Tried to stay off this thread..
However, a lot of talk on the subject, and I guess time to mention on
this thread..
2FA needs to be simpler.. transparent to the customer.
It's one of the reasons that we first suggested adopting changes in the
legacy email protocols, so it can better support this.
And at M3AAWG, several list members asked about the location of the RFC
Drafts covering this..
https://datatracker.ietf.org/doc/draft-storey-smtp-client-id/
https://datatracker.ietf.org/doc/draft-yu-imap-client-id/
Simply put.. (Thanks to a M3AAWG member who described it like this)
Think of it as a 'cookie' for SMTP/IMAP.
I "prefer" if discussions on the spec, its current adoption, remain off
the mailop mailing list, but I think you can see it is at the heart of
the discussions in this thread, e.g. on what it is intended to do.
(Reach out off list if you want more information, or discuss on the IETF
channels for this)
We encourage all email clients and email servers to support these
extensions...
But at the end of the day, simple transparent 2FA is the holy grail, and
of course stops 99.9% of password spray attacks, brute force attacks,
and most email leakage attacks.
You just have to make it easy to add/revoke/register devices.
Too bad about the 'what happens at M3AAWG, stays at M3AAWG' in this
case, because some really great conversations were had on this topic,
that would be great to share..
On 2023-02-22 11:03, Sebastian Nielsen via mailop wrote:
Problem with OAuth2 is that many commercial mail clients only support it
for a select number of big providers thus you have 2 choices, either
implement geo-restriction, or have a 2FA auth portal where you authorize
IPs to access your account.
-------- Original message --------
From: Taavi Eomäe via mailop <mailop@mailop.org>
Date: 2023-02-22 19:42 (GMT+01:00)
To: mailop@mailop.org
Subject: Re: [mailop] Compromised email account trends
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada
This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.