On 27.06.22 00:52, Steve Dondley wrote:
I have a small client whose insurance company insists they have MFA for their email to be covered under some kind of data protection policy. Currently I have the client set up on a Debian box for the email server coupled with roundcube for webmail. Most the users just use roundcube but some also use their mobile devices to check email. Maybe one person uses outlook. There’s about 5 to 10 users total.I know roundcube offers a MFA plugin. But I don’t have the foggiest idea how of an iPhone, Android device, or Outlook could all be set up to work with MFA with a standard dovecot/postfix setup. Are there any practical solutions for easily implementing MFA that could work across multiple devices?
*Totally* theorizing here, but as far as I'm aware, the SMTP (AUTH), POP, and IMAP protocol definitions do not provide elbow room to make *two* rounds of authentication. (Ever pondered why the admin can require O365 users to "use 2FA", but users then are still allowed to create "application passwords", note plural and lack of standard password features like a limited lifetime for those?)
If I'm correct with that, and if you have to provide these protocols, there are three options:
1. Users need to roll their memorized password and an OTP from a token into *one* combined password they enter (seen that in some early 2FA implementations when CLI/GUI login procedures did not yet have support for multiple rounds built in)
2. User needs to enter his "password" (PIN, actually) into the *token* to make it spit out a (valid) OTP, and *that* is then the "password" he sends to the servers (some people will insist that this "is not 2FA")
3. Servers/backends have a way to communicate with the token directly (ideally so that the user gets the password-to-enter via the token, say, per SMS, but for *that* to work out, you need that *every* piece of software used is willing and able to forward the info "user X wants to make an attempt at auth" *before* it also has the password at hand)
Good luck, -- Jochen Bern Systemingenieur Binect GmbH
smime.p7s
Description: S/MIME Cryptographic Signature
