EmailDiscussions.com  

13 Mar 2018, 09:10 PM   #1
jclarkw2
Junior Member
 
Join Date: Mar 2018
Posts: 21
Two-Factor Authentication Details?

I apologize for the lengthy post, but I have many detailed questions on this topic.

I've read over the Documentation, but I still don't fully understand the process, especially in the context of Sub-accounts. Background: I don't use a smartphone, so I will be both logging into Webmail (from a sandboxed browser, or perhaps on some public computer) and using POP3/SMTP through Outlook 2013 on my laptop only. Maybe most of this becomes clear during the setup process, but I'm afraid to start it without full understanding because the actions appear to be immediate -- not cancelable before activation.

1) Before I enable 2FA, I should enable, define, and install in Outlook distinct "APP passwords" for both POP3 and SMTP (so that I can access my email even if I can't log in to Webmail). "POP3" and "SMTP" would be the names to use in the "enter app/device" box. Correct? This pair would be the same across all email (sub-)accounts. Correct?

2) On enabling 2FA, I should immediately generate and install an unlock code that can be filed against disaster.

3) Then I should choose the type of 2FA I will use:

a) In spite of the instructions ("The codes are generated by a free app that you download onto your smartphone or computer." [emphasis mine]) TOTP appears not available to me because no recommended APP is listed for Windows 7. Am I missing something here?

b) If I can use TOTP, then what is this "secret key" that must be entered into the APP to generate the TOTP and how do I use it?

c) For TOTP it would then appear to be a many-step process: Run the APP; enter the "secret key;" generate the TOTP; copy and paste that into the login (somehow); then enter username and password. (Or perhaps the last two steps are reversed?). Is this the basic idea? If so it must be executed quickly since the passwords are only valid for 30s (or less)!

d) If TOTP doesn't work for me, then it appears OTP is my only option, since "Trusted Browsers" never appear to work in other contexts because I always run my browser inside a sandbox.

4) The login process with 2FA: Do you have to enter the TP before or after the username and password? How long does this login remain valid before the system requires a new one (and new TP)?

5) This 2FA process applies only to Webmail or Account login, as there's no opportunity for it in POP2. Correct?

6) What about Webmail logins for sub-accounts? Does this also require 2FA (if it's enabled in the main account), or are they set up and enabled separately? In the latter case, are distinct APP passwords, TPs, etc. defined there?

Sorry again for the barrage of questions. Maybe the documentation could be improved a bit? -- jclarkw2

14 Mar 2018, 05:15 AM   #2
gecko
Senior Member
 
Join Date: Feb 2010
Posts: 107
1) Before I enable 2FA, I should enable, define, and install in Outlook distinct "APP passwords" for both POP3 and SMTP (so that I can access my email even if I can't log in to Webmail). "POP3" and "SMTP" would be the names to use in the "enter app/device" box. Correct? This pair would be the same across all email (sub-)accounts. Correct?

Your "master" account password is the one you use for webmail. App passwords can be used for any type of access which is not webmail. Their names do not need to "make sense". You can call them whatever you want as long as you know what it should be used for. E.g. you could call one app password "desktopathome" and use it for retrieving mail via POP3 and sending mails via SMTP. Another app password could be "laptop" and be used likewise.

2) On enabling 2FA, I should immediately generate and install an unlock code that can be filed against disaster.

That makes sense but you don't have to.

a) In spite of the instructions ("The codes are generated by a free app that you download onto your smartphone or computer." [emphasis mine]) TOTP appears not available to me because no recommended APP is listed for Windows 7. Am I missing something here?

I believe yes. The idea of TOTPs is that you use a /different, independent/ device for generating the TOTPs and actually logging into your email account. That way, if your computer is compromised, the adversary will not know the next TOTP whereas this security mechanism would be in vain if the TOTPs were generated on your compromised device. To make a long story short: Ideally, you'd be using a mobile phone or tablet to generate the TOTPs you then use on your computer.

b) If I can use TOTP, then what is this "secret key" that must be entered into the APP to generate the TOTP and how do I use it?

The "secret key" is a seed (a random number) you enter into your TOTP app /once/. From that moment on, your app will generate individual TOTPs for you without your having to enter the secret again (unless you reinstall the app or want to use a different device for generating the TOTPs).

c) For TOTP it would then appear to be a many-step process: Run the APP; enter the "secret key;" generate the TOTP; copy and paste that into the login (somehow); then enter username and password. (Or perhaps the last two steps are reversed?). Is this the basic idea? If so it must be executed quickly since the passwords are only valid for 30s (or less)!

Not really. See above - configuring the app is a one-off effort. Logging in works like this: enter username -> enter password -> enter 6-digit TOTP.

d) If TOTP doesn't work for me, then it appears OTP is my only option, since "Trusted Browsers" never appear to work in other contexts because I always run my browser inside a sandbox.

As long as you do not delete your cookies, your trusted browser can run just fine inside a sandbox.

4) The login process with 2FA: Do you have to enter the TP before or after the username and password? How long does this login remain valid before the system requires a new one (and new TP)?

See above. AFAIK a webmail session is valid for a couple of hours (4?).

5) This 2FA process applies only to Webmail or Account login, as there's no opportunity for it in POP2. Correct?

Not sure. Can anyone elaborate on this?

6) What about Webmail logins for sub-accounts? Does this also require 2FA (if it's enabled in the main account), or are they set up and enabled separately? In the latter case, are distinct APP passwords, TPs, etc. defined there?

The main account security settings are entirely independent from those of the sub accounts. All accounts can be configured individually.

Again, I hope I could help. Please correct me if I am wrong somewhere.

Regards,
gecko
14 Mar 2018, 08:34 AM   #3
jclarkw2
Junior Member
 
Join Date: Mar 2018
Posts: 21
Quote:
Originally Posted by gecko
...
5) This 2FA process applies only to Webmail or Account login, as there's no opportunity for it in POP2. Correct?

Not sure. Can anyone elaborate on this?...
gecko
I think you covered everything except this one (which I'm pretty sure can't be done). Thanks again! -- jclarkw2
All times are GMT +9.