[MlMt] Follow Up to Email Concerns

Steven M. Bellovin smb at cs.columbia.edu
Thu Jun 24 21:41:50 EDT 2021

Duo has (at least) two modes of operation. One is a standard
time-based one-time password: the site supplies you with a key
(often via a QR code), and your phone calculates F(key, time).
The other is a bit more complex: when you try to log in, the
site sends a push message to your phone; you unlock your
phone and tap "OK". That latter *could* be transparent to
IMAP, but you'd have to go through that dance every time
your Mac logged in, as opposed to keeping the IMAP connection

Apple has the notion of "device passwords": you log in with
2FA to Apple, and it sends you a random password you paste
into your mailer—or mailers.

On 24 Jun 2021, at 20:35, Harvey Leff wrote:

> I had written earlier that my email provider (the university from 
> which I retired) stopped using IMAP, which would rule out use of 
> MailMate. They also stopped having a "Forward all mail" option so I 
> cannot move my mail to an IMAP-enabled site. I've complained, and the 
> response is below. I switched (with great difficulty) to gmail, which 
> of course uses IMAP and allows me to continue my love affair with 
> MailMate.
> It seems that a prime alleged reason for their change is that IMAP 
> does not support 2-Factor authentication. Do any of you experts have 
> knowledge whether that claim is true and really limits security?
> They are now implementing 2FA using a seemingly complicated system 
> called Duo. Anybody know about that type of 2FA?
> The university's reply is below if you are interested and willing to 
> read the claims. What I **DO** know is that the university replaced 
> its standard IMAP/SMTP server with Microsoft's proprietary ActiveSync.
> Beware, this might be an indicator of the future… Yikes!
> Harvey Leff
> Portland, Oregon USA
> ~ ~ ~
>> Higher education institutions are a top target for cyber criminals 
>> who are attracted to our thousands of identities (faculty, staff, 
>> student and emeritus), as well as research data.  Stolen or 
>> compromised account credentials are a contributing factor to phishing 
>> scams, as well as malicious data, system breaches, and identity 
>> theft.  The campus continues to improve security to address cyber 
>> risks, including securing our Bronco accounts and their credentials.
>> We have taken steps to improve the security of our accounts, which 
>> includes disabling insecure settings, and adding 2-Step 
>> Authentication.  These actions are required due to updates planned by 
>> Microsoft in late 2021.
>>   *   As you are aware, on February 1, 2021, CPP disabled Office 365 
>> email settings for IMAP, SMTP, and POP per security recommendations.  
>> POP and IMAP are considered less secure due to their lack of 
>> authentication security, including lack of support for 2-Step 
>> Authentication.  Applications using more secure authentication 
>> methods are now required to improve email security and reduce the 
>> risk of compromised accounts.  Suggested email applications include 
>> Office 365 web application <https://outlook.office365.com/cpp.edu>, 
>> Outlook desktop application 
>> <https://support.microsoft.com/en-us/office/add-an-email-account-to-outlook-6e27792a-9267-4aa4-8bb6-c84ef146101b>, 
>> the Outlook mobile application 
>> <https://www.microsoft.com/en-us/microsoft-365/outlook-mobile-for-android-and-ios> 
>> (for IOS or Android), or Mac Mail.
>>   *   The campus has implemented 2-Step Authentication as an 
>> additional layer of security for our Bronco Accounts. Emeritus are 
>> required to enroll in 2-Step Authentication by July 6, 2021 to avoid 
>> any access interruption.  After July 6, 2-Step Authentication will be 
>> required for emeritus to access campus services, including email. 
>> 2-Step enrollment information has been provided to emeritus who have 
>> not yet enrolled and is also on our website:  
>> https://www.cpp.edu/it/2step/.  Three (3) options are available for 
>> 2-Step Authentication:  a smartphone app, a call back number or 
>> request a hardware token 
>> <https://cpp.service-now.com/ehelp?id=sc_cat_item&sys_id=2633842edb1e6c10f0eed2e3ca961956>.
> _______________________________________________
> mailmate mailing list
> mailmate at lists.freron.com
> https://lists.freron.com/listinfo/mailmate

         —Steve Bellovin, https://www.cs.columbia.edu/~smb
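Steve's F(key, time) worked through as an added example (not code from this thread): RFC 6238 TOTP in Python, covering both the phone-side code derivation from the QR-code secret and the server-side check with a small clock-drift window. The key used is the RFC's published test secret, labelled as such in the code.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)


def key_from_qr_secret(secret_b32: str) -> bytes:
    """Decode the base32 secret a site ships in its enrolment QR code."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # restore padding that QR payloads often omit
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, now: int, digits: int = 6) -> str:
    """F(key, time): phone and site both derive the code from now // STEP."""
    return hotp(key, now // STEP, digits)


def verify_totp(key: bytes, submitted: str, now: int, window: int = 1, digits: int = 6) -> bool:
    """Server side: accept the current step plus/minus `window` steps of clock drift.

    Constant-time comparison, so a failed check leaks nothing about the expected code.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return False
    for drift in range(-window, window + 1):
        expected = totp(key, now + drift * STEP, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 Appendix B test key, standing in for the "key from the QR code".
    key = key_from_qr_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp(key, 59))                                   # 287082
    print(verify_totp(key, totp(key, 59), 59 + STEP))      # True: one step old, still inside the window
    print(verify_totp(key, totp(key, 59), 59 + 2 * STEP))  # False: two steps old, rejected
```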