[imp] 2-Step Authentication
Arnold Krille
arnold at arnoldarts.de
Thu Apr 19 17:35:59 UTC 2012
On Wednesday 18 April 2012 11:59:32 Simon Brereton wrote:
> Are you planning to implement 2-step authentication in the next Horde
> release?
>
> http://www.codinghorror.com/blog/2012/04/make-your-email-hacker-proof.html
>
> It would be relatively trivial so long as a mobile app can be written
> (and that could be done in html5, so it shouldn't need to be device
> dependent).
>
> If not, let me know and I'll add a feature request.
First: I know what two-factor authentication is and how it works and why it
actually improves security.

Here is why I think two-factor authentication like Google's or that of "Duo"
aren't actually improving security: The main security comes from the fact that
the second factor is a) different from the first and b) hard to attack.

It loses all its appeal when you use the same smartphone for 2-step
authentication and the actual login (as you would with
imap/activesync/webinterface). And you are doing this on a phone that is
neither fully under your control (unless you have a rooted Android) nor is it
hard to attack. Any Android that needs 'full access to your phone to set
profiles depending on time, location and environment' for example has all it
takes to catch both your login and your 2nd factor...

If you really want to use some kind of two-factor authentication with your
phone, do it with some old 'phone and sms'-only phone. And don't rely on any
smartphone's OS unless you hacked and hardened it yourself.

Have fun,
Arnold