2FA (and Feature Request for app passwords)

Dear Support,

It is very nice that you have set up 2FA (TOTP) support for webmail. However, implemented in this way the functionality is unfortunately insufficient, as no additional security is achieved.

Example:

  • My password is “simpler” and 2FA is enabled. In this situation, access to the webmailer is sufficiently protected, as a potential attacker would need to both guess or spy on the password and use the associated second factor (TOTP).
    However, since only the webmailer is secured, this unfortunately does not help very much. Access via SMTP, CalDAV/CardDAV, ActiveSync and IMAP is unrestricted with the simple password without a second factor, and thus full access to the respective mailbox is possible even without 2FA. SMTP and ActiveSync will also remain regularly accessible from the outside, as this is a desired functionality (IMAP could be protected via VPN).

Many other providers therefore go a different way. Each account has a password as well as optionally a second factor. Additionally, any number of other app passwords can be generated. The goal here is that these passwords are longer and more complex and only have to be stored once when configuring third-party software (email client, Activesync device, …).
(for example Google mail, Kerio Connect, MDaemon, …)

Will this also be implemented for Axigen in the future, since 2FA (TOTP) currently does not provide any security gain and is only “wastepaper”?

I hope the text is understandable, because it was partially generated with an automatic translator.
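The scheme described above, as an added Python model that is not part of the original thread and not Axigen's code: the primary password (with TOTP) is accepted only by webmail, while IMAP/SMTP/ActiveSync and the DAV protocols accept nothing but a per-client app password that can be revoked on its own. The class and method names (Mailbox, issue_app_password, authenticate) are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed model of per-application passwords (hypothetical, not Axigen's
# implementation). The primary password plus TOTP unlocks webmail only; every
# other protocol accepts solely an app password bound to that protocol, so a
# leaked or guessed primary password no longer opens IMAP/SMTP/ActiveSync.

CLIENT_PROTOCOLS = {"IMAP", "SMTP", "CalDAV", "CardDAV", "ActiveSync"}


def _digest(salt: bytes, secret: str) -> bytes:
    # Slow, salted hash so stored app passwords are not recoverable from the store.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)


class Mailbox:
    def __init__(self, primary_password: str):
        self._salt = secrets.token_bytes(16)
        self._primary = _digest(self._salt, primary_password)
        self._apps = {}  # app_id -> (salt, digest, protocol, label)

    def issue_app_password(self, label: str, protocol: str):
        """Generate a long random secret for one client; it is shown to the user once."""
        if protocol not in CLIENT_PROTOCOLS:
            raise ValueError(f"unknown protocol {protocol!r}")
        secret = secrets.token_urlsafe(32)  # 256 bits of entropy, 43 characters
        salt = secrets.token_bytes(16)
        app_id = secrets.token_hex(4)
        self._apps[app_id] = (salt, _digest(salt, secret), protocol, label)
        return app_id, secret

    def revoke(self, app_id: str) -> bool:
        """Disable a single client without touching the primary password."""
        return self._apps.pop(app_id, None) is not None

    def authenticate(self, protocol: str, secret: str, totp_ok: bool = False):
        """Return 'primary', the matching app_id, or None if access is denied."""
        if protocol == "webmail":
            primary_ok = hmac.compare_digest(self._primary, _digest(self._salt, secret))
            return "primary" if primary_ok and totp_ok else None
        # Client protocols: the primary password is never accepted here, only an
        # app password issued for exactly this protocol (constant-time compare).
        for app_id, (salt, digest, proto, _label) in self._apps.items():
            if proto == protocol and hmac.compare_digest(digest, _digest(salt, secret)):
                return app_id
        return None
```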

Hi,

Although the approach you are describing is pretty common, we are not satisfied with the benefits it brings — it is, in fact, not two-factor authentication, but still a single factor, and the password complexity can anyway be enforced in Axigen as well for the main password.

The only advantage would be that these passwords are disposable, with the disadvantage that for the common user they are hard to understand and manage.

In addition, we haven’t had that much feedback from other customers asking for this.

This being said, we haven’t yet made a decision on whether or not to implement it. I suggest you add it as an idea here: https://axigen.uservoice.com/ as it might be upvoted and commented on and we’ll further monitor it.

… okay, I understand …

Could you tell me the benefit of Axigen’s 2FA approach, or why you chose this way? As described above, I think this has no benefit compared to “no 2FA”, because it is only enforced for webmail and all other ways I can use Axigen are without 2FA (SMTP, IMAP, ActiveSync…) - so why should I (as an attacker) use webmail, which is secured, instead of the unsecured ways, which are often also exposed to the internet?

Thanks a lot