Hi,
X509/client-certificates actually work very well, I've been using it for quite some time. I guess the client-certificate provisioning is a bit hard for users.
I myself was curious about a mechanism via XOAUTH2 authentication that some big players support; (I presume) it means you authenticate once via a web page (option for 2nd factor) and use a bearer token to authenticate from that moment on.
I don't think Cyrus SASL supports XOAUTH2 yet; I noticed Dovecot does and was thinking about the option to use Dovecot as a proxy with XOAUTH2 authentication and use authorization (from the admin user) to Cyrus (or try the mechanism in Dovecot first for that matter).
I guess there are more clients that support x509 compared to XOAUTH2 though, but you can have users enable less safe mechanisms explicitly perhaps, and support multiple mechanisms.
Paul
