Concerns about "Two Factor Authentication" that need to be addressed.

Discussion forum for Enterprise Edition.
webshaun
Posts: 246
Joined: Wed May 25, 2005 8:37 pm
Location: NJ

Concerns about "Two Factor Authentication" that need to be addressed.

Post by webshaun »

I'm thankful that ME has decided to enhance security with two factor authentication but I have some major concerns.

The implementation is so limited that it only protects the webmail interface. If a password is obtained by an unauthorized user, they only have to use another protocol to gain full access to the account. SMTP/ActiveSync/POP3/IMAP - all of your other interfaces must be two-factor aware.

This is going to mean implementing "application passwords" and settings. If a user enables 2-factor, their primary account password shouldn't be available to use on protocols that do not support multi-factor authentication. The system should create a long, complex "application password" that would be the only password accepted by these other protocols. That way there is at least a far smaller chance that a brute force attack would ever be successful.

There needs to be an option to challenge (prompt on new IP address, or every 30 days). Since I can't deauthorize IPs through webmail, I want an option to expire after 30 days.

Thank you for your attention to these serious concerns.
---
Shaun Rieman
Advanced Micro Technologies, LLC
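The scheme Shaun is asking for can be sketched in a few dozen lines. What follows is an added example written for this page, not MailEnable code and not anything Ian's team shipped: an in-memory `Account` class (hypothetical name) where enabling 2FA means the primary password is refused on SMTP/IMAP/POP3/EAS and only a long, random, protocol-scoped application password is accepted there, while the webmail login verifies a TOTP code and then trusts the client IP for 30 days. PBKDF2 and the RFC 6238 `totp()` helper are standard library only; the usernames, passwords, IPs and the 30-day constant are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

TRUST_DAYS = 30  # the "expire after 30 days" option from the post (assumed value)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) so the webmail side has a real second factor."""
    counter = int(now // step).to_bytes(8, "big")
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Account:
    """Toy account record for one mailbox (hypothetical, in-memory, for illustration)."""

    ITERATIONS = 100_000  # PBKDF2 work factor; tune to your hardware

    def __init__(self, username: str, password: str, two_factor: bool = False):
        self.username = username
        self.two_factor = two_factor
        self.totp_secret = os.urandom(20)  # would be shown to the user as a QR code
        self._salt = os.urandom(16)
        self._pw_hash = self._kdf(password, self._salt)
        # label -> (salt, hash, protocols this app password is valid for)
        self.app_passwords: dict = {}
        # client IP -> unix time at which the trust expires
        self.trusted_ips: dict = {}

    @classmethod
    def _kdf(cls, secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, cls.ITERATIONS)

    def _matches(self, secret: str, salt: bytes, expected: bytes) -> bool:
        return hmac.compare_digest(self._kdf(secret, salt), expected)

    def create_app_password(self, label: str, protocols) -> str:
        """Generate a long random per-application password scoped to some protocols.
        Only the hash is stored; the cleartext is returned once for the user to copy."""
        secret = secrets.token_urlsafe(24)  # 192 bits of entropy: brute force is hopeless
        salt = os.urandom(16)
        self.app_passwords[label] = (salt, self._kdf(secret, salt), frozenset(protocols))
        return secret

    def revoke_app_password(self, label: str) -> None:
        self.app_passwords.pop(label, None)

    def protocol_login(self, protocol: str, secret: str) -> bool:
        """SMTP/IMAP/POP3/EAS have no second factor. With 2FA on, the primary
        password is never accepted here; only an app password scoped to this
        protocol is. With 2FA off, behaviour is the classic single password."""
        if not self.two_factor:
            return self._matches(secret, self._salt, self._pw_hash)
        for salt, digest, protos in self.app_passwords.values():
            if protocol in protos and self._matches(secret, salt, digest):
                return True
        return False

    def webmail_login(self, password: str, ip: str, code: Optional[str],
                      now: Optional[float] = None) -> str:
        """Returns 'denied', 'challenge' (OTP required) or 'ok'. A correct OTP
        trusts the client IP for TRUST_DAYS; a new IP or an expired one is
        challenged again, which is the behaviour the post asks for."""
        now = time.time() if now is None else now
        if not self._matches(password, self._salt, self._pw_hash):
            return "denied"
        if not self.two_factor:
            return "ok"
        expiry = self.trusted_ips.get(ip)
        if expiry is not None and now < expiry:
            return "ok"
        if code is None or not hmac.compare_digest(code, totp(self.totp_secret, now)):
            return "challenge"
        self.trusted_ips[ip] = now + TRUST_DAYS * 86400
        return "ok"
```

The important design point is in `protocol_login`: once 2FA is enabled the primary password stops working on every non-2FA protocol, so a phished or reused password no longer gives IMAP or ActiveSync access, and each app password can be revoked individually. Trusting an IP rather than a device cookie is a weak second-factor bypass (shared NAT, rotating mobile addresses), which is exactly why a short expiry and a way to clear `trusted_ips` matter.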

MailEnable-Ian
Site Admin
Posts: 9738
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: Concerns about "Two Factor Authentication" that need to be addressed.

Post by MailEnable-Ian »

Hi Shaun,

The principal motivator for 2FA was to protect SYSADMIN accounts now that platform management features are available within Web Administration. Unfortunately SMTP, IMAP, EAS, etc. do not have 2FA SASL mechanisms built into their protocols (and clients do not support custom authentication providers with any consensus). A protocol-specific password mechanism is the only practical way of providing enhanced security for these protocols (as you have said). We are working on an implementation for providing more security for those protocols.

Regards,

Ian Margarone
MailEnable Support

michaelsowa
Posts: 13
Joined: Tue Jun 21, 2005 2:05 pm
Location: Chester, UK

Re: Concerns about "Two Factor Authentication" that need to be addressed.

Post by michaelsowa »

Have there been any further advances on this? I also find two-factor authentication pointless as it's only for the web interface. I would like application-specific passwords like I have for my Google account and Gmail.
The Good Will out - Embrace
