So many providers without 2FA?

[TenFour]

I happened to purchase a new domain the other day and decided to try a free trial of the domain registrar's hosted email. Easy to set up, not bad webmail, inexpensive, but no 2-factor authentication. It got me to thinking how 2FA is an absolute must-have in today's email world. Then I started looking around and I noticed a fair number of other services lack 2FA. Migadu email is one that has interested me and I might be willing to give it a whirl, but it lacks the basic, required functionality of 2FA. Outside of email I would never dream of using an ATM card that didn't include PIN protection, or an investment or bank account without 2FA. Email is of similar security importance. What are these companies thinking?

[FredOnline]

Quote:

Originally Posted by TenFour

I happened to purchase a new domain the other day and decided to try a free trial of the domain registrar's hosted email.

I have a few domains hosted with Gandi, so I could take advantage of their free webmail:

https://www.gandi.net/en/domain/email?country=US

There is a downside here also, in that 2FA isn't currently available, although it has been pointed out to me previously here in the forum that with 2FA on your domain account, you do have some measure of control to help prevent a hijacking. Probably the best way is to have an outrageously long complicated password to help protect the e-mail account.

[TenFour]

The problem isn't password guessing or brute force attacks. Most account hacking is due to phishing and stolen passwords. Without 2FA it doesn't matter how strong your password is if they have it. I would be wary of any email service that doesn't include 2FA, because it shows they don't take your security seriously. I wonder how careful they are in storing all those passwords too?

[SideshowBob]

Quote:

Originally Posted by TenFour

The problem isn't password guessing or brute force attacks. Most account hacking is due to phishing and stolen passwords. Without 2FA it doesn't matter how strong your password is if they have it. I would be wary of any email service that doesn't include 2FA, because it shows they don't take your security seriously. I wonder how careful they are in storing all those passwords too?

My understanding is that they don't store passwords, they store salted-hashes. If an attacker gains access to a database that stores this information, they can only get the weaker passwords. Once they have a list of username/weak password pairs, they can try the same or similar combinations on other online services.

[TenFour]

Quote:

My understanding is that they don't store passwords, they store salted-hashes.

I'm sure the good ones do, but how do you know how careful they are? On the other hand, I once worked for a large email service provider and I could access almost all customer data in plain text very easily. I wouldn't be surprised at all if security was not the best at many providers.