On 2023-07-31 14:32, Ángel via mailop wrote:
> On 2023-07-25 at 17:14 +0200, Sebastian Nielsen via mailop wrote:
> > Sadly not all MUAs implement ClientID either.
> > Easiest way to implement 2FA on email, is to have a webpage, where
> > you login with your 2FA token. When you have done that, the IP to
> > visit that webpage is written to the account's authorized IP list.
> > For user friendliness, you could save, let's say the 10 latest IPs
> > used to access that webpage.

> That's the easiest to the developer implementing it, not for the user,
> which may need to authorise his new IP every day.
>
> If you want that to be simple for the user, you should probably
> implement XOAUTH2 (which hopefully will already be supported by the
> client). But that's much more work for the server developer.

Or, you could 'fingerprint' his webmail connection, and then pass that on as a CLIENTID signature. While nothing is 100% secure if a person's PC or device gets hacked, and browser fingerprinting 'might' be able to be discovered/forged by a malicious website operator, in general it should be pretty reliable.

It doesn't matter what IP address they have (coffee shop, dynamic IPs etc).

But server upgrades, browser upgrades etc CAN potentially break the fingerprint, so it is good if they have more than one approved browser fingerprint to 'unlock' the mail box, when trying a new browser.

And of course, you can even use 'cookies' as a CLIENTID, but they of course can be deleted or 'stolen' by malicious plugins or viruses.

Still, it is > 99% effective in stopping unauthorized attacks or compromises or password reuse theft.

--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada


_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
