Dear Team,
I think that in today's advanced world of IT and its growth, 2-factor authentication is required for webmail access after the password, to prevent hacking and the other issues which users mostly face with their hosting accounts within the shared hosting space and in other solutions.
I would highly appreciate it if 2FA (2-factor authentication) were implemented on webmail as well, as it is already possible on cPanel.
Thanks,
Umer Khokhar
www.247workinghost.com
Update - this is officially in progress as part of case DUCK-8494. I don't have an official timeline of when that will be in a cPanel version, but the dev work has started!
Doesn't POP/IMAP/SMTP also use the same passwords as webmail? That would mean users would need to enter an OTP (where exactly?) every time they try to send/read mail using other email clients which have no concept of 2FA. Or am I understanding your concept wrong?
If we added 2FA to the Webmail interface we would be taking mail applications (especially across so many devices) into consideration when implementing the feature. I can think of a couple of ways other providers have dealt with it, but ultimately it would be up to the feature team that implements the change to decide how we go about it.
How about using something like Google's reCaptcha API
It is a very much needed feature for webmail; it will definitely reduce attacks on the server.
Google does it by using App Passwords, which are assigned to specific programs like Thunderbird, Outlook, etc.
https://support.google.com/mail/answer/185833?hl=en&visit_id=636828031466693350-3030637748&rd=1
I think, this is a very good solution. And we really do need 2-Factor-Authentication for webmail!
We can have 2FA on webmail for another reason. Someone can access Forwarders and Filters and intercept communications. We've seen it happening a lot of times. We clean up 10+ forwarders from users around cPanel servers every month. We could ask those high-risk users to use 2FA only for webmail and cPanel. They can use the normal login for e-mail clients like Outlook or Thunderbird, but we can somehow secure the Filters and Forwarders of the accounts with this.
How is it that 2FA hasn't been able to be addressed at the webmail level but exists at every other web interface (WHM/cPanel)?
2FA is something that is easily implementable via roundcubemail. I've had this implemented on one of my servers for years and it hasn't interfered with POP/IMAP/SMTP access. The added verification is only implemented at the webmail level.
https://plugins.roundcube.net/packages/alexandregz/twofactor_gauthenticator
This is a must! There are many things to protect in webmail, like filters, redirects etc.
In Roundcube there can be plugins.
I see there is a (recent) plugin for
mmvi/twofactor_webauthn
https://packagist.org/packages/mmvi/twofactor_webauthn
Installing plugins in Roundcube doesn't seem to be very difficult, as it is done via composer.
Is there a problem if we install such a plugin (or another one) on the cPanel Roundcube?
OK, I suppose it will be overwritten when cPanel applies updates, but there must be a post-update hook that could trigger a re-install script for the plugins.
Or am I overlooking some problems?
Best regards, Marc
Any updates?
Any update? More and more clients have problems; some are getting scammed and have tens of thousands of euros in losses. It's nearly unacceptable not to have 2FA on a critical system like the webmail, and not even the possibility to block access to forwarders and filters from that interface... This is a HUGE problem!
A little background:
It needs to be noted that, despite the popularity of typical mobile phone SMS 2FA (used by social media and banks etc.), this is NOT TRUE TWO FACTOR AUTHENTICATION and only gives an illusion of security to an ignorant public.
For Webmail to have PROPER 2FA, they would need a set of unique, changing random codes that are generated on a remote device given to the webmail user (typically unique key cards). This is something that is FAR BEYOND what any free webmail provider can realistically provide and is far out of scope of email security (it would be better to implement PGP Mail into email, which is far easier to deploy).
2FA using SMS messages is deeply unsafe and worryingly common. SMS can be easily intercepted by a 3rd party as it is completely unsecured, and most people accessing their webmail are already doing so from a mobile device.
2FA can be pseudo-done (as WHM has already) with 3rd party apps that provide a code with a time-based expiry, but this is still not quite true 2FA because the app is on the mobile device, so it would not be 2FA if the webmail (or WHM) is accessed from that same device.
Securing the connection to email is done, but using the common 2FA methods (apps/SMS) is not the way to do it; using something like SSH keys or 3rd party key cards is a better approach, but then come some serious shortfalls: it requires some technical knowledge from the end user as well as logistical overheads, and it also limits access by any parent account holder (such as the WHM root user accessing a cPanel email account).
This really shouldn't be hard to implement... when someone tries to access IMAP, SMTP, webmail, or anything that connects to the email server, if they are not already authenticated for that device/session then a text is sent to their phone (or an app on their phone can open) asking them if they authorized the access. They respond yes and then the system allows traffic from that device for either that session or a period of time. Then it doesn't matter if the computer has a program like Outlook, or if the customer is connecting with a webmail client, or which webmail client.
I'd like to point out that "Do all your employees require two-factor authentication to access their email?" is now turning up in external security audits. We had a client who required it of us in order to supply services. No amount of arguing that it's less secure or invalid is going to beat a standardised ISO/PCI/SSAE/ISAE/SOC (whatever takes your fancy) security assessment.
Roundcube has 2FA plugins, IMHO it would be a good "first step" to enable the 2FA for just RC.
We recently lost a customer who moved away from our services because he was legally required to use 2FA for his e-mail.
It seems that recent Dovecot versions have Oauth2 support and e-mail clients like Thunderbird support this authentication method too.
Isn't this a duplicate of this?
following :)
Hello,
With the advancement of technology and its accessibility to tech-illiterate people, 2FA for webmail is a must in today's day and age. It can be an on/off feature, and it doesn't need to be implemented to work with third-party tools like Outlook or Thunderbird.
This is indispensable in 2023. When will there be any news?
No hard feelings eh, but 6 pathetic years later, with phishing everywhere, this webmail 2FA treat will solve itself: we will have no email users anymore once everybody has gone to Google and Microsoft, and we will still be stuck with basic Roundcube while Google and Microsoft have 2FA with apps and hardware keys and collaboration tools.
Is (mail) hosting on dedicated servers doomed to death, and is that the reason no development effort is put on this?
Webmail is only the first step.
How others solved 2FA for imap/pop3/smtp:
1. 2FA can be enabled for every mailbox separately
2. in webmail there is no problem with 2FA
3. when a connection is made to an account with 2FA set to on, the user receives a special LINK (with a secret hash) to click, and on the website he decides for how long his IP address will NOT require 2FA (1h, 2h, 4h, 8h, 24h). His IP will then be added to a "whitelist" so it is possible to connect using Outlook/Thunderbird/TheBat without 2FA.
It is very simple, but then 2FA works also for mail clients (mail clients like Thunderbird don't offer 2FA).
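The link-and-allowlist flow described in the post above, modelled as an added example that is not the poster's or any provider's code: the mailbox, IP addresses, server key and timestamps are constructed, and the secret hash is an HMAC over mailbox, IP and issue time so a link cannot be replayed for another IP or after it goes stale. How the link is delivered to the user (it must reach something the user already holds) is outside the snippet.

```python
import hashlib
import hmac

ALLOWED_HOURS = (1, 2, 4, 8, 24)  # the bypass durations the post lists


class MailAuthPolicy:
    """Constructed model of the scheme: 2FA per mailbox, an HMAC-signed link
    token, and an expiring (mailbox, ip) allowlist consulted at client login."""

    def __init__(self, server_key: bytes):
        self.server_key = server_key          # hypothetical server-side secret
        self.twofa_enabled = set()            # mailboxes with 2FA switched on
        self.allowlist = {}                   # (mailbox, ip) -> expiry (epoch secs)

    def _tag(self, mailbox, ip, ts):
        msg = f"{mailbox}|{ip}|{ts}".encode()
        return hmac.new(self.server_key, msg, hashlib.sha256).hexdigest()

    def issue_link_token(self, mailbox, ip, now):
        """The 'secret hash' put in the link sent when a mail client logs in
        from an IP that is not yet allowlisted; binds mailbox, IP and time."""
        return f"{now}.{self._tag(mailbox, ip, now)}"

    def redeem_link(self, mailbox, ip, token, hours, now, link_ttl=900):
        """User clicked the link and chose a duration: allowlist that IP."""
        if hours not in ALLOWED_HOURS:
            return False
        ts_s, _, tag = token.partition(".")
        if not ts_s.isdigit():
            return False
        ts = int(ts_s)
        # constant-time compare; a mismatch means an altered or forged link
        if not hmac.compare_digest(tag, self._tag(mailbox, ip, ts)):
            return False
        if now - ts > link_ttl:               # stale link, do not honour it
            return False
        self.allowlist[(mailbox, ip)] = now + hours * 3600
        return True

    def client_login_needs_2fa(self, mailbox, ip, now):
        """Decision for an IMAP/POP3/SMTP login whose password was correct."""
        if mailbox not in self.twofa_enabled:
            return False
        expiry = self.allowlist.get((mailbox, ip))
        if expiry is None or expiry <= now:
            self.allowlist.pop((mailbox, ip), None)   # drop expired entries
            return True
        return False
```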
While there, maybe add Passkey support too.
Any update ?
So is this idea completed and will be served on next updates?