Is multi factor authentication practical/feasible?

gene heskett gheskett at shentel.net
Wed Jul 6 23:29:49 UTC 2022


On 7/6/22 18:15, Michael Peddemors wrote:
> On 2022-07-06 10:17, gene heskett wrote:
>>> As far as I can see from what I tested today (mainly switching my 
>>> Thunderbird from "Normal Password" to "OAuth"), Clients effectively 
>>> *have* to be "also a browser" (rendering the HTML for O365's login 
>>> prompts, accepting and sending user input, storing the OAuth token 
>>> as a HTTP cookie) to be able to do that. SMTP remains exempt from 
>>> the requirement for now, on the theory that printers and the like 
>>> may want to use it, and not be up to implementing the new stuff. 
>>> (Otherwise, MS' position can be summarized as "our clients work 
>>> great, Thunderbird succeeded in implementing it, if your client 
>>> doesn't, go nag the vendor".)
>
>
>> And one more time we have allowed a sworn enemy to set the standard, 
>> shame on us.
>
> Getting a little off topic, but yes.. I believe Dovecot also sees the 
> threat for all its users, if authentication processes are forced in a 
> direction that only favours the big three.
>
> Which is why I hope it gets more open with allowing 3rd parties to 
> contribute to Dovecot as plugins, that support other methods of 2FA..
>
> Sworn Enemy? Not if you have shares in your 401k/RRSP they aren't. 
> These are smart business moves to consolidate the market for them, 
> which in turn means stock prices go up.
>
Yes, many years ago, what little I knew about Windows NT 3.51 led me to
believe it had a timer set for a random number in the 2 to 4 year category,
that deleted its main dll when the timer expired. I put the drive in a
different machine and dug around in it after it failed in the night, and the
failure was costing us around 5g's a day in airing the wrong commercials for
our market area. I did find a suspicious shell script, but didn't find the
timer.

So time was of the essence and since it was a CBS supplied machine
I had no access to its license number so the support person refused to
supply the now missing library and called me a pirate several times during
our conversation. To this day I may be forced to buy a Windows license as
part of the sale, but the Windows install will be wiped when it arrives on
my property. So I either build my own, or buy used w/o a hard drive and
sticker. Old Dells, with Linux installed have a lot of miles left in them.

So other than that, we're on the same page.
> But it will be a terrible world, if interoperability between 
> independent email providers, and the big three are threatened, or if 
> they are forced to 'drink the koolaid'.
>
I can't drink the koolaid, way too much sugar and I'm a DM-II for nearly 40
years.
> But it is nice to see products like Thunderbird and others supporting 
> alternative means of 2FA, just like to see Dovecot support them as 
> well natively, or through plugins.
Since my own net provider's mail server is dovecot, and so far it Just
Works, I am happy but concerned because being the only game on this ball
of rock and water is BG's dream.
>
> Just my two bits..
>
Mine too. Take care and stay well, Michael Peddemors

Cheers, Gene Heskett.
-- 
"There are four boxes to be used in defense of liberty:
  soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
  - Louis D. Brandeis
Genes Web page <http://geneslinuxbox.net:6309/>


