Is multi factor authentication practical/feasible?

justina colmena ~biz justina at colmena.biz
Mon Jun 27 14:53:23 UTC 2022


I don't see why not.

Dovecot and Postfix are entirely configurable to connect to and use any 
desired authentication mechanism through certain basic interfaces.

The main problem I have experienced with MFA is a continual battle with 
extortion, "long cons," and thievery in law -- that the thieves are able to 
obtain one of the necessary factors for authentication -- a dongle or cell 
phone app or access to a cell phone number, or surveillance intelligence on 
calls or texts, whatnot -- whether by force or deception -- and then deny 
the targeted individual access to his or her own account.

Later on, after the victim has given up, the thieves are able to obtain the 
other factors for authentication, and then proceed to social-engineer a 
false account recovery using the victim's stolen I.D. -- and then they 
often as not falsely report the victim to gullible or complicit police 
forces as the thief.

If the victim cannot be successfully accused of theft in court, the 
"thieves in law" at work with inside help in government and law enforcement 
communities are able to cast identity theft as a mental illness akin to 
dissociative identity disorder -- to which the government offers nothing 
but a mental health "recovery" plan which does not include any actual 
recovery of the stolen assets in a person's name.

 * https://www.identitytheft.gov/
 * https://www.robodeidentidad.gov/

Casting identity theft as a mental health issue further enables thieves to 
take control of a victim's finances by possibly being appointed as 
guardians or payees in court. For the same reasons of legalized theft, 
extortion, and wrongful appropriation through state, local, military and 
federal court systems, individuals with similar names to known criminals 
are not allowed to hold significant assets in their names or possess 
firearms or obtain employment in sensitive positions in the United States.

 * https://en.wikipedia.org/wiki/Thief_in_law

On Sunday, June 26, 2022 2:52:05 PM AKDT, Steve Dondley wrote:
> I have a small client whose insurance company insists they have 
> MFA for their email to be covered under some kind of data 
> protection policy. Currently I have the client set up on a 
> Debian box for the email server coupled with roundcube for 
> webmail. Most of the users just use roundcube but some also use 
> their mobile devices to check email. Maybe one person uses 
> outlook. There’s about 5 to 10 users total. 
>
> I know roundcube offers a MFA plugin. But I don’t have the 
> foggiest idea how an iPhone, Android device, or Outlook could 
> all be set up to work with MFA with a standard dovecot/postfix 
> setup. Are there any practical solutions for easily implementing 
> MFA that could work across multiple devices?
>


