2 Feb 2017, 08:51 PM   #5
gecko
Hello Dave,

Thanks for the update!

After a brief look at the new features, everything looks great and seems to work as it should.

One thing I noticed is that when 2FA is enabled, each login appears twice in the login history (maybe 1 line added when the password is recognised and 1 more when the correct OTP is entered?).

Not wanting to cavil about the brand new 2FA functionality, so please allow me one more comment: IMHO it would make sense to secure more settings pages with the need to enter the password (and probably a new OTP token), e.g. all the pages under "Account" as well as the "Webmail preferences" page. Alternatively, one could have the one "real" password which should only be used on trusted machines, giving full access to the account vs a combination of OTP & an OTP-specific password. When logging in with OTP, no settings are available.

A long time ago I was a FM customer and I faintly remember that they disabled (or at least allowed disabling) access to all options when logging in with an OTP.

Don't get me wrong, these are just suggestions on how security could be improved even further. But the 2FA as it is now is a huge step forward. Thanks so much!

Best regards
gecko