sensitive
>> positions in the United States.
>>
>> * https://en.wikipedia.org/wiki/Thief_in_law
>>
>> On Sunday, June 26, 2022 2:52:05 PM AKDT, Steve Dondley wrote:
>>> I have a small client whose insurance company insists they have MFA
>>> for their email to be covered under some kind of data protection
>>> policy. Currently I have the client set up on a Debian box for the
>>> email server coupled with roundcube for webmail. Most of the users just
>>> use roundcube but some also use their mobile devices to check email.
>>> Maybe one person uses outlook. There’s about 5 to 10 users total.
>>> I know roundcube offers a MFA plugin. But I don’t have the foggiest
>>> idea how an iPhone, Android device, or Outlook could all be set
>>> up to work with MFA with a standard dovecot/postfix setup. Are there
>>> any practical solutions for easily implementing MFA that could work
>>> across multiple devices?
Cheers, Gene Heskett.
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
- Louis D. Brandeis
Genes Web page <http://geneslinuxbox.net:6309/>