Securing e.email with 2FA?

mio · April 28, 2021, 10:38am

I’ve successfully set up 2FA on my /e/ account and device.

However I’m wondering about the safety of emails:
https://doc.e.foundation/how-tos/two-factor-authentication#manually-setup-mail-application

Does that mean if my password is compromised, someone could access my e.email by connecting to the IMAP/SMTP server directly (not from ecloud), bypassing 2FA?

Would it be possible to secure the emails with an app password, for example? I feel reluctant to using e.email without a second layer of protection.

Regain your privacy! Adopt /e/ the unGoogled mobile OS and online services phone

Scytale · April 28, 2021, 12:22pm

I’m not sure but I think this happens when you activate 2FA:
Enabling 2FA locks you out of every application which does not support a second input field like a 2FA TOTP. For these applications you need to create a special “application-password”. This is a seperate password which allows access to e-cloud without 2FA TOTP, but it cannot be used to login via Browser and access any settings as you need to authenticate with the real password and TOTP.

You also have a login history of your devices, so you can detect if an application you don’t know log in to your account.

Other email provider have the same problem mit IMAP, some give you the option to disable access with any other app than a browser.

mio · April 28, 2021, 12:56pm

App passwords do work as intended with eCloud apps, but can we set one for the email account?

I just tried adding my @e.email in a client, all that’s needed are the address and password.

So even though my eCloud is secured with 2FA (settings, files, calendar etc.), the email account (IMAP/SMTP) can be accessed with one factor only.

JOduMonT · May 8, 2021, 2:22pm

It would be very nice to increase the security with TOTP, this is a big missing feature.
Do you know where we could request feature ?

Scytale · May 8, 2021, 2:59pm

TOTP is available, but not for IMAP/POP3 email clients.

JOduMonT · May 8, 2021, 5:21pm

yes I understand that, just to be sure, the webmail client is only Rainloop under nextcloud right ?

FeliceMente · July 17, 2021, 7:48pm

I really like the service, but having the email without 2-factor authentication is very bad. It would be great if it could inherit Nextcloud 2-fa (I even use it with an hardware device, with password specific apps and so on…) but, it this is not possible, having at least the possibility of setting client specific aps just for the email part would be a good thing.