how to improve e-mail account security?

Discussion in 'General' started by Gerd, Apr 25, 2024.

  1. Gerd

    Gerd New Member HowtoForge Supporter

    Hi ISPConfig community!
    I run a server with ISPConfig, Debian, Dovecot, Postfix and Roundcube.
    Roundcube supports 2FA via plugins (twofactor_gauthenticator or twofactor_webauthn).
    Now my concern is the following:
    A user with Roundcube 2FA enabled logs in on an insecure device and his or her password gets stolen.
    The attacker is now and in the future able to log in via IMAP or SMTP because there is no 2FA for IMAP.

    Does someone have a setup which provides more security?

    Perhaps application specific passwords could be a way:
    A safe, complex IMAP and SMTP password which is only stored on secure devices, and a second, memorizable password which is only used for Roundcube with 2FA.

    Thanks for your thoughts...
    Gerd from Gießen
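    The split proposed above (a webmail password that is only accepted by the 2FA-protected webmail login, plus separate, scoped application passwords for IMAP and SMTP) can be modelled as a credential store that records which services each secret is valid for. The block below is an added example written for this page; it is not code from the thread, from ISPConfig, Dovecot or Roundcube, and the names `AppPasswordStore`, `Credential`, `WEBMAIL`/`IMAP`/`SMTP` and `demo` are assumptions made for illustration. In a real deployment this check would sit in, or in front of, the passdb that Dovecot and Postfix's SASL consult; that integration is not shown here.

```python
"""Scoped application passwords: a model of the split discussed in the post.

Added example, not part of the original thread or of ISPConfig/Dovecot/Roundcube.
All class, function and constant names are assumptions made for illustration.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Services a credential may be used for. The memorizable webmail password is
# only accepted by the webmail login (which then enforces 2FA); IMAP and SMTP
# require a generated application password that lives only on trusted devices.
WEBMAIL = "webmail"
IMAP = "imap"
SMTP = "smtp"

PBKDF2_ROUNDS = 100_000  # placeholder; tune for the deployment's hardware


def _hash(secret: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 so a leaked store does not reveal the secrets."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    scopes: frozenset  # subset of {WEBMAIL, IMAP, SMTP}
    label: str         # e.g. "webmail", "phone", "laptop"

    def matches(self, secret: str) -> bool:
        # Constant-time comparison of the derived key.
        return hmac.compare_digest(_hash(secret, self.salt), self.digest)


class AppPasswordStore:
    """Per-user list of credentials, each restricted to a set of services."""

    def __init__(self):
        self._creds = {}  # user -> list[Credential]

    def set_webmail_password(self, user: str, password: str) -> None:
        """The human-chosen password; valid for the webmail login only."""
        self._add(user, password, {WEBMAIL}, "webmail")

    def create_app_password(self, user: str, label: str, scopes) -> str:
        """Generate a random token for a device; returned once, stored hashed."""
        token = secrets.token_urlsafe(16)
        self._add(user, token, set(scopes), label)
        return token

    def _add(self, user, secret, scopes, label):
        salt = os.urandom(16)
        cred = Credential(salt, _hash(secret, salt), frozenset(scopes), label)
        self._creds.setdefault(user, []).append(cred)

    def authenticate(self, user: str, secret: str, service: str):
        """Return the label of the matching credential if it is valid for
        `service`, otherwise None. A correct secret used for the wrong
        service (the stolen webmail password tried against IMAP) fails."""
        for cred in self._creds.get(user, []):
            if cred.matches(secret):
                return cred.label if service in cred.scopes else None
        return None

    def revoke(self, user: str, label: str) -> int:
        """Drop every credential with that label; returns how many were removed.
        Revoking one device's password leaves the others untouched."""
        current = self._creds.get(user, [])
        kept = [c for c in current if c.label != label]
        self._creds[user] = kept
        return len(current) - len(kept)


def demo():
    """Replays the scenario from the post with constructed sample data."""
    user = "gerd@example.org"  # constructed sample account
    store = AppPasswordStore()
    store.set_webmail_password(user, "correct horse battery staple")
    phone = store.create_app_password(user, "phone", {IMAP, SMTP})
    # The webmail password is captured on an untrusted computer:
    stolen = "correct horse battery staple"
    return {
        "webmail_with_stolen": store.authenticate(user, stolen, WEBMAIL),  # "webmail", 2FA still applies
        "imap_with_stolen": store.authenticate(user, stolen, IMAP),        # None
        "imap_with_phone": store.authenticate(user, phone, IMAP),          # "phone"
        "webmail_with_phone": store.authenticate(user, phone, WEBMAIL),    # None
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

    The point the model makes explicit is that the attacker who captures the webmail password gains nothing usable against IMAP or SMTP, and each device's application password can be revoked on its own without forcing a password change everywhere else.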
     
  2. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    For 2FA, do you want to keep the authenticator hosted on your network, or do you plan to integrate a ready-made service, or are you even thinking of something like Google Authenticator, which in turn is not free?
    https://www.keycloak.org/
    https://goauthentik.io/
    https://www.authelia.com/
    would be some starting points to look at for IDM solutions. This is obviously not an easy task.
    But depending on your liking, planning, situation the solution may differ.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    If a device of the user gets stolen, then the user can simply change the password of his mail account. Yes, he will have to change it in other devices then as well, but how many devices does one use for email? I guess most users will use about 1-3 devices. And normally your device has a password on its own or fingerprint reader, so someone must break that first before he can even access the mail client. And how often does it happen? I guess not very often. So you should consider if it's worth the work to make your setup more error-prone and complicated by implementing something like this.
     
  4. Gerd

    Gerd New Member HowtoForge Supporter

    Hi Till,
    You got me wrong here: I was not thinking of a stolen device, but of a password stolen by logging into Roundcube on an insecure computer. I think this is not so unlikely.

    But your conclusion:
    is of course right.

    Yours, Gerd
     
  5. pyte

    pyte Well-Known Member HowtoForge Supporter

    I don't think it is possible to find a sufficient solution. People should not log in from unknown or insecure devices. The same goes for phishing mails and entering credentials. I get your point, but I don't think you will find a viable solution in this case except making the users more aware.
     
