topic Re: 2-Factor authentication on webmail in Email

2-Factor authentication on webmail

mflanagan — Fri, 14 Feb 2025 05:33:17 GMT

Please could someone advise how to set this up on webmail? All serious platforms these days have an MFA option, but I just can't see one with Plusnet.

Re: 2-Factor authentication on webmail

jab1 — Fri, 14 Feb 2025 09:44:16 GMT

Out of interest, why would you need 2FA on webmail?

Re: 2-Factor authentication on webmail

mflanagan — Fri, 14 Feb 2025 10:17:25 GMT

Are you kidding? Why WOULDN'T you want it?! Think of the havoc someone could wreaking they gained access to your mailbox...

Re: 2-Factor authentication on webmail

jab1 — Fri, 14 Feb 2025 10:23:41 GMT

As they need to know your account name and (presumably secure) password, what is the actual, rather than theoretical, risk?

I have been using mail accounts for about 30 years - since W95 - and have never been compromised yet.

Re: 2-Factor authentication on webmail

Townman — Fri, 14 Feb 2025 10:37:07 GMT

Best practice around passwords - make them unguessable, long, not words and change then regularly makes 2FA somewhat nugatory.

Clearly where password management does not follow best practice, such as using your birthday, pet’s name, favourite football team all in plain text … some will seek other forms of protection, which invariably are burdensome.

I do not know of a 2FA on any webmail service. I also see a dire catch22 situation with 2FA on mail access services - one should not presume possession of a mobile phone or a workable mobile coverage; many 2FA processes use email for the verification code.

This suggestion would result in not being able to access the verification code because said verification code is required to access the verification email.

Re: 2-Factor authentication on webmail

pvmb — Fri, 14 Feb 2025 13:05:11 GMT

@jab1 wrote:

As they need to know your account name and (presumably secure) password, what is the actual, rather than theoretical, risk?

Well, 'discovering' the account name is not much of a challenge with Plusnet email, is it?

Re: 2-Factor authentication on webmail

jab1 — Fri, 14 Feb 2025 13:22:25 GMT

What is mine then @pvmb ?

Re: 2-Factor authentication on webmail

mflanagan — Fri, 14 Feb 2025 14:10:29 GMT

"I have been using mail accounts for about 30 years - since W95 - and have never been compromised yet."

Haha, is that a genuine security strategy? Wow...

Anyway, back in the real world, all I wanted was an answer to my question, which I'm guessing is 'No, it isn't possible.' That's fine, that's all the info I was looking for. So long

Re: 2-Factor authentication on webmail

jab1 — Fri, 14 Feb 2025 14:15:09 GMT

@mflanagan My 'security strategy' - which you are unaware of, obviously - has kept me perfectly safe all these years, so it works.

Re: 2-Factor authentication on webmail

iannewson — Fri, 14 Feb 2025 22:26:01 GMT

Until it doesnt.

If you want to rely on on server security of an email system (that is barely supported by plusnet) to not loose your credentials then thats up to you. But for goodness sake don't dissuade others from having some common sense.

https://haveibeenpwned.com

Ive personally found some my password that ive used in the wild.

Re: 2-Factor authentication on webmail

jab1 — Fri, 14 Feb 2025 22:39:07 GMT

@iannewson As I've said previously, I have been using various ISP mail systems for ~30 years, and never had any issues. I do check for any breaches on a monthly basis as part of my own security protocol, and the only ones I have found have been the odd 'account' passwords, usually linked to sites where I suspect security could be a bit 'lax'.

Re: 2-Factor authentication on webmail

Anonymous — Fri, 14 Feb 2025 23:08:54 GMT

I'll have to slightly disagree. The most basic 2FA uses texting to supply a code (numeric or alphanumeric) using the mobile phone network. I have yet to see a 2FA which uses email for the verification code.

E-mail can be used to request a password reset link (which is quite often part of the design).

Re: 2-Factor authentication on webmail

Townman — Fri, 14 Feb 2025 23:19:05 GMT

Again presumption that everyone has a mobile phone and everyone has a decent t signal.

There are lots of websites which use email as the vehicle for 2FA verifications. The site I ordered toner from this week sends 2FA to email.

Re: 2-Factor authentication on webmail

pvmb — Sat, 15 Feb 2025 11:19:40 GMT

@jab1 wrote:

What is mine then @pvmb ?

I thought you were no longer with Plusnet? (Or was that somebody else?)

But, if you are: tell me your Plusnet email address and I'll tell you your Plusnet account name. 🙂

Re: 2-Factor authentication on webmail

jab1 — Sat, 15 Feb 2025 11:23:34 GMT

I am no longer with PN as an ISP, but I retain my membership of this forum, and my email.

Without the associated password, knowing my account name is not much use.

Re: 2-Factor authentication on webmail

Anonymous — Sat, 15 Feb 2025 21:42:52 GMT

2FA is predicated on alternate methods of authentication. If there are not then it becomes less than 2FA (IMO). Some '2FA' relies on the presumption of a smart phone (a required app to provide the 2FA). Which is a bit more secure that using e-mail, but relies on the presumption of a smart phone (a non-available method)

"The site I ordered toner from this week sends 2FA to email." Personally, I wouldn't call that 2FA. More 1.1FA?

My account on A&A (VoIP) is monitored and they'll send an alert (to the e-mail address they have registered) if they detect a sign-in to the account I hold. That isn't 2FA. That is an alert of a possible breach.

Re: 2-Factor authentication on webmail

Protech — Sun, 16 Feb 2025 16:03:55 GMT

@Townman wrote:
Again presumption that everyone has a mobile phone and everyone has a decent t signal.

That's not a strict requirement for 2FA to work.

I started using 2FA over 30yrs ago long before smart phones even existed. We used an RSA authenticator device to enable remote access from a desktop PC to support clients from home. WFH has been around for a while 🙂

While smart phones can be used as authenticator keys they are not necessary - think of the smart tokens banks have used recently. An internet connection is not needed for a hardware based authenticator to work.

Most software authenticators also work offline, some only require a periodic connection to synchronize their clocks.

Password only security, however complex the password, is risky these days, it only needs to be breached once!. It is the security of the third party's where you have used your email details that's the potential risk.

Personally i would recommend the use of 2FA where possible and most mainstream email providers now support it.It's no longer a niche product.

Even BT mail supports it!

https://www.consumersearch.com/technology/maximizing-security-bt-email-login-best-practices-tips

Re: 2-Factor authentication on webmail

Townman — Sun, 16 Feb 2025 20:01:59 GMT

I too recall authentication devices - only worked for the single service. Just goes to show there’s little which is really new.

Re: 2-Factor authentication on webmail

Anonymous — Sun, 16 Feb 2025 21:30:33 GMT

Challenge/response keypads with pre-shared keys? (still used by banking now)

Re: 2-Factor authentication on webmail

Champnet — Mon, 17 Feb 2025 12:15:25 GMT

2FA - Not much use for those of us who cannot find their mobiles....

Challenge/response keypads - Not much use for those of us who cannot find the supplied keypad....