Old 5 Jul 2016, 04:14 PM   #37
a414
Junior Member
 
Join Date: Jul 2015
Posts: 6
Quote:
Originally Posted by ioneja
+1 agree completely. This was delayed excessively IMO when it could have been rolled out in stages to different services. And to reply in advance to Geir before he suggests that they wanted to implement a comprehensive 2FA service (which I admire the ambition), he should be aware that there are tons of people who exclusively use webmail, for example, so it would have been perfectly useful just for that service first.
I cannot resist correcting this, even though it has been said before.

Rolling out 2FA to webmail without taking care of other services would have been security theater (which is admittedly quite popular these days), but nothing more than that. Anybody capturing your password while you were happily logging in to your webmail using 2FA would then have been able to access your account using IMAP. Not what you want.

To safely offer 2FA for webmail and nothing else would have meant either implementing functionality to disable everything but webmail for people who want 2FA (code which would be pretty useless after the completion of the project), or changing the authentication system to permit use of different passwords for webmail with 2FA and other services without 2FA (which is basically what Runbox is doing).

If you have so little manpower that a project such as this one takes years, it really does not make sense wasting time implementing code you're going to throw away later. And assuming that, with the spread of smartphones, an increasing number of people are going to use an email client instead of webmail at some point in time, any useful 2FA solution must eventually be able to cater to those.
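The bypass a414 describes, and the per-service password fix, as a worked example. This is added here and is not code from the post, from Runbox or from any provider; it is a toy authentication model with hypothetical names (Account, webmail_login, imap_login_shared_password, imap_login_app_password) and a constructed account. It shows a webmail login gated by password plus TOTP next to two IMAP designs: one that accepts the same primary password with no second factor, so a captured webmail password still opens the mailbox, and one that only accepts a separately issued IMAP app password, so the captured password is useless there.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional

# RFC 6238 test secret, used only to make the demo deterministic (constructed input).
DEMO_TOTP_SECRET = b"12345678901234567890"


def totp(secret: bytes, now: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    counter = int(time.time() if now is None else now) // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Account:
    """Hypothetical account record: one primary password, one TOTP secret,
    and optional per-service app passwords (empty until issued)."""

    def __init__(self, password: str, totp_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.password_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret
        self.app_passwords: Dict[str, bytes] = {}

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.password_hash, hash_password(password, self.salt))

    def issue_app_password(self, service: str) -> str:
        """Generate a random credential that is valid for exactly one service."""
        pw = secrets.token_urlsafe(18)
        self.app_passwords[service] = hash_password(pw, self.salt)
        return pw

    def check_app_password(self, service: str, password: str) -> bool:
        stored = self.app_passwords.get(service)
        return stored is not None and hmac.compare_digest(stored, hash_password(password, self.salt))


def webmail_login(acct: Account, password: str, code: str, now: Optional[int] = None) -> bool:
    """Webmail: primary password plus a TOTP code."""
    return acct.check_password(password) and hmac.compare_digest(code, totp(acct.totp_secret, now))


def imap_login_shared_password(acct: Account, password: str) -> bool:
    """Naive design: IMAP accepts the primary password with no second factor."""
    return acct.check_password(password)


def imap_login_app_password(acct: Account, password: str) -> bool:
    """Per-service design: IMAP accepts only an app password issued for IMAP."""
    return acct.check_app_password("imap", password)


def demo(now: int = 59) -> Dict[str, bool]:
    """Replay a password captured during a 2FA webmail login against both IMAP designs."""
    primary = "correct horse battery staple"          # constructed primary password
    acct = Account(primary, DEMO_TOTP_SECRET)
    imap_pw = acct.issue_app_password("imap")
    captured = primary                                # what a keylogger or phishing page sees
    good_code = totp(acct.totp_secret, now)
    wrong_code = str((int(good_code) + 1) % 10 ** 6).zfill(6)
    return {
        "webmail_with_totp": webmail_login(acct, captured, good_code, now),
        "webmail_wrong_code": webmail_login(acct, captured, wrong_code, now),
        "imap_shared_password_replay": imap_login_shared_password(acct, captured),
        "imap_app_password_replay": imap_login_app_password(acct, captured),
        "imap_with_app_password": imap_login_app_password(acct, imap_pw),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login OK' if ok else 'rejected'}")
```

The two IMAP functions differ only in which credential they verify, which is the whole point of the post: 2FA on the webmail path buys nothing while another path still honours the same password, and the cheapest way to close that path without disabling IMAP is to give it a credential of its own.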