Old 1 Jun 2022, 11:42 PM   #27
ioneja
Cornerstone of the Community
 
Join Date: Jul 2011
Posts: 713
Quote:
Originally Posted by truemagic

Hence I'm with mailbox.org now and making use of FairEmail client which is near perfect. However I'm worried about their poor implementation of MFA/2FA whereby it only makes you enter 10 alphanumeric pin+token for logins, once you activated One Time Password (OTP). I'm not sure if I want to continue using mailbox.org but seriously I like the @secure.mailbox.org alias they offer which forces everything you send and receive in encrypted TLS/SSL.
I'm not a fan of the MFA/2FA implementation at mailbox.org either, but technically, let's be honest, 10 characters, even just numerals, amounts to 10 billion+ possibilities, and the password changes each time interval due to the token changing each time interval, and still a hacker would realistically need both factors to get in... so the Mailbox.org devs probably ran the probabilities and the chances of getting in are infinitesimal, especially since they most likely have login fraud detection with some number of failed logins as a threshold... so how many failed login attempts would lock your account? Or how many tries would a hacker need to get in? Certainly not enough to beat the odds of getting one in 10 billion+ at 10 characters.

But I agree with you, it is an odd MFA/2FA implementation that doesn't inspire immediate confidence at 10 characters with TOTP, which is what I assume you are using. HOWEVER, you can use Yubikey, and that greatly extends the length of the MFA/2FA password, so there's a solution for you. Again, I assume you are using TOTP to get 10 chars (4+6). Yubikey is much much much much better in this case. I believe it is 40+ characters....

Quote:
Originally Posted by truemagic
Maybe I should try Mailfence next?
As for comparing the three -- Tutanota, Mailbox.org, Mailfence, I like all three, and I would currently "trust"* all three (*trust inasmuch as "trust" should be given to any email provider). Each service has strengths/weaknesses, but they are all good IMO, and on my personal short list of trusted providers right now. You just have to balance what things you want/need/prefer. YMMV. Good luck!
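The odds discussed in the post above can be worked through in code. This is an added example, not part of the original post and not mailbox.org's code: it models a 4-digit PIN followed by a 6-digit RFC 6238 TOTP code with a failed-login lockout. The lockout threshold of 5, the acceptance of one time step of clock drift either side, and the names `PinTotpLogin` and `guess_success_probability` are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class PinTotpLogin:
    """Hypothetical verifier: login string = static PIN followed by the TOTP code."""

    def __init__(self, pin, secret, max_failures=5, drift_steps=1):
        self.pin, self.secret = pin, secret
        self.max_failures, self.drift_steps = max_failures, drift_steps
        self.failures = 0

    def verify(self, submitted: str, now: int) -> bool:
        if self.failures >= self.max_failures:
            return False  # locked: even a correct credential is refused
        # Every code inside the drift window is valid at the same moment.
        valid = {self.pin + totp(self.secret, now + d * 30)
                 for d in range(-self.drift_steps, self.drift_steps + 1)}
        ok = any(hmac.compare_digest(submitted, v) for v in valid)
        self.failures = 0 if ok else self.failures + 1
        return ok

def guess_success_probability(pin_digits=4, otp_digits=6, attempts=5, drift_steps=1):
    """Union-bound estimate that blind online guessing succeeds before lockout."""
    space = 10 ** (pin_digits + otp_digits)   # 10 billion for 4 + 6 digits
    valid_at_once = 2 * drift_steps + 1       # drift tolerance widens the target
    return min(1.0, attempts * valid_at_once / space)
```

With these assumed settings the estimate is 15 in 10 billion per lockout cycle; the figure scales linearly with the number of attempts the lockout allows and with the width of the accepted drift window.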