<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/xhtml; charset=utf-8">
<style>
div.markdown { white-space: normal; }
body { font-family: sans-serif; }
h1 { font-size: 1.4em; }
h2 { font-size: 1.2em; }
h3 { font-size: 1.1em; }
a { color: #3983C4; }
blockquote a { color: #777777; }
blockquote blockquote a { color: #999999; }
blockquote blockquote blockquote a { color: #BBBBBB; }
math[display="inline"] > mrow { padding:5px; }
div.footnotes li p { margin: 0.2em 0; }
</style>
</head>
<body>
<div class="markdown">
<p dir="auto">I would be interested in a deeper discussion of the actual security threats that all this awkward 2FA/OAuth2/whatever are meant to address. I mean, I certainly understand the basic need for authentication (and encrypted transmission) to limit access to private information, but it seems like some folks are going way overboard for email here. All security is a tradeoff with convenience, like a fence around your property that limits free access to everyone, including yourself. So, it’s important to weigh the tradeoffs.</p>
<p dir="auto">To restate my question: what are the downsides to a compromised email account, and do they justify this level of access control?</p>
<p dir="auto">Users can perform a limited number of actions in the email universe: read mail, delete mail, reorganize mail folders, and send mail:</p>
<ul>
<li>
<p dir="auto">Read mail: private information could be exposed, obviously.</p>
</li>
<li>
<p dir="auto">Delete mail and reorganize mail folders: important (?) records or progress tracking could be lost or “misplaced”. (But, seriously, don’t use email for critical data storage).</p>
</li>
<li>
<p dir="auto">Send mail: IMHO, the biggest threat to an organization is the potential for social engineering via “authentic” appearing email.</p>
</li>
</ul>
<p dir="auto">I’m going to dismiss the deletion and reorganizing actions as de minimus (but tell me if I’m missing something).</p>
<p dir="auto">Maintaining privacy for reading email is a valid concern, but I don’t think it justifies having to authenticate on every IMAP transaction.</p>
<p dir="auto">OTOH, bogus emails are potentially far more serious, and I could see reasons for much tighter access when sending mail. And distinct protocols controls for reading and sending could certainly be implemented.</p>
<p dir="auto">I’m surprised that the level of flexibility for gating access to email services seems so limited today. The crux for these matters is the directory service that validates end user credentials. It seems like we could implement some flexible and fairly sophisticated authentication protocols (between the directory and the IMAP/SMTP server) that would not require any direct tweaks to email clients. This might allow, for example, a user to authenticate once via 2FA, and then maintain IMAP access (using standard IMAP authentication) for some number of days before having to authenticate again.</p>
<p dir="auto">It’s been a while since I worked on the software for such services, so maybe there’s a lot I need to catch up on, but I basically feel that “ultra-hardened” email is a poor idea.</p>
<p dir="auto">Glenn P. Parker<br />
<a href="mailto:glenn.parker@comcast.net">glenn.parker@comcast.net</a></p>
</div>
</body>
</html>