On Tue, Jun 12, 2018 at 09:45:50AM -0500, Hokan wrote:
> I use LastPass CLI to present my password.  I have LastPass protected with 
> 2FA.
> My .muttrc contains a line like this:
> set imap_pass="`/usr/local/bin/lpass show --password myname@mydomain || sleep 
> 1`"
> and
> set smtp_pass=$imap_pass
> and that works for me.

It should be pointed out that this is not really 2FA at all.  If I
have your actual user credentials (username & password), say because I
got root access to the machine where you run Mutt and snarfed them out
of memory, this scheme does nothing to prevent me from using them
directly, completely bypassing any 2FA on LastPass.  With respect to
the resource to which your credentials give access, there's no second
factor.  LastPass is just acting as a proxy for your brain.  The only
actual effect it has is to complicate (in a technical sense) the
retrieval of your single authentication factor from your "memory"
(i.e. LastPass' password store)--making it arguably less secure, not
more (because more potential points of failure mean a higher chance
something will break, preventing you from being able to access your
mail).  All the security in the world does you no good if the
resources you're protecting are unavailable to legitimate users.

The point of 2FA is to prevent the scenario where an attacker gets your
credentials (user & password, or "the thing you know"), allowing them
to gain access.  Examples of how this would be 2FA is if your IMAP
server *additionally* required a cryptographic certificate, hardware
token, sent you a text to your phone, etc.--something that only *you*
should have physical access to.  Inability to access that physical
thing (your second authentication factor) still prevents access, even
though your credentials are compromised (known by someone other than
yourself).  Like your scheme, this also increases complexity, but
unlike your scheme, it additionally provides a real increase in
security--making the extra complexity involved (arguably) justified.

Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail due to spam prevention.  Sorry for the inconvenience.

Attachment: pgpKYJ0UMvI_j.pgp
Description: PGP signature

Reply via email to