
Secure an email account


BornDeranged


Hello everybody,


since an email account is still critical as an identity "provider" for many services, I feel that it should also be secured by 2FA. In my specific case, I use a personal domain, and access to the DNS configuration is indeed via a web page that is secured with a 2FA. OTOH, my email provider only supports 2FA for web access, but not for IMAP and SMTP since those protocols have no specific 2FA integration. They could have done the same as they did for the web page, i.e. concatenating password and a token, but they don't. So there's not much I can do except having a rather lengthy password.

So what is the best practice in this area? I can think of using a service that uses a proprietary service rather than the standard protocols (such as Microsoft or Protonmail do), but that sounds counter-intuitive to me.

How do you protect your email account?

Regards,

-Patrick

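Whether an IMAP or SMTP endpoint is limited to a static password is something the server itself tells you: the IMAP CAPABILITY list and the SMTP EHLO reply advertise the SASL mechanisms they accept, and a token-based mechanism (OAUTHBEARER from RFC 7628, or the XOAUTH2 variant used by some large providers) is the usual way a 2FA-gated login gets carried over these protocols. The following is an added example, not code from the original poster or from any provider; it classifies advertised mechanisms for both protocols (going slightly beyond the IMAP case in the post), and the sample replies, the hostname `mail.example.invalid` and the function names are constructed for illustration.

```python
"""Classify what authentication a mail endpoint advertises.

Added example. Sample replies, host names and function names are constructed
for illustration and are not captured from any real provider.
"""
import imaplib
import smtplib
import ssl

# SASL mechanisms in which the client proves possession of a static secret.
PASSWORD_MECHS = {"PLAIN", "LOGIN", "CRAM-MD5", "DIGEST-MD5",
                  "SCRAM-SHA-1", "SCRAM-SHA-256"}
# Mechanisms in which the client presents a short-lived bearer token obtained
# through an interactive (possibly 2FA-gated) login, not the account password.
TOKEN_MECHS = {"OAUTHBEARER", "XOAUTH2"}


def classify(auth_mechs, starttls, login_disabled):
    """Summarise the advertised mechanisms. auth_mechs: iterable of SASL names."""
    mechs = {m.upper() for m in auth_mechs}
    info = {
        "starttls": starttls,
        "login_disabled": login_disabled,
        "password_mechs": sorted(mechs & PASSWORD_MECHS),
        "token_mechs": sorted(mechs & TOKEN_MECHS),
        "other_mechs": sorted(mechs - PASSWORD_MECHS - TOKEN_MECHS),
    }
    if info["token_mechs"]:
        info["verdict"] = "token-based auth available"
    elif info["password_mechs"] or not login_disabled:
        # No AUTH= tokens and no LOGINDISABLED: the plain IMAP LOGIN command works,
        # which is still a static password.
        info["verdict"] = "static password only"
    else:
        # Typical of a cleartext connection before STARTTLS; the real list appears after it.
        info["verdict"] = "no auth advertised (re-check after STARTTLS)"
    return info


def from_imap_capabilities(caps):
    """caps: CAPABILITY tokens, e.g. ['IMAP4rev1', 'STARTTLS', 'AUTH=PLAIN']."""
    tokens = {c.upper() for c in caps}
    auth = {t[len("AUTH="):] for t in tokens if t.startswith("AUTH=")}
    return classify(auth, "STARTTLS" in tokens, "LOGINDISABLED" in tokens)


def from_smtp_ehlo(lines):
    """lines: EHLO reply lines such as '250-STARTTLS' or '250 AUTH PLAIN LOGIN'."""
    auth, starttls = set(), False
    for line in lines:
        body = line[4:] if line[:3] == "250" else line  # strip '250-' or '250 '
        parts = body.strip().upper().split()
        if not parts:
            continue
        if parts[0] == "STARTTLS":
            starttls = True
        elif parts[0] == "AUTH":
            auth.update(parts[1:])
        elif parts[0].startswith("AUTH="):  # legacy 'AUTH=PLAIN LOGIN' form
            auth.add(parts[0][len("AUTH="):])
            auth.update(parts[1:])
    # SMTP has no LOGINDISABLED; with no AUTH line there is simply no login offered.
    return classify(auth, starttls, login_disabled=not auth)


def live_imap(host, port=993):
    """Fetch the CAPABILITY list over implicit TLS. Needs network access."""
    ctx = ssl.create_default_context()
    with imaplib.IMAP4_SSL(host, port, ssl_context=ctx) as conn:
        return from_imap_capabilities(conn.capabilities)


def live_smtp(host, port=587):
    """EHLO, upgrade with STARTTLS, EHLO again, then classify. Needs network access."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port) as conn:
        conn.ehlo()
        conn.starttls(context=ctx)
        conn.ehlo()
        lines = [f"250-{k.upper()} {v}" for k, v in conn.esmtp_features.items()]
        return from_smtp_ehlo(lines)


# Constructed sample replies for offline use.
SAMPLE_IMAP_PASSWORD_ONLY = ["IMAP4rev1", "STARTTLS", "AUTH=PLAIN", "AUTH=LOGIN", "IDLE"]
SAMPLE_IMAP_TOKEN = ["IMAP4rev1", "AUTH=PLAIN", "AUTH=XOAUTH2", "AUTH=OAUTHBEARER", "SASL-IR"]
SAMPLE_IMAP_PRE_TLS = ["IMAP4rev1", "STARTTLS", "LOGINDISABLED"]
SAMPLE_SMTP_EHLO = ["250-mail.example.invalid", "250-SIZE 35882577",
                    "250-STARTTLS", "250 AUTH PLAIN LOGIN XOAUTH2"]

if __name__ == "__main__":
    for name, caps in [("imap password-only", SAMPLE_IMAP_PASSWORD_ONLY),
                       ("imap token-capable", SAMPLE_IMAP_TOKEN),
                       ("imap before STARTTLS", SAMPLE_IMAP_PRE_TLS)]:
        print(name, "->", from_imap_capabilities(caps)["verdict"])
    print("smtp ->", from_smtp_ehlo(SAMPLE_SMTP_EHLO)["verdict"])
```

Two caveats when reading the result: a capability list read on a cleartext connection is often deliberately incomplete until STARTTLS has run, so check the post-upgrade list; and an "app password" a provider hands out for IMAP use is still a static secret, so it lands in the password-only bucket even when the web login is protected by 2FA.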

So your concern is that IMAP/SMTP only require a single authentication factor? IMO this is less of a concern, since these are passwords you hardly ever use, besides typing them in once to a mail client to configure it for your provider. If the password is complex, unique, and encryption is enabled, then there's little potential for that authentication method to be guessed or phished. If the provider is hacked, there are worse things they can do. Perhaps the main threat scenario here is if your computer running the mail client gets silently hacked, and your IMAP password is stolen, allowing an attacker to undetectably siphon your email even after they've been evicted from your system.

Edited by hyperreality

12 hours ago, hyperreality said:

So your concern is that IMAP/SMTP only require a single authentication factor? IMO this is less of a concern, since these are passwords you hardly ever use, besides typing them in once to a mail client to configure it for your provider. If the password is complex, unique, and encryption is enabled, then there's little potential for that authentication method to be guessed or phished. If the provider is hacked, there are worse things they can do. Perhaps the main threat scenario here is if your computer running the mail client gets silently hacked, and your IMAP password is stolen, allowing an attacker to undetectably siphon your email even after they've been evicted from your system.

Yes exactly. A password is still a static item, which only needs to be leaked once in order for a breach. Any 2FA would add a dynamic item which is missing here.
It strikes me as sub-optimal that my identity would be easier to hack than my user on a random website, since many of those nowadays permit at least TOTP.


I use a way too long password and then an OTP password just to get into mine. However, I try to run all my email through PGP, so for 90% of my emails you would also have to have the PGP key to decrypt the mail. So even if you got in, you wouldn't be able to tell what a message says, just where it came from.

