14 Mar 2018, 04:15 AM   #2
gecko
Senior Member
 
Join Date: Feb 2010
Posts: 107
> 1) Before I enable 2FA, I should enable, define, and install in Outlook distinct "APP passwords" for both POP3 and SMTP (so that I can access my email even if I can't login to Webmail). "POP3" and "SMTP" would be the names to use in the "enter app/device" box. Correct? This pair would be the same across all email (sub-)accounts. Correct?

Your "master" account password is the one you use for webmail. App passwords can be used for any type of access which is not webmail. Their names do not need to "make sense". You can call them whatever you want as long as you know what it should be used for. E.g. you could call one app password "desktopathome" and use it for retrieving mail via POP3 and sending mail via SMTP. Another app password could be "laptop" and be used likewise.

> 2) On enabling 2FA, I should immediately generate and install an unlock code that can be filed against disaster.

That makes sense but you don't have to.
> a) In spite of the instructions ("The codes are generated by a free app that you download onto your smartphone or computer." [emphasis mine]) TOTP appears not available to me because no recommended APP is listed for Windows 7. Am I missing something here?

I believe yes. The idea of TOTPs is that you use a /different, independent/ device for generating the TOTPs and actually logging into your email account. That way, if your computer is compromised, the adversary will not know the next TOTP, whereas this security mechanism would be in vain if the TOTPs were generated on your compromised device. To make a long story short: Ideally, you'd be using a mobile phone or tablet to generate the TOTPs you then use on your computer.

> b) If I can use TOTP, then what is this "secret key" that must be entered into the APP to generate the TOTP and how do I use it?

The "secret key" is a seed (a random number) you enter into your TOTP app /once/. From that moment on, your app will generate individual TOTPs for you without your having to enter the secret again (unless you reinstall the app or want to use a different device for generating the TOTPs).

> c) For TOTP it would then appear to be a many-step process: Run the APP; enter the "secret key"; generate the TOTP; copy and paste that into the login (somehow); then enter username and password. (Or perhaps the last two steps are reversed?). Is this the basic idea? If so it must be executed quickly since the passwords are only valid for 30s (or less)!

Not really. See above - configuring the app is a one-off effort. Logging in works like this: enter username -> enter password -> enter 6-digit TOTP.

> d) If TOTP doesn't work for me, then it appears OTP is my only option, since "Trusted Browsers" never appear to work in other contexts because I always run my browser inside a sandbox.

As long as you do not delete your cookies, your trusted browser can run just fine inside a sandbox.

> 4) The login process with 2FA: Do you have to enter the TP before or after the username and password? How long does this login remain valid before the system requires a new one (and new TP)?

See above. AFAIK a webmail session is valid for a couple of hours (4?).

> 5) This 2FA process applies only to Webmail or Account login, as there's no opportunity for it in POP3. Correct?

Not sure. Can anyone elaborate on this?

> 6) What about Webmail logins for sub-accounts? Does this also require 2FA (if it's enabled in the main account), or are they set up and enabled separately? In the latter case, are distinct APP passwords, TPs, etc. defined there?

The main account security settings are entirely independent from those of the sub-accounts. All accounts can be configured individually.

Again, I hope I could help. Please correct me if I am wrong somewhere.

Regards,
gecko
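Editor's note: the answers to b) and c) above describe the TOTP mechanism in words. The following is an added worked example, not code from gecko's post or from the mail provider, showing how the one-time "secret key" turns into a fresh 6-digit code every 30 seconds and how a server checks it. It uses the published RFC 6238 reference seed as constructed input; the tolerance of one step either side in `verify` is an assumption about common verifier practice, not a statement about this provider.

```python
# Added example (not from the forum post or the mail provider): how a TOTP
# "secret key" becomes 6-digit codes, per RFC 4226 (HOTP) and RFC 6238 (TOTP).
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 reference seed (ASCII "12345678901234567890"), shown in the base32
# form a provider typically prints next to the QR code. Constructed test input.
DEMO_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_seed(seed_b32: str) -> bytes:
    """Turn the displayed base32 secret into raw key bytes.
    Displays often use lower case and spaces and drop the '=' padding that
    base32 needs to reach a multiple of 8 characters; normalise all of that."""
    cleaned = seed_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduction to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is floor(unix_time / step). The seed is
    entered once and never changes; only the counter advances, which is why
    each code is valid for roughly one 30-second step."""
    return hotp(decode_seed(seed_b32), unix_time // step, digits)


def verify(seed_b32: str, candidate: str, unix_time: int, window: int = 1,
           step: int = 30, digits: int = 6) -> bool:
    """Server-side check. Accepting the previous and next step as well
    (assumed common practice, not this provider's documented behaviour)
    tolerates small clock skew and a slow login without weakening much.
    compare_digest keeps the comparison constant-time."""
    for skew in range(-window, window + 1):
        expected = totp(seed_b32, unix_time + skew * step, step, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # Known RFC 6238 SHA1 vectors (8 digits) at t=59 and t=1111111109.
    print(totp(DEMO_SEED_B32, 59, digits=8), totp(DEMO_SEED_B32, 1111111109, digits=8))
    now = int(time.time())
    code = totp(DEMO_SEED_B32, now)
    print("current code:", code, "valid for about", 30 - now % 30, "more seconds")
    print("accepted:", verify(DEMO_SEED_B32, code, now))
```

The point for the questions above: the app stores the seed once, the login form receives only the current 6-digit output, and the seed never leaves the second device, which is exactly why generating codes on the same (possibly compromised) computer you log in from defeats the purpose.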