Comments (24)

JoshData avatar JoshData commented on May 3, 2024 2

The last time I commented on this issue, the control panel might not have even existed yet. :)

Adding 2FA for only the control panel is probably a good idea. I don't think there's any benefit to adding 2FA to any other service unless we add 2FA (+ app-specific passwords) to all other services.

from mailinabox.

xatage avatar xatage commented on May 3, 2024 2

Would be really great to see it in the near future, as it means a great increase in safety for such sensitive data.

Bretos avatar Bretos commented on May 3, 2024 1

But with TOTP neither Google nor Apple is implicated. There are free alternatives for phone apps, e.g. OTP Authenticator, which I've mentioned, which is free and open source.

FYI, Google Authenticator (last open-source version) does not require Google to work either.

guyzmo avatar guyzmo commented on May 3, 2024 1

As long as 2FA is an opt-in solution, and if it's indeed a roll-your-own solution from end to end that does not rely on Google or Apple or anyone else, I'm all for it.

xatage avatar xatage commented on May 3, 2024 1

@JoshData
I have only one question, as this topic is probably stuck: why are you trying to protect everything with 2FA? I mean, OK, it's something to aim at, but at the least the admin WebUI should be protected first. Why not start only with the admin WebUI and maybe Roundcube first, and if there is any solution for IMAP in the future, add it then?

I noticed even well-organized and well-rated mail providers are not offering 2FA for IMAP now, e.g.:
https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA

The 2 factor authentication is only available for our web interface. The other services like IMAP, POP3, SMTP and also WebDAV, CalDAV and CardDAV do not support 2FA.

JoshData avatar JoshData commented on May 3, 2024 1

No one has done any work on it. I would gladly accept a PR that adds TOTP MFA to the control panel.

konklone avatar konklone commented on May 3, 2024

Are those the 3 things whose access needs to be protected via 2FA?

Here's a 2FA plugin for Roundcube.

For IMAP, instead of 2FA, maybe do a separate revocable password instead (an app-specific password). This is what Pobox does, for instance. My scripts which use the Pobox SMTP server have config files which use a password that, if compromised, could be revoked, and which only allows access to SMTP anyway.

JoshData avatar JoshData commented on May 3, 2024

Right. The Roundcube plugin will probably work. For IMAP, it depends on what Dovecot supports. It's configured to read passwords from a SQLite db now. Not sure if that can be combined with 2FA.

konklone avatar konklone commented on May 3, 2024

So this approach would actually not integrate 2FA with IMAP/Dovecot directly. You would need to make it so you can generate/revoke app-specific passwords from a 2FA-protected place, and then ensure that IMAP knows about any app-specific passwords.

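The scheme the two comments above converge on, as an added Python example that is not code from this thread or from Mail-in-a-Box: a 2FA-protected control panel mints random app-specific passwords and can revoke them, stores only a salted hash, and the IMAP/SMTP side checks a presented password against the live, correctly scoped tokens for that user. The SQLite schema, the PBKDF2 hash string format, the token format and the function names are assumptions made for this example, not the project's own (Dovecot's real lookup would be wired to whatever table and hash scheme the project uses).

```python
"""Revocable, service-scoped app-specific passwords for IMAP/SMTP.

The control panel (behind 2FA) mints tokens and can revoke them; the mail
side only needs verify_app_password(). Schema and hash format are assumptions
made for this example, not Mail-in-a-Box's own."""
import hashlib
import hmac
import secrets
import sqlite3
import string
import time
from typing import Optional, Tuple

SCHEMA = """
CREATE TABLE IF NOT EXISTS app_passwords (
    id       INTEGER PRIMARY KEY,
    user     TEXT    NOT NULL,
    label    TEXT    NOT NULL,   -- e.g. 'phone', 'backup script'
    services TEXT    NOT NULL,   -- comma-separated scope, e.g. 'imap,smtp'
    pw_hash  TEXT    NOT NULL,   -- 'pbkdf2_sha256$<iters>$<salt hex>$<dk hex>'
    created  INTEGER NOT NULL,
    revoked  INTEGER NOT NULL DEFAULT 0
);
"""


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def hash_password(password: str, iterations: int = 100_000,
                  salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored string carries its own parameters."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def check_password(password: str, stored: str) -> bool:
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so a wrong password leaks nothing via timing.
    return hmac.compare_digest(dk.hex(), dk_hex)


def create_app_password(conn: sqlite3.Connection, user: str, label: str,
                        services: Tuple[str, ...]) -> Tuple[int, str]:
    """Mint a random token, store only its hash, return the plaintext once.
    The caller (the 2FA-protected control panel) has already verified the
    user's second factor; that is what makes the token a safe substitute."""
    raw = "".join(secrets.choice(string.ascii_lowercase) for _ in range(16))
    token = "-".join(raw[i:i + 4] for i in range(0, 16, 4))  # 'abcd-efgh-ijkl-mnop'
    cur = conn.execute(
        "INSERT INTO app_passwords (user, label, services, pw_hash, created) "
        "VALUES (?, ?, ?, ?, ?)",
        (user, label, ",".join(services), hash_password(token), int(time.time())))
    conn.commit()
    return cur.lastrowid, token


def revoke_app_password(conn: sqlite3.Connection, user: str, pw_id: int) -> bool:
    """Revoke one token; scoping the UPDATE by user stops cross-account revocation."""
    cur = conn.execute(
        "UPDATE app_passwords SET revoked = 1 WHERE id = ? AND user = ? AND revoked = 0",
        (pw_id, user))
    conn.commit()
    return cur.rowcount == 1


def verify_app_password(conn: sqlite3.Connection, user: str, password: str,
                        service: str) -> Optional[str]:
    """What the IMAP/SMTP side calls. Returns the matching token's label, or None.
    Only live tokens whose scope includes `service` are considered, so an SMTP-only
    token leaked from a script cannot read the mailbox over IMAP."""
    rows = conn.execute(
        "SELECT label, services, pw_hash FROM app_passwords "
        "WHERE user = ? AND revoked = 0", (user,)).fetchall()
    for label, services, pw_hash in rows:
        if service in services.split(",") and check_password(password, pw_hash):
            return label
    return None


if __name__ == "__main__":
    db = open_db()
    pw_id, token = create_app_password(db, "alice@example.com", "script", ("smtp",))
    print("smtp:", verify_app_password(db, "alice@example.com", token, "smtp"))
    print("imap:", verify_app_password(db, "alice@example.com", token, "imap"))
    revoke_app_password(db, "alice@example.com", pw_id)
    print("after revoke:", verify_app_password(db, "alice@example.com", token, "smtp"))
```

The plaintext token is shown to the user exactly once and never stored, so a database read gives an attacker only hashes of high-entropy random strings; revocation is a flag flip the mail server honours on the next login, which is the property the comment above asks for.

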
JoshData avatar JoshData commented on May 3, 2024

Ahhha I get it now.

JoshData avatar JoshData commented on May 3, 2024

see #279

mlissner avatar mlissner commented on May 3, 2024

Increasingly I'm also seeing what looks like OAuth being used for this purpose. For example, when I add a Google account to my phone, instead of needing an app-specific password, it has me go through an OAuth workflow which (using my 2FA key) grants my phone access. The advantage here is that the 2FA sign in flow is used rather than having to go create (and manage) an app-specific password. I've seen this pop up in a few integrated environments (Ubuntu, Android, etc.), but not in places like Thunderbird. I suppose this means the app-specific passwords will still be needed, but if they can be avoided at all, all the better.

On a different topic, I have 2FA for SSH set up on my servers and I have it set up so that it's only needed if you sign in using a password. If I'm using key-based auth, that always felt close enough to 2FA to me.

aspdye avatar aspdye commented on May 3, 2024

Control Panel should also be secured with this 😉

guyzmo avatar guyzmo commented on May 3, 2024

About 2FA, we could also consider an XMPP-based solution, i.e. having an authentication confirmation asked through XMPP each time a 2FA access is required? And then a simple "yes" answer to the question sent over XMPP would allow access to the service.

I don't have a solution in mind for that, but I'm pretty sure one exists that can be linked to most of the apps.

Bretos avatar Bretos commented on May 3, 2024

This seems like a good thing to implement; is 2FA coming soon, or is it far far away on the roadmap?

Would it rather be backed up by XMPP like @guyzmo mentioned (which would probably need an XMPP server set up alongside, which doesn't seem like a bad idea?) or TOTP using Google Authenticator or OTP Authenticator (Android), which I guess would work more reliably?

nomandera avatar nomandera commented on May 3, 2024

2FA on MIAB interests me a lot. XMPP on MIAB interests me independently as well.

I will say though that ANYTHING that requires Google or Apple to function should be discounted, e.g. push messages using Apple's or Google's native capabilities.

nomandera avatar nomandera commented on May 3, 2024

Understood. I just specifically mention it as with all things Apple and Google at some point there will be some "nice" feature that is unavailable or much harder to roll your own. Perhaps a bit vague a point for GitHub.

louwers avatar louwers commented on May 3, 2024

2FA is an indispensable feature!

Google Authenticator has an Apache licence and there are many apps for it (including browser extensions and the like). I support using the plugin for Roundcube.

Can I just go ahead and install it myself, or would that potentially break things in the long run?

steamwings avatar steamwings commented on May 3, 2024

Any update on this?

MFA for email has become increasingly relevant this year with covid etc., even though many email providers that aren't MS and Google don't seem to offer it. Adding any flavor of OTP to the console would be a very welcome first step, but this is increasingly desirable for all users. For businesses, not having MFA is a risk internally and to partners.

OAuth for all would be great, but still tends to be a premium business feature.

Synchro avatar Synchro commented on May 3, 2024

FWIW, I recommend these two packages for doing TOTP from PHP:

This one for handling code generation and verification: https://github.com/PHPGangsta/GoogleAuthenticator

This one for QR generation so you don't have to use Google Charts: https://github.com/endroid/qr-code

JoshData avatar JoshData commented on May 3, 2024

The control panel is in Python.

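Since the control panel is Python rather than PHP, here is what the TOTP side of the recommendation above looks like with only the standard library, as an added example that is not code from this thread or from Mail-in-a-Box: RFC 4226 HOTP, RFC 6238 TOTP on top of it, the otpauth:// provisioning URI an authenticator app scans (rendered to a QR code locally, which is the point of not using Google Charts), and a verifier that tolerates one 30-second step of clock skew but never accepts a code twice. The function names and the in-memory last_used_counter are choices made for this example; a real control panel persists the secret and that counter per user.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP with the standard library only.

Enrolment: generate_secret() -> provisioning_uri() -> render as QR -> user scans.
Login: TotpVerifier.verify(code) after the password check succeeds.
Function names and the in-memory last_used_counter are choices made for this
example; a real control panel persists the secret and counter per user."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote


def generate_secret(nbytes: int = 20) -> str:
    """Fresh random secret, base32-encoded the way authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def decode_secret(secret_b32: str) -> bytes:
    # Apps show secrets without '=' padding and often with spaces; normalise first.
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian 64-bit counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30,
         digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    t = int(time.time()) if at is None else at
    return hotp(decode_secret(secret_b32), t // step, digits)


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth:// Key URI to encode as a QR code. Generate the QR locally, never
    via a third-party chart service: the URI contains the shared secret."""
    label = quote(f"{issuer}:{account}", safe="")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer, safe='')}"
            f"&algorithm=SHA1&digits=6&period=30")


class TotpVerifier:
    """Accepts a code for the current step or `window` steps either side (clock
    skew) and never accepts a step at or below the last accepted one (replay)."""

    def __init__(self, secret_b32: str, step: int = 30, window: int = 1):
        self.key = decode_secret(secret_b32)
        self.step = step
        self.window = window
        self.last_used_counter = -1  # persist per user in a real deployment

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        code = code.replace(" ", "")
        if not code.isdigit():
            return False
        t = int(time.time()) if at is None else at
        counter = t // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_used_counter:
                continue  # this step (or an older one) was already consumed
            if hmac.compare_digest(hotp(self.key, c), code):
                self.last_used_counter = c
                return True
        return False


if __name__ == "__main__":
    secret = generate_secret()
    print(provisioning_uri(secret, "admin@box.example", "Mail-in-a-Box"))
    print("current code:", totp(secret))
```

Two points a practitioner should keep from this: the comparison is constant-time, and the verifier only ever checks a handful of candidate codes per login, so it must sit behind a rate limit, since a 6-digit code with a 3-step window gives an online guesser roughly a 3-in-a-million chance per attempt.

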
Dr-Ari-Gami avatar Dr-Ari-Gami commented on May 3, 2024

2FA is a feature that would gladly be accepted. In fact, it's built into Nextcloud, and Nextcloud can also act as an OAuth2 provider, so can't you just use Nextcloud to log in to everything?

I'm pretty sure you can even rebrand Nextcloud through config if I remember correctly.

ZingBlue avatar ZingBlue commented on May 3, 2024

That'd be pretty nice.

JoshData avatar JoshData commented on May 3, 2024

Folks, I'm going to lock this issue. Most of the comments are speculation, which isn't productive and clutters the inboxes of everyone subscribed to notifications on this project.

As I recently said, I would accept a PR that adds 2FA/MFA to the control panel. That's what needs to be done to move this ball forward. Any effort on that would be appreciated. A more comprehensive implementation of 2FA/MFA doesn't make sense until after the control panel is secured.
