I’ve continued my search, and looking back, my post does look weird.
I did not want to make a rant post, so let’s switch back to something constructive for discussion.
I understand that … somewhere there has to be a way to authenticate a device and keep a token/identifier of some sort to keep being able to connect to the mail server and refresh email automatically.
The device needs to keep something…
Previously, that was to keep the username and password on the device. This has been replaced by methods that still keep such a token/identifier, but can provide stronger authentication or are unique to the device. So, some examples:
OAuth 2.0 as provided by Gmail, Office 365, Yahoo etc. allows a user to authenticate with the provider with their username & password and any other 2FA method, be it TOTP, YubiKey, U2F, FIDO2/WebAuthn or passkey. The device will then keep a secret identifier to maintain the connection. Here, by requiring a security key to connect, the connection is more secure and trustworthy than just having a username & password combination. It is more trustworthy because of that TOTP interactivity or the FIDO2 hardware token that can’t be faked.
Device control / which device has access
Devices are authenticated individually and each has an individual token to refresh emails. This feature also allows viewing which devices are connected to an account. In the provided admin pages, you can see which devices are connected, since when, the last connection, and disable a specific device, in case you lost it or something.
When connecting a third-party application, the user will also need to consent to give the third-party app access to various rights: read email, send email, read calendar. This is way better than giving a username & password to an app to access the IMAP and POP server, which otherwise also gives access to any other feature of the online account, including billing (name, address), account deletion or other.
Basically it provides AAA: Authentication, Authorization and Accounting.
Before OAuth 2.0, email providers offered application passwords, for those apps that were not using the latest protocols to connect to the provider.
- It could not provide 2FA or otherwise, but allowed having a super strong password of 50 characters or more for each app.
- It provided individual access and a way to revoke a specific device, by revoking a specific password.
- It provided some sort of permission management / restriction by providing a different password for just a specific service like IMAP and POP3, which prevents access to other features of the online account like billing, deletion.
From what I understand, only the big providers offer OAuth 2.0, no other email provider offers it, and not all mail applications support it. That’s disappointing, as the other 2 features are nice.
And now I’m looking at other providers like mailbox dot org, and from what I can understand from reading this forum:
- no application password. There is the IMAP password shared across all devices and the account password for webmail+2FA
- device control: haven’t created an account, but since all devices share the same password, probably not implemented
- at least a separation between email and control with their single IMAP password.
I feel like I have the choice between “no privacy but good security”, “full privacy and security, but no compatibility (Proton, Tuta)”, “privacy but meh security”.
But perhaps there is something that I am missing, maybe I misunderstand some concept, or perhaps I am too critical?
Or are there some people more knowledgeable than me on the various privacy offerings that could recommend different providers that provide a little more than mailbox, listed in the Privacy Guides list?
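The OAuth 2.0 device-token model described above, as an added example that is not part of the original post: the client side builds the SASL XOAUTH2 response a mail app sends to the IMAP server, and a constructed server-side token store checks the claimed user, the mail scope and per-device revocation. The user, tokens and device names are constructed sample values.

```python
import base64
from dataclasses import dataclass


@dataclass
class Grant:
    user: str
    device: str
    scopes: set
    revoked: bool = False


# Constructed sample store: one token per device, as a provider keeps
# after each device's own interactive login (password + 2FA + consent).
TOKENS = {
    "tok-phone-1": Grant("alice@example.org", "phone", {"mail.read", "mail.send"}),
    "tok-laptop-1": Grant("alice@example.org", "laptop", {"mail.read", "mail.send"}),
    "tok-calapp-1": Grant("alice@example.org", "calendar-app", {"calendar.read"}),
}


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """Client side: SASL XOAUTH2 initial response used by Gmail/Office 365 IMAP.
    Wire format is user=<u>^Aauth=Bearer <token>^A^A, then base64-encoded."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


def parse_xoauth2(b64: str) -> tuple:
    """Server side: decode the response and return (user, token)."""
    raw = base64.b64decode(b64).decode()
    if not raw.endswith("\x01\x01"):
        raise ValueError("malformed XOAUTH2 response")
    fields = dict(f.split("=", 1) for f in raw[:-2].split("\x01"))
    scheme, _, token = fields["auth"].partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("expected a Bearer token")
    return fields["user"], token


def authorize_imap(b64: str, tokens=TOKENS) -> bool:
    """Accept the IMAP login only if the token exists, is not revoked,
    belongs to the claimed user and was consented with the mail.read scope."""
    try:
        user, token = parse_xoauth2(b64)
    except (ValueError, KeyError):  # bad base64 / bad UTF-8 are ValueErrors
        return False
    g = tokens.get(token)
    return g is not None and not g.revoked and g.user == user and "mail.read" in g.scopes


def revoke_device(device: str, tokens=TOKENS) -> int:
    """Lost a device: revoke only that device's grant; the others keep working."""
    hits = [g for g in tokens.values() if g.device == device and not g.revoked]
    for g in hits:
        g.revoked = True
    return len(hits)
```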
I said YubiKey proprietary to differentiate between their two offerings.
YubiKey offers the “YubiKey 5 Series” as well as their “Security Key Series”. The YubiKey 5 Series is multi-protocol and supports OTP, smartcard, PGP and others as well as all of FIDO2, while the Security Key only supports U2F/FIDO2/WebAuthn/passkey.
In their documentation, mailbox says "These YubiKeys are authenticated against a YubiKey server that we operate in our data center. " So these are for the YubiKey 5 Series and not for the YubiKey Security Key / U2F/FIDO2. Let me know if this is clearer.
skiff, I might be mistaken. I checked 10 providers and, in the little time I had, could not find documentation on whether 2FA was supported without creating an account. Most websites clearly mention it in their documentation/support site.
My initial post may not be the best; I was looking for something better than just that one main password for all your devices. I’ve written some examples for OAuth 2 and multiple passwords above.