9 Aug 2016, 08:03 AM   #242
gardenweed
Quote:
Originally Posted by BritTim
......
  • Being security conscious, I require 2-factor authentication for web log ins. This protects me well when an attacker is kind enough not to use IMAP.
  • My master password is compromised (not too surprising when I am required to use it everywhere on a daily basis).
  • An attacker can now just set up an IMAP connection using mail.messagingengine.com and my master password with no second factor required for access.
Once 2FA has been selected on an account, this is not possible, is it - logging in via IMAP using only the master p/w?

Quote:
One solution to this would be to insist that application passwords always be used by everyone for IMAP access.
Isn't this the current (new) situation once 2FA has been selected on an account?
If you want to set up an IMAP client you will need an App password.
E.g. I tested this trying to set up an account on Thunderbird, but I could not log in using only my master p/w. I had to create an App p/w.