It seems enabling 2FA with IMAP supported email services prevents adversary from accessing your account if they compromise your password, but it doesn’t prevent them from accessing your emails through IMAP clients.
It seems Proton bridge was setup as a solution to this, but it’s not clear how exactly it does it?
I watched a video which showed how the bridge provides IMAP password which are inputted into the external client. But couldn’t this be compromised as easily as the standard password?
When exactly does the 2FA need to be inputted? When downloaded the bridge? When connecting the bridge to the client? Every time I wish to access mail within the client? If I setup the bridge on PC, can I use it to connect to a client on my phone?
Enter IMAP login details from bridge into email client on device Y (without 2FA).
If so, I don’t see how the bridge boosts security. I presume the only login details which are unique for each account are the email address itself and the password.
An adversary who wishes the compromise the email address could equally try to brute force the password provided by the bridge, in much the same way they would brute force the user-created password for the account.
I’m afraid my question still isn’t answered, which is whether the Proton bridge mitigates against IMAP brute force attacks (other providers do not support IMAP, or they allow users to block access to mail through IMAP, because it cannot IMAP cannot be integrated with 2FA)
No, that wouldn’t work. What bridge does is it starts listening on localhost 1143 & 1025 (by default) ports for your e-mail client(s) to communicate. It ignores all other connections to these ports that do not originate from localhost. Communication between the e-mail client and the bridge uses opportunistic TLS (STARTTLS), and the communication between the bridge and proton mail servers uses implicit (strict) TLS. The bridge authenticates using proton’s secure remote password protocol, so your password never leaves your machine (it is HASHED and SALTED and stored in system’s keychain. It just creates an access token using your password locally and authenticates using the access token. The access token lives on your machine’s memory. Also, bridge downloads the encrypted versions of your PGP private keys and unlocks them, but they are not stored by the bridge itself. They are placed in computer memory.
If your device is compromised, there’s nothing you can do to secure the data (like your e-mails) that are stored on or can be accessed from your device. The bridge itself is plenty secure.
TL’DR
Proton bridge requires 2FA to be setup on a device, and can only connect to email clients on the same device as it relies on local communications.
Proton therefore implements 2FA for mail access through IMAP, which for other email providers is a weakness.