[imp] 2-Step Authentication

Andrew Morgan morgan at orst.edu
Thu Apr 19 07:10:39 UTC 2012


On Wed, 18 Apr 2012, Michael M Slusarz wrote:

> Quoting Simon Brereton <simon.brereton at buongiorno.com>:
>
>> Hi
>> 
>> Are you planning to implement 2-step authentication in the next Horde 
>> release?
>> 
>> http://www.codinghorror.com/blog/2012/04/make-your-email-hacker-proof.html
>> 
>> It would be relatively trivial so long as a mobile app can be written
>> (and that could be done in html5, so it shouldn't need to be device
>> dependent).
>
> Generally, I find Atwood's blog posts interesting and informative.  But this 
> article is just garbage.
>
> 2-step authentication provides no more security than enforcing minimum 
> password lengths, non-dictionary passwords, and/or expiration dates.  Not to 
> mention that you are now introducing MORE avenues where the authentication 
> chain can break down: the more complex a system, the more attack points there 
> are.
>
> And labeling his article "Make your email hacker proof?"  He's just playing 
> on FUD.
>
> This two-step authentication is just Google marketing fluff.  Can't believe 
> he is eating it up like this.

I'm not sure where you are getting your information from - unless you 
think Google's 2-step verification via a cell phone is not actually 
2-factor authentication?  Since a hacker won't have access to your phone, 
they cannot retrieve the one-time PIN generated by Google and sent to your 
phone.

As to how Horde might implement 2-factor authentication, I don't know.  I 
think most people are using IMP (IMAP) authentication for Horde, so that 
would require your IMAP server use 2-factor auth and somehow pass both a 
password and a one-time PIN along.

However, Horde could implement 2-factor auth on top of IMAP.  For example, 
require the user to enter their username and password, then generate a 
one-time PIN, send it to their cell phone (kinda hard to do in a generic 
fashion), and verify the PIN before allowing entry to Horde applications.

Sending an SMS message to an arbitrary cell phone number is hard though. 
Most providers have email-to-SMS gateways, but that requires getting more 
information from the user than just their cell phone number.  You need to 
know their carrier in order to look up the email gateway from a list, or 
the user must provide the full email-to-SMS gateway email address for 
their phone.  Sending "real" SMS messages requires getting a special cell 
card from a carrier and signing a contract saying how many messages you'll 
be sending.

 	Andy
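The flow sketched above (password first, then a one-time PIN sent through the carrier's email-to-SMS gateway and checked before Horde grants a session) as an added Python example; this is not Horde code. The carrier-to-gateway table, the PIN lifetime and the attempt limit are assumptions, and the gateway domains are placeholders.

```python
import hashlib
import hmac
import secrets
import time

PIN_DIGITS = 6
PIN_TTL = 300        # seconds a PIN stays valid (assumed value)
MAX_ATTEMPTS = 5     # wrong guesses before the pending PIN is discarded (assumed)

# Carrier name -> email-to-SMS gateway domain (placeholders, not real carriers).
SMS_GATEWAYS = {
    "carrier-a": "sms.carrier-a.example",
    "carrier-b": "txt.carrier-b.example",
}


class SecondFactor:
    """Second step after a successful password login: issue a one-time PIN,
    then verify it once, within its lifetime, with a bounded number of tries."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # username -> {"hash", "expires", "attempts"}

    @staticmethod
    def _digest(pin):
        # Store only a digest so a leaked state table does not expose live PINs.
        return hashlib.sha256(pin.encode()).digest()

    def issue(self, username, phone_number, carrier):
        gateway = SMS_GATEWAYS.get(carrier)
        if gateway is None or not phone_number.isdigit():
            raise ValueError("unknown carrier or malformed phone number")
        pin = "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
        self._pending[username] = {
            "hash": self._digest(pin),
            "expires": self._now() + PIN_TTL,
            "attempts": 0,
        }
        # The PIN is returned only so the caller can hand it to the mail transport
        # addressed to the gateway; it is never shown to the web session.
        return pin, f"{phone_number}@{gateway}"

    def verify(self, username, candidate):
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._now() > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[username]      # expired or locked out: start over
            return False
        entry["attempts"] += 1
        if hmac.compare_digest(entry["hash"], self._digest(candidate)):
            del self._pending[username]      # single use
            return True
        return False
```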
