On Tue, Jun 12, 2018 at 09:45:50AM -0500, Hokan wrote:
> I use LastPass CLI to present my password. I have LastPass protected with
> 2FA.
>
> My .muttrc contains a line like this:
> set imap_pass="`/usr/local/bin/lpass show --password myname@mydomain || sleep 1`"
> and
> set smtp_pass=$imap_pass
>
> and that works for me.
It should be pointed out that this is not really 2FA at all. If I have your actual user credentials (username & password), say because I got root access to the machine where you run Mutt and snarfed them out of memory, this scheme does nothing to prevent me from using them directly, completely bypassing any 2FA on LastPass. With respect to the resource to which your credentials give access, there's no second factor. LastPass is just acting as a proxy for your brain.

The only actual effect it has is to complicate (in a technical sense) the retrieval of your single authentication factor from your "memory" (i.e. LastPass' password store)--making it arguably less secure, not more (because more potential points of failure mean a higher chance something will break, preventing you from being able to access your mail). All the security in the world does you no good if the resources you're protecting are unavailable to legitimate users.

The point of 2FA is to prevent the scenario where an attacker gets your credentials (user & password, or "the thing you know"), allowing them to gain access. Examples of how this would be 2FA are if your IMAP server *additionally* required a cryptographic certificate, hardware token, sent you a text to your phone, etc.--something that only *you* should have physical access to. Inability to access that physical thing (your second authentication factor) still prevents access, even though your credentials are compromised (known by someone other than yourself). Like your scheme, this also increases complexity, but unlike your scheme, it additionally provides a real increase in security--making the extra complexity involved (arguably) justified.

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0xDFBEAD02

-=-=-=-=-
This message is posted from an invalid address. Replying to it will result in undeliverable mail due to spam prevention. Sorry for the inconvenience.