Comments (24)
The last time I commented on this issue, the control panel might not have even existed yet. :)
Adding 2FA for only the control panel is probably a good idea. I don't think there's any benefit to adding 2FA to any other service unless we add 2FA (+ app-specific passwords) to all other services.
from mailinabox.
Would be really great to see it in the near future, as it means a great increase in safety for such sensitive data.
from mailinabox.
But with TOTP neither Google nor Apple is implicated. There are free alternatives for phone apps, e.g. the OTP Authenticator I've mentioned, which is free and open source.
FYI, Google Authenticator (the last open-source version) does not require Google to work either.
from mailinabox.
As long as 2FA is an opt-in solution, and if it's indeed a roll-your-own solution from end to end that does not rely on Google or Apple or anyone else, I'm all for it.
from mailinabox.
@JoshData
I have only one question, as this topic is probably stuck: why are you trying to protect everything with 2FA? I mean, OK, it's something to aim at, but at the very least the admin WebUI should be protected first. Why not start with only the admin WebUI and maybe Roundcube first, and if there is any solution for IMAP in the future, add it then?
I noticed that even well-organized and well-rated mail providers are not offering 2FA for IMAP now, e.g.:
https://kb.mailbox.org/display/MBOKBEN/How+to+use+two-factor+authentication+-+2FA
The 2 factor authentication is only available for our web interface. The other services like IMAP, POP3, SMTP and also WebDAV, CalDAV and CardDAV do not support 2FA.
from mailinabox.
No one has done any work on it. I would gladly accept a PR that adds TOTP MFA to the control panel.
from mailinabox.
Are those the 3 things whose access needs to be protected via 2FA?
Here's a 2FA plugin for Roundcube.
For IMAP, instead of 2FA, maybe do a separate revocable password instead (an app-specific password). This is what Pobox does, for instance. My scripts which use the Pobox SMTP server have config files which use a password that, if compromised, could be revoked, and which only allows access to SMTP anyway.
from mailinabox.
Right. The Roundcube plugin will probably work. For IMAP, it depends on what Dovecot supports. It's configured to read passwords from an SQLite db now. Not sure if that can be combined with 2FA.
from mailinabox.
So this approach would actually not integrate 2FA with IMAP/Dovecot directly. You would need to make it so you can generate/revoke app-specific passwords from a 2FA-protected place, and then ensure that IMAP knows about any app-specific passwords.
from mailinabox.
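The app-specific-password model described above, as an added sketch in Python (not code from mailinabox or from any commenter): passwords are issued and revoked from the 2FA-protected control panel, stored only as salted PBKDF2 hashes in an SQLite table, scoped to one service, and the mail service's auth lookup accepts any live password for that user and service. The table layout, function names and `PBKDF2_ITERATIONS` value are my own assumptions.

```python
import hashlib
import hmac
import secrets
import sqlite3

PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune for the host


def open_db(path=":memory:"):
    """Open (or create) the constructed app_passwords table; in-memory by default."""
    db = sqlite3.connect(path)
    db.execute("""CREATE TABLE IF NOT EXISTS app_passwords (
        id INTEGER PRIMARY KEY, user TEXT NOT NULL, label TEXT NOT NULL,
        service TEXT NOT NULL, salt BLOB NOT NULL, hash BLOB NOT NULL,
        revoked INTEGER NOT NULL DEFAULT 0)""")
    return db


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def issue(db, user: str, label: str, service: str):
    """Called only from the 2FA-protected panel; the plaintext is shown once and never stored."""
    password = secrets.token_urlsafe(24)
    salt = secrets.token_bytes(16)
    cur = db.execute(
        "INSERT INTO app_passwords(user, label, service, salt, hash) VALUES (?, ?, ?, ?, ?)",
        (user, label, service, salt, _hash(password, salt)))
    db.commit()
    return cur.lastrowid, password


def check(db, user: str, service: str, password: str) -> bool:
    """What the mail service's lookup does: match any non-revoked password for user+service."""
    rows = db.execute(
        "SELECT salt, hash FROM app_passwords WHERE user = ? AND service = ? AND revoked = 0",
        (user, service)).fetchall()
    ok = False
    for salt, stored in rows:
        ok |= hmac.compare_digest(_hash(password, salt), stored)
    return ok


def revoke(db, user: str, token_id: int) -> None:
    """Revocation is a flag flip; the next check() call no longer accepts the password."""
    db.execute("UPDATE app_passwords SET revoked = 1 WHERE id = ? AND user = ?", (token_id, user))
    db.commit()
```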
Ahhha I get it now.
from mailinabox.
see #279
from mailinabox.
Increasingly I'm also seeing what looks like OAuth being used for this purpose. For example, when I add a Google account to my phone, instead of needing an app-specific password, it has me go through an OAuth workflow which (using my 2FA key) grants my phone access. The advantage here is that the 2FA sign in flow is used rather than having to go create (and manage) an app-specific password. I've seen this pop up in a few integrated environments (Ubuntu, Android, etc.), but not in places like Thunderbird. I suppose this means the app-specific passwords will still be needed, but if they can be avoided at all, all the better.
On a different topic, I have 2FA for SSH set up on my servers and I have it set up so that it's only needed if you sign in using a password. If I'm using a key-based auth, that always felt close enough to 2FA to me.
from mailinabox.
Control Panel should also be secured with this 😉
from mailinabox.
About 2FA, we could also consider an XMPP-based solution, i.e. having an authentication confirmation asked through XMPP each time a 2FA access is required? And then a simple "yes" answer to the question sent over XMPP would allow access to the service.
I don't have a solution in mind for that, but I'm pretty sure one exists that can be linked to most of the apps.
from mailinabox.
This seems like a good thing to implement; is 2FA coming soon, or is it far far away on the roadmap?
Would it rather be backed by XMPP like @guyzmo mentioned (which would probably require setting up an XMPP server alongside, which doesn't seem like a bad idea?) or TOTP using Google Authenticator or OTP Authenticator (Android), which I guess would work more reliably?
from mailinabox.
2FA on MIAB interests me a lot. XMPP on MIAB interests me independently as well.
I will say though that ANYTHING that requires Google or Apple to function should be discounted, e.g. push messages using Apple's or Google's native capabilities.
from mailinabox.
Understood. I just specifically mention it as, with all things Apple and Google, at some point there will be some "nice" feature that is unavailable or much harder to roll your own. Perhaps a bit vague a point for GitHub.
from mailinabox.
2FA is an indispensable feature!
Google Authenticator has an Apache licence and there are many apps for it (including browser extensions and the like). I support using the plugin for Roundcube.
Can I just go ahead and install it myself, or would that potentially break things in the long run?
from mailinabox.
Any update on this?
MFA for email has become increasingly relevant this year with covid etc., even though many email providers that aren't MS and Google don't seem to offer it. Adding any flavor of OTP to the console would be a very welcome first step, but this is increasingly desirable for all users. For businesses, not having MFA is a risk internally and to partners.
OAuth for all would be great, but still tends to be a premium business feature.
from mailinabox.
FWIW, I recommend these two packages for doing TOTP from PHP:
This one for handling code generation and verification: https://github.com/PHPGangsta/GoogleAuthenticator
This one for QR generation so you don't have to use Google Charts: https://github.com/endroid/qr-code
from mailinabox.
The control panel is in Python.
from mailinabox.
2FA is a feature that would gladly be accepted. In fact, it's built into Nextcloud, and Nextcloud can also act as an OAuth2 provider, so can't you just use Nextcloud to log in to everything?
I'm pretty sure you can even rebrand Nextcloud through config, if I remember correctly.
from mailinabox.
That'd be pretty nice.
from mailinabox.
Folks, I'm going to lock this issue. Most of the comments are speculation, which isn't productive and clutters the inboxes of everyone subscribed to notifications on this project.
As I recently said, I would accept a PR that adds 2FA/MFA to the control panel. That's what needs to be done to move this ball forward. Any effort on that would be appreciated. A more comprehensive implementation of 2FA/MFA doesn't make sense until after the control panel is secured.
from mailinabox.