Re: two factor auth

Indeed, but the application specific passwords are constant.  You need to assess your threat model and your risk appetite, but an application-specific password is on the one hand good, because an attacker who learns it "only" has access to your email (which is small comfort if the email permits password resets on other accounts, of course) but has that access on an ongoing basis.  Certainly, if your security policy mandates 2FA, then application-specific passwords won't satisfy that requirement.

ian

On 15/01/2021, 18:37, "Adam Tauno Williams" <awilliam@xxxxxxxxxxxxx> wrote:

> On Fri, 2021-01-15 at 17:44 +0000, Ian Batten via Info wrote:
> > No, because IMAP clients are continuously creating and destroying
> > IMAP sessions.
> > The correct solution if you need two-factor authentication for a mail
> > server is to put the IMAP service behind a VPN server and permit
> > access to email only via the VPN, which in turn has two-factor
> > authentication.
>
> Stacks like Office365 "solve" the two factor authentication requirement
> in the case of services like IMAP & SMTP by having "application
> passwords".  So my IMAP password is distinct from my user password; it
> is both machine generated [longish and random] and also does not
> expire.
 

------------------------------------------
Cyrus: Info
Permalink: https://cyrus.topicbox.com/groups/info/T0cce10bfd349100c-M8b945e23c9c1181d97e993e5
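The thread's point is that an application-specific password is a constant secret: long and random, but never expiring and usable for as long as the client keeps it. The sketch below is an added example, not code from the thread, from Cyrus or from Office 365, of how a mail service could issue such passwords while bounding that exposure: each one is scoped to a single protocol, carries an expiry, can be revoked individually, and records when it was last used so idle ones can be found. The names (AppPasswordStore, issue, verify, revoke, idle), the 90-day default and the PBKDF2 parameters are assumptions for the illustration.

```python
"""Hypothetical application-password store (added example, not from the thread).

Each app password is a separate random secret bound to one protocol scope,
with an expiry, a revocation flag and a last-used timestamp.  Only a salted
PBKDF2 digest is kept; the clear text is shown to the user once at issue time.
"""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed parameters for this illustration.
PBKDF2_ITERATIONS = 100_000
DEFAULT_MAX_AGE_DAYS = 90


@dataclass
class AppPassword:
    """One application-specific password record (hypothetical schema)."""
    app_id: str
    label: str                  # human label, e.g. "phone IMAP client"
    scope: str                  # the one protocol it is valid for, e.g. "imap"
    salt: bytes
    digest: bytes               # PBKDF2-HMAC-SHA256 of the password
    created: float
    expires: float
    revoked: bool = False
    last_used: Optional[float] = None


class AppPasswordStore:
    """In-memory store; a real service would back this with its auth database."""

    def __init__(self, max_age_days: int = DEFAULT_MAX_AGE_DAYS) -> None:
        self.max_age = max_age_days * 86400
        self._by_user: Dict[str, Dict[str, AppPassword]] = {}

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def issue(self, user: str, label: str, scope: str,
              now: Optional[float] = None) -> Tuple[str, str]:
        """Mint a long, random, machine-generated password for one scope.
        Returns (app_id, clear-text password); the clear text is not retained."""
        now = time.time() if now is None else now
        password = secrets.token_urlsafe(24)          # 192 bits of randomness
        salt = os.urandom(16)
        app_id = secrets.token_hex(4)
        rec = AppPassword(app_id, label, scope, salt, self._digest(password, salt),
                          created=now, expires=now + self.max_age)
        self._by_user.setdefault(user, {})[app_id] = rec
        return app_id, password

    def verify(self, user: str, password: str, scope: str,
               now: Optional[float] = None) -> Optional[str]:
        """Check a login for one protocol.  IMAP LOGIN / SASL PLAIN carry only
        user + password, so every live record for that user is tried.
        Returns the matching app_id, or None when nothing valid matches."""
        now = time.time() if now is None else now
        for rec in self._by_user.get(user, {}).values():
            if rec.revoked or now >= rec.expires or rec.scope != scope:
                continue
            if hmac.compare_digest(self._digest(password, rec.salt), rec.digest):
                rec.last_used = now
                return rec.app_id
        return None

    def revoke(self, user: str, app_id: str) -> bool:
        """Kill one app password without touching the user's main credential."""
        rec = self._by_user.get(user, {}).get(app_id)
        if rec is None or rec.revoked:
            return False
        rec.revoked = True
        return True

    def idle(self, user: str, idle_days: int, now: Optional[float] = None) -> List[str]:
        """App passwords still valid but unused for idle_days.  A leaked copy of
        one of these gives quiet, ongoing access, so they are the first
        candidates for revocation."""
        now = time.time() if now is None else now
        cutoff = now - idle_days * 86400
        return [
            rec.app_id
            for rec in self._by_user.get(user, {}).values()
            if not rec.revoked and now < rec.expires
            and (rec.last_used if rec.last_used is not None else rec.created) < cutoff
        ]


if __name__ == "__main__":
    store = AppPasswordStore()
    app_id, pw = store.issue("alice", "phone IMAP", "imap")
    print("issued", app_id, "valid for imap:", store.verify("alice", pw, "imap") == app_id)
    print("same secret on smtp:", store.verify("alice", pw, "smtp"))   # None
```

Expiry, scoping and revocation shrink the window a leaked app password gives an attacker, but they do not turn it into a second factor: the client still presents a single static secret, so this would not satisfy a policy that mandates 2FA, which is the point made above about routing IMAP through a VPN that does the two-factor step.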