UK Parliament hack: Really, a brute-force attack? Really?

coconuthead

Re: Email != Webmail

@beddo: I don't know what you mean by "2FA password", but I assume it's the token. And it is *not required at all* with an application password. The "something you have" is the device itself, which is why a separate application password is issued for each device and not recorded (you copy it straight into the device and then close the web page that generated it).

In my case, the 2FA token is valid for only around a minute, because it uses TOTP. I log in weekly using the web interface to have a look at the spam folder and to read some less important messages that I sort into IMAP folders using a server-side sieve script. Normally I read mail twice daily on a desktop using a client that has an application password, and I don't need my phone near me for a TOTP token. If the machine were to be stolen, it could not be used to access my email, because when I'm away it's locked using my Mac login password, and this "locks" the encrypted macOS keychain in which the mail client stored the application password. Although my Mac login password is reasonably strong, it still needs to be memorable, so it isn't as strong as some others I use. So, if the machine is stolen, the reasonable login password should slow the perpetrator down long enough for me to invalidate the application password using the server's web interface, and I'm golden. And after I do that, I can still use all my other devices (and their application passwords), or my master password and TOTP, to read my mail.
