Why private email provider have lacklusting 2FA security?

I’ve been looking for a few years to migrate out of my email provider to a more privacy centric provider and a specific situation never change : the 2fa security that “privacy” provider offer are often bad/very old.

Let’s get straight to it with the most recommended service on the net
ProtonMail : support fido2, but only for the website. took them soo many years. The android app require a 2FA TOTP code. You cannot only have a security key.
Tutanota : u2f and totp. Happy to find that android does support u2f now. Will need to test it if I can only have a security key.
Skiff mail : totp. 2fa is not mentionned except in the white paper. It’s TOTP only.
mailbox.org : yubikey, totp
posteo.de: totp
mailfence : totp
startmail : totp
runbox : totp, otp
countermail : totp
Kolab Now : totp

As you can see, usually website only support totp. The few that support more than that support either old method (U2F 2014), proprierary (Yubikey). Only one support FIDO2 2017). None provide Passkey. TOTP is the baseline. It’s not user friendly and better solution has been developped. Any U2F, Fido2/WebAuth, PassKey would be better.
Those that provide better than totp often does not support that on their android client (talking about you Proton) or cannot have only a security key.

I can only compare that to non private email provider with better security. Gmail has supported U2F, Fido2/WebAuth for a long time. Now it’s PassKey. Zoho mail support fido2. Microsoft 365 support u2f and fido.

To use a “private email provider”, I would need to lower my security. I don’t understand why these website put so much effort on the privacy and E2EE but cannot provide a better security to authenticate and protect unauthorized login. I’d like to migrate… but I’d like to be able to only use a security key or webauth, and it’s never been possible.
So two discussion point

  1. why no recent and user friendly 2fa ?
  2. am I too hard to wanting to only use a security key for a “secure and private” mail provider? I know that security and privacy are two different thing. Gmail is not private but very secure.

If someone can recommand an email provider that support security key but also support classic email client (using failEmail) that would be awesome. I found zoho and it looked perfect, lots of feature, fido2 and imap, but then I found it’s not so private… So back to square zero in my current non private provider.

Tutanota : u2f and totp. Happy to find that android does support u2f now. Will need to test it if I can only have a security key.

Tutanota works with only security keys, no problem.

confused as to why you think totp = lackluster/bad. is it because it isn’t phishing resistant like fido?

edit: seems like security keys can be used @ skiff - Reddit - Dive into anything

I feel like I have them on my skiff account but not able to check ATM.

Skiff do support security keys, i know, i just registered 1-2 days ago, what makes me not completely belive in other statements in the lead post!
Also writing

leads me to the question: do you even know what the “yubukey supports (and being supperted by) the sites” mean?

1 Like

Hello all,
I’ve continued my search and looking back my post do look weird. :slight_smile:
I did not want to make a rant post, so let’s switch back to something discussion and constructive.

I understand that … somewhere there has to be a way to authenticate a device and keep a token/identifier of some soft to keep being able to connect to the mail server and refresh email automatically.
The device needs to keep something…

Previously, that was to keep the username and password on the device. This has been replaced by method that will still keep those token/identifier, but can provide a stronger authentication or is unique to the device. So some example

oAuth 2.0
oAuth 2.0 provided by gmail, office 365, yahoo etc will allow a user to authenticate on the provider with their user&password, any any other 2FA method, being totp, yubikey, u2f, fido2/webauth or passkey. The device will then keep a secret identifiant to maintain the connection. Here by requiring a security key to connect, the connection is more secure and trustworthy than just having a user&pass combinaison. It is more trustworthy because of that totp interactivity or the fido2 hardware token that can’t be faked.
Devices control / which device has access
Devices are authenticated individually and have each an individual token to refresh emails. This feature also allow to view which device are connected to an account. In the provided admin pages, you can see which device are connected, since when, last connection and disable a specific device, in case you lost it or something.
Permission management
When connecting a third party application, the user will also need to consent to give the third party app access to various right, read email, send email, read calendar. This is way better than giving a username & password to an app to access the imap and pop server, but otherwise any other feature of the online account, including billing (name, address), account deletion or other.
Basically it provide the AAA Authentication, Authorization and Accounting

Before oAuth 2.0, email provided offered application password, for those app that were not using the latest protocols to connect to the provider.

  • It could not provide 2FA or otherwize, but allowed to have super strong password of 50 characters or more for each app.
  • It provided individual access and a way to revoke a specific device, by revoking a specific password
  • provided some soft of permission management / restriction by providing a different password for just a specific service like imap and pop3, that prevent access to other feature of the online account like billing, deletion.

From what I understand, only the big provider offer oAuth2.0, no other email provider offer it and not all mail application support it. That’s disapointing, as other2 features are nice.

And now I’m looking at other provider like mailbox dot org, and from what I can understand from reading this forum

  • no application password. There is the imap password shared across all devices and the account password for webmail+2fa
  • device control : haven’t create an account, but since all device share the same password, probably not implemented
  • at least a separation between email and control with their single imap password.

From my point of view, regardless of the privacy policy, their authentication security is much more worst that the big company. I wish it was better. I do have multiple devices where I would like to connect and it’d be nice to have a better way that 1 password saved in multiple devices…
I fee like I have the choice between the “no privacy but good security”, “full privacy and security, but no compability (proton, tuna)”, “privacy but meh security”.

But perhaps there is something that I am missing, maybe I misunderstand some concept or perhaps I am too critical ?

Or are some people more knowledgeable than me on the various privacy offering that could recomment diffent provider that provide a little more that mailbox listed in privadyguide list?

I said yubikey proprietary to differenciate between their two offering.
Yubikey offer “YubiKey 5 Series” as well as their “Security Key Series”. YubiKey 5 Series is multi-protocol and support otp,smartcard,pgp and other as well as all the fido2, while the security key only support u2f/fido2/webauth/passkey.
In their documentation, mailbox say "These YubiKeys are authenticated against a YubiKey server that we operate in our data center. " So these are for the the yubikey 5 series and not for the yubikey security key. / u2f/fido2 :slight_smile: Let me know if this is more clear.

skiff, I might be mistaken. I checked 10 provider and could not find documentation with little time if it supported 2fa without creating account. Most website clearly mention it in their documetation/suport site.

My initial post may not be the best, I was looking for something better than just that 1 main password for all your devices. I’ve written some example for oAuth 2 and multiple password above.

ironically, the reason given here for not being able to implement oauth is that proton uses gpg, which IMAP/SMTP don’t handle, so the lack of oauth here is actually because of protonmail’s security/encryption. guessing it is similar with the others.

would love to see if anyone that knows more about how web authentication protocols compare in security might chime in.

but I also just kind of can’t make sense of what you’re saying. not using oauth doesn’t mean they are using plain SMTP Auth, which is what it seems like you’re saying? there are other ways to get unique tokens for authentication. (edited typos and removed jwt mention since it’s not a protocol)

proton solution already authenticate their android client using 2fa, provide session management to disable specific client and see security logs, so basically that solution is already ok. I guess tuta is the same. The issue is that you cannot use any other mobile mail application other than their official. Using failemail or k8 is not possible. Not interested in On desktop there is the bridge, but not on mobile.
It’s more about other provider. I’d like to be able to use other clients… Tuta have desktop apps, but probably only for tuta account. Proton provide good security, and provide the bridge on windows to use thunderbird, but force their mobile app. Other provider are fully compatible with all desktop and mobile client, but the security is less strong. Sry I guess I’m looking for a unicorn. I’ll try tuta to see if the mobile client is better and i’ll see that I do.

So what would be the ideal for you? Being able to use a private email provider that accepts security keys or passkeys and you can use any app to authenticate?

The primary issue in adopting better authentication methods is the lack of OIDC Dynamic Client Registration implementations on both the server and client side. This means that the best non-proprietary implementations can do are static app passwords.

Web interfaces should not have such obstacles and there are many that support Webauthn but few providers prioritize very strict privacy.

There seem to be several remaining issues with passkeys ranging from poor consumer understanding to lack of corporate IT readiness to support them.