Tom Fowle wrote:

> On Tue, Jun 12, 2018 at 08:49:09AM -0400, Jos? Mar?a Mateos wrote:
> > On Mon, Jun 11, 2018 at 08:26:42PM -0700, Tom Fowle wrote:
> > > As more isps and email providers require two factor authentication, I 
> > > hope mutt will support this  security system!
> > 
> > Doesn't mutt already "support" this? I use Fastmail with 2FA enabled. 
> > What I do then is to generate an app-specific password which is the one 
> > I use in the mutt configuration. There's not much to support, it's just 
> > a different password, unless there's something I'm not getting right.
> > 
> > Cheers,
> > 
> > -- 
> > José María (Chema) Mateos
> > ||
> Jose,
> In what little I've read, I'd thought one needed to authenticate with two
> passwords, but I'm probably wrong.
> Thanks, I'll try it if it becomes necessary.
> Tom Fowle

2FA/MFA = what you know + what you have + what you are.
2 passwords = 2 * what you know = 1FA.
2FA/MFA is mostly for websites, not pop/imap.
however, pop/imap + tls + client certificate = 2FA/MFA (?).
however, can't really see that happening.
off-topic nonsense about credential stuffing, 2FA/MFA, password managers.

long version
2FA/MFA isn't two passwords. It's something you know (like
usernames and passwords) and something you have (like access to
an email account or mobile/cell/handy phone), and/or something
you are (like fingerprints or iris patterns or voice pstterns).

Two passwords is just two of something you know so it's still a
single factor.

However, it should be pointed out that 2FA/MFA is mostly for
websites. The IMAP/POP protocols have no support for it. It's
unlikely that the POP/IMAP protocols will be changed to
incorporate 2FA/MFA. And until that happens, I doubt there's
much that mutt (or POP/IMAP servers) can do about it.

Actually, I'm probably completely wrong about that. It's
probably quite possible for a POP/IMAP server to require the use
of TLS and to require that you have a client certificate that it
recognises as well as your username and password. That would be
2FA/MFA and mutt might not even need to know about it. The
underlying TLS library would take care of it. But the email
service provider would have to have some way of issuing you with
a client certificate and instructions on how to install it.

If the client certificate is encrypted then mutt might need
to know about it to support gathering the passphrase needed
to decrypt the client certificate. I don't know.

But I can't see too many email service providers requiring all
of their users to install (and possibly encrypt) client
certificates on all of their devices where they read email.
But it could be an opt-in thing where if you ask for a client
certificate, then you always need to use it.


The biggest threat that is mitigated by 2FA/MFA is credential
stuffing where someone hacks one website, steals the usernames
(usually email addresses) and passwords, cracks the passwords,
then re-uses them on all the other websites to see if they work.

Last I heard, 40% of website logins attempts worldwide are
automated using stolen credentials. The attempts that succeed
are worth more in criminal markets than untested stolen
credentials. Where there's a business model, there's a way.
Credential stuffing is here to stay.

The best defense against this is for all websites to store
passwords in a way that can't be cracked or at least can't be
cracked without spending vast sums of money on hardware (e.g.
scrypt+hmac). But of course website users have no control over

Just having unique strong passwords for every website is enough
to mitigate against credential stuffing. Real 2FA/MFA is more
for protecting against attacks that target you specifically. But
even then, some 2FA/MFA systems send an email with a code to an
email account that you might only have 2FA/MFA access to, but
most send a text message and, at least in Australia, it's very
easy to steal someone's mobile/cell/handy phone number (not the
handset, just the number), so 2FA/MFA doesn't really protect
against targeted attacks either. So it only really protects
against credential stuffing. But it does make targeted attacks
harder to perform so it is worthwhile for that too.

Anyway, if you're just concerned about credential stuffing, use
a password manager and use it (or at least unique strong
passwords) for any POP/IMAP accounts you have as well as for any
website accounts.

I think the reason that some websites require 2FA/MFA is because
they can't force you to use strong unique passwords for every
website. But if you choose to use strong unique passwords for
everything, then you don't really need 2FA/MFA (unless you also
want to defend yourself against targeted attacks by people who
aren't willing to put too much effort into the targeted attack).

Having said all that, 2FA/MFA may well be easier than using a
password manager. If so, that's a good enough reason to use it
everywhere you can or at least everywhere important. However, if
you can't use it, use a password manager and strong unique
passwords. Or both.


Reply via email to