Tom Fowle wrote:
> On Tue, Jun 12, 2018 at 08:49:09AM -0400, José María Mateos wrote:
> > On Mon, Jun 11, 2018 at 08:26:42PM -0700, Tom Fowle wrote:
> > > As more ISPs and email providers require two factor authentication, I
> > > hope mutt will support this security system!
> >
> > Doesn't mutt already "support" this? I use Fastmail with 2FA enabled.
> > What I do then is to generate an app-specific password which is the one
> > I use in the mutt configuration. There's not much to support, it's just
> > a different password, unless there's something I'm not getting right.
> >
> > Cheers,
> >
> > --
> > José María (Chema) Mateos
> > https://rinzewind.org/blog-es || https://rinzewind.org/blog-en
>
> Jose,
> In what little I've read, I'd thought one needed to authenticate with two
> passwords, but I'm probably wrong.
>
> Thanks, I'll try it if it becomes necessary.
> Tom Fowle
tl;dr
-----

2FA/MFA = what you know + what you have + what you are.
2 passwords = 2 * what you know = 1FA.
2FA/MFA is mostly for websites, not pop/imap.
however, pop/imap + tls + client certificate = 2FA/MFA (?).
however, can't really see that happening.
off-topic nonsense about credential stuffing, 2FA/MFA, password managers.

long version
------------

2FA/MFA isn't two passwords. It's something you know (like usernames and passwords) and something you have (like access to an email account or mobile/cell/handy phone), and/or something you are (like fingerprints or iris patterns or voice patterns). Two passwords is just two of something you know, so it's still a single factor.

However, it should be pointed out that 2FA/MFA is mostly for websites. The IMAP/POP protocols have no support for it. It's unlikely that the POP/IMAP protocols will be changed to incorporate 2FA/MFA. And until that happens, I doubt there's much that mutt (or POP/IMAP servers) can do about it.

Actually, I'm probably completely wrong about that. It's probably quite possible for a POP/IMAP server to require the use of TLS and to require that you have a client certificate that it recognises as well as your username and password. That would be 2FA/MFA and mutt might not even need to know about it. The underlying TLS library would take care of it. But the email service provider would have to have some way of issuing you with a client certificate and instructions on how to install it. If the client certificate is encrypted then mutt might need to know about it to support gathering the passphrase needed to decrypt the client certificate. I don't know.

But I can't see too many email service providers requiring all of their users to install (and possibly encrypt) client certificates on all of their devices where they read email. But it could be an opt-in thing where if you ask for a client certificate, then you always need to use it.
<SLIGHTLY_OFF_TOPIC_2FA_MANSPLAINING_NONSENSE>

The biggest threat that is mitigated by 2FA/MFA is credential stuffing, where someone hacks one website, steals the usernames (usually email addresses) and passwords, cracks the passwords, then re-uses them on all the other websites to see if they work. Last I heard, 40% of website login attempts worldwide are automated using stolen credentials. The attempts that succeed are worth more in criminal markets than untested stolen credentials. Where there's a business model, there's a way. Credential stuffing is here to stay.

The best defense against this is for all websites to store passwords in a way that can't be cracked, or at least can't be cracked without spending vast sums of money on hardware (e.g. scrypt+hmac). But of course website users have no control over that. Just having unique strong passwords for every website is enough to mitigate against credential stuffing.

Real 2FA/MFA is more for protecting against attacks that target you specifically. But even then, some 2FA/MFA systems send an email with a code to an email account that you might only have 2FA/MFA access to, but most send a text message and, at least in Australia, it's very easy to steal someone's mobile/cell/handy phone number (not the handset, just the number), so 2FA/MFA doesn't really protect against targeted attacks either. So it only really protects against credential stuffing. But it does make targeted attacks harder to perform, so it is worthwhile for that too.

Anyway, if you're just concerned about credential stuffing, use a password manager and use it (or at least unique strong passwords) for any POP/IMAP accounts you have as well as for any website accounts. I think the reason that some websites require 2FA/MFA is because they can't force you to use strong unique passwords for every website.

But if you choose to use strong unique passwords for everything, then you don't really need 2FA/MFA (unless you also want to defend yourself against targeted attacks by people who aren't willing to put too much effort into the targeted attack). Having said all that, 2FA/MFA may well be easier than using a password manager. If so, that's a good enough reason to use it everywhere you can, or at least everywhere important. However, if you can't use it, use a password manager and strong unique passwords. Or both.

</SLIGHTLY_OFF_TOPIC_2FA_MANSPLAINING_NONSENSE>
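As an added illustration of the "scrypt+hmac" server-side password storage mentioned in the post above (this is example code written for this thread, not anything from mutt or from the posters), the following shows one way a site can store passwords so that a dumped credential database is expensive to crack: a per-user random salt, a memory-hard scrypt derivation, and an HMAC with a server-side pepper that is never stored alongside the database. The pepper value and the record format "scrypt$<salt>$<tag>" are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Server-side "pepper", kept outside the password database (config file, KMS),
# so a dumped table alone is not enough to start cracking.
# Constructed value for this example; a real deployment generates its own.
PEPPER = bytes.fromhex("3f0c9a5e1b7d4c2a8e6f0d1b3c5a7e9f")

# scrypt cost parameters: 128 * r * n bytes = 16 MiB of memory per guess,
# which is what makes bulk cracking of a stolen database expensive.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record "scrypt$<salt-hex>$<tag-hex>" for the password."""
    salt = salt if salt is not None else os.urandom(16)  # unique per user
    derived = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                             n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # HMAC the scrypt output with the pepper; only the tag is stored.
    tag = hmac.new(PEPPER, derived, hashlib.sha256).digest()
    return f"scrypt${salt.hex()}${tag.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the tag for the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, tag_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:  # malformed record: wrong field count or bad hex
        return False
    if scheme != "scrypt":
        return False
    expected_tag = hash_password(password, salt).split("$")[2]
    return hmac.compare_digest(expected_tag, tag_hex)


def records_differ_for_same_password(password: str) -> bool:
    """Per-user salts mean two users with the same password get different
    records, so cracking one record says nothing about the other."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong password", rec))                # False
```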