On Wed, 22 Apr 2020, Johannes Rohr wrote:

> It is a pity that the IMAP protocol does not support 2 factor
> authentication, which seems to stop 90% of intrusion attempts in their
> tracks.

You could use VPN, which can enforce 2FA.

You can hack 2FA into IMAP or any protocol where you can control
the backend authenticator.  It's easier with time-based OTP
(TOTP) token generators.  Authenticate using the usual username and the
concatenation of (user-password)(otp-token), then invalidate the otp-token
to foil replay attacks.

The backend will have to split the credentials into individual factors
that can be checked separately.

> Is there a reasonable way of detecting and preventing logins from
> unusual IP ranges? Or are there other strategies you would recommend?

Start by defining "unusual".  Once you have a characterization of unusual,
implement the detection.  For example,

        - more than <n> failures?
        - attempt to authenticate to non-existent generic accounts e.g. "root"?
        - weird time of day?
        - authentication from implausible geographic regions? (e.g. Chad)?
        - logins from multiple geolocations in short time frames?

As the saying goes regarding the value of prevention vs cure, enforce
good security habits for your users: password strength, endpoint malware
protection, skepticism, etc.

Joseph Tam <jtam.h...@gmail.com>
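As an added illustration of the concatenated password+TOTP scheme described in the reply above (example code, not from the thread or any mail server): a minimal backend check that splits the password field into its two factors, verifies each separately, and refuses a token that has already been accepted. The user record, salt and TOTP seed (the RFC 6238 test-vector secret) are constructed sample values.

```python
import base64, hashlib, hmac, struct, time

OTP_DIGITS = 6
STEP = 30  # seconds per TOTP step
_SALT = b"constructed-demo-salt"

# Constructed sample user record: PBKDF2 password hash plus a TOTP seed
# (the RFC 6238 test-vector secret "12345678901234567890", base32-encoded).
USERS = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000),
        "totp_secret": base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"),
    }
}
_used_tokens = set()  # (user, time_step) already accepted; prune periodically in practice

def totp(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) for the step containing `now`."""
    counter = struct.pack(">Q", int(now // STEP))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)

def split_credential(field: str):
    """Client sends <password><otp> in the password slot; the OTP is the fixed-length tail."""
    if len(field) <= OTP_DIGITS or not field[-OTP_DIGITS:].isdigit():
        return None, None
    return field[:-OTP_DIGITS], field[-OTP_DIGITS:]

def authenticate(user: str, field: str, now=None) -> bool:
    """Check both factors separately; a token that already succeeded is rejected (replay)."""
    now = time.time() if now is None else now
    rec = USERS.get(user)
    password, otp = split_credential(field)
    if rec is None or password is None:
        return False
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000), rec["pw_hash"])
    step = int(now // STEP)
    matched = None
    for s in (step - 1, step, step + 1):  # tolerate one step of clock skew
        if hmac.compare_digest(totp(rec["totp_secret"], s * STEP), otp):
            matched = s
    if not pw_ok or matched is None or (user, matched) in _used_tokens:
        return False
    _used_tokens.add((user, matched))  # invalidate the token so it cannot be replayed
    return True
```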
