On 29 Jun 2021, at 9:13, Glenn Parker wrote:

> To restate my question: what are the downsides to a compromised email
> account, and do they justify this level of access control?

I think in the University scenario (and probably many corporate scenarios), the risk that is being addressed is that due to Single Sign On (SSO), the identity used for accessing mail is the same identity for accessing other resources. Any use of the identity that does not work within the SSO system (including DUO) is considered a risk. For most Universities using MS Exchange, the vast majority of users use mechanisms that work with the SSO (Outlook and Outlook Web Access) and it is considered an acceptable “solution” to just turn off IMAP, etc. unless there is a significant reason to invest in supporting additional variations. There are, of course, several downsides to this decision but the downsides to a compromised email account include a compromised identity.

Dave

_______________________________________________
mailmate mailing list
mailmate@lists.freron.com
https://lists.freron.com/listinfo/mailmate