On Wed, 18 Apr 2012, Michael M Slusarz wrote:

> Quoting Simon Brereton <simon.brere...@buongiorno.com>:
>
>> Hi
>>
>> Are you planning to implement 2-step authentication in the next Horde release?
>>
>> http://www.codinghorror.com/blog/2012/04/make-your-email-hacker-proof.html
>>
>> It would be relatively trivial so long as a mobile app can be written
>> (and that could be done in html5, so it shouldn't need to be device
>> dependent).
>
> Generally, I find Atwood's blog posts interesting and informative. But this article is just garbage.
>
> 2-step authentication provides no more security than enforcing minimum password lengths, non-dictionary passwords, and/or expiration dates. Not to mention that you are now introducing MORE avenues where the authentication chain can break down: the more complex a system, the more attack points there are.
>
> And labeling his article "Make your email hacker proof?" He's just playing on FUD.
>
> This two-step authentication is just Google marketing fluff. Can't believe he is eating it up like this.

I'm not sure where you are getting your information from - unless you think Google's 2-step verification via a cell phone is not actually 2-factor authentication? Since a hacker won't have access to your phone, they cannot retrieve the one-time PIN generated by Google and sent to your phone.

As to how Horde might implement 2-factor authentication, I don't know. I think most people are using IMP (IMAP) authentication for Horde, so that would require your IMAP server use 2-factor auth and somehow pass both a password and a one-time PIN along.

However, Horde could implement 2-factor auth on top of IMAP. For example, require the user to enter their username and password, then generate a one-time PIN, send it to their cell phone (kinda hard to do in a generic fashion), and verify the PIN before allowing entry to Horde applications.

Sending an SMS message to an arbitrary cell phone number is hard though. Most providers have email-to-SMS gateways, but that requires getting more information from the user than just their cell phone number. You need to know their carrier in order to look up the email gateway from a list, or the user must provide the full email-to-SMS gateway email address for their phone. Sending "real" SMS messages requires getting a special cell card from a carrier and signing a contract saying how many messages you'll be sending.

        Andy
--
imp mailing list
Frequently Asked Questions: http://wiki.horde.org/FAQ
To unsubscribe, mail: imp-unsubscr...@lists.horde.org
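The flow Andy sketches above (password first, then a freshly generated one-time PIN delivered out of band and verified before Horde lets the user in) as an added example. This is not Horde's code and is written in Python rather than Horde's PHP; the user table, the static salt and the in-memory `PinStore` are constructed stand-ins for whatever backend (IMAP or otherwise) already holds the password, and the `send` callback is a hypothetical hook that abstracts the SMS or email-to-SMS delivery the thread says is the hard part. The server stores only a keyed hash of the PIN, bounds its lifetime and guess count, and discards it after a single successful use.

```python
"""Two-step login on top of an existing password check (added example, not Horde code)."""
import hashlib
import hmac
import secrets
import time

PIN_DIGITS = 6
PIN_TTL_SECONDS = 300      # a PIN is valid for five minutes
MAX_PIN_ATTEMPTS = 5       # then the pending PIN is discarded


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user table: username -> (salt, PBKDF2 hash). Stands in for the
# password store the IMAP server or Horde backend already verifies against.
_SALT = b"constructed-static-salt!"
USERS = {"alice": (_SALT, _pbkdf2("correct horse battery", _SALT))}


def check_password(user, password):
    """Step 1: the ordinary password check, compared in constant time."""
    rec = USERS.get(user)
    if rec is None:
        return False
    salt, stored = rec
    return hmac.compare_digest(stored, _pbkdf2(password, salt))


class PinStore:
    """Server-side record of issued PINs. Hypothetical in-memory store; in a
    real deployment this would live in the session or a database. The clock
    is injectable so expiry can be exercised without waiting."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}  # user -> {salt, digest, expires, attempts}


def _pin_digest(pin, salt):
    return hmac.new(salt, pin.encode(), hashlib.sha256).digest()


def issue_pin(store, user, send):
    """Generate a random PIN, keep only its keyed hash, and hand the clear
    PIN to `send(user, pin)` (hypothetical SMS / email-to-SMS hook)."""
    pin = "".join(secrets.choice("0123456789") for _ in range(PIN_DIGITS))
    salt = secrets.token_bytes(16)
    store.pending[user] = {
        "salt": salt,
        "digest": _pin_digest(pin, salt),
        "expires": store.clock() + PIN_TTL_SECONDS,
        "attempts": 0,
    }
    send(user, pin)


def verify_pin(store, user, candidate):
    """Step 2: accept the PIN once, within its lifetime and attempt budget."""
    rec = store.pending.get(user)
    if rec is None:
        return False
    if store.clock() > rec["expires"]:
        del store.pending[user]
        return False
    rec["attempts"] += 1
    ok = hmac.compare_digest(rec["digest"], _pin_digest(candidate, rec["salt"]))
    if ok or rec["attempts"] >= MAX_PIN_ATTEMPTS:
        del store.pending[user]  # one-time: gone after success or lockout
    return ok


def begin_login(store, user, password, send):
    """Only a correct password triggers a PIN. Returns True when a PIN was
    issued and the caller should now prompt the user for it."""
    if not check_password(user, password):
        return False
    issue_pin(store, user, send)
    return True


if __name__ == "__main__":
    delivered = {}
    store = PinStore()
    begin_login(store, "alice", "correct horse battery", delivered.__setitem__)
    print("PIN accepted:", verify_pin(store, "alice", delivered["alice"]))
```

A wrong password never issues a PIN, so the second step cannot be used to probe whether the first step would have succeeded, and because the stored digest is keyed with a per-issue salt a copy of the pending table does not reveal the PIN itself.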