
I can check my office webmail through https://webmail.example.com. When my username and password match, a 5-digit code is sent by SMS to my phone that has to be entered on the website as well. This way my phone is the second factor.

However, on my mobile phone or on any tablet I can also configure an 'Exchange' e-mail account. This way I only need a username and the password during initial configuration. There is never the need for a second factor.
I believe this is possible because 'Outlook Anywhere' is enabled on the Exchange server.

I wonder whether the SMS second factor really adds security: anyone who intercepted my username/password can simply configure an Exchange e-mail account on their own phone and will never be asked for an SMS code?

Jeff
  • Can the attacker still change the password without access to the 2FA token? – VincBreaker May 29 '17 at 20:13
  • Are there no additional checks when you try to enable Exchange / Outlook, i.e. could you set this up on any device that supports Exchange? (no certificates, MAC address restrictions, etc.) If not, then you are correct: adding 2FA to the webmail adds little security if you can connect via an Exchange-supported mail client without using 2FA. – user3244085 May 29 '17 at 20:22
  • When you say "the password", do you mean the same one you set up for the account, or a new one (usually machine generated and quite longer)? – ndrix May 31 '17 at 00:42
  • It is just my regular username/password that I also use to log in to the domain. – Jeff May 31 '17 at 17:46

2 Answers


The app based passwords used only allow certain types of connections. Yes they could access your email if it was compromised, but you should only be using it over a secure channel (Such as imap with ssl) so it's not likely - unless your endpoint is compromised, but then you have bigger issues.

App based passwords do not tend to allow logging into web mail and account management. This means an attacker cannot make account level changes such as password changes.

ISMSDEV
  • I do not understand what you are trying to say. What is an 'app based password' in the context of my question? – Jeff May 30 '17 at 17:36
  • I guess what is meant is that email clients like the ones on your tablet and mobile phone can be configured to use a password ('app based password') which is different from the one you use when logging in via a web browser. When an attacker gets an app based password, he can only do what the app can do - which is probably only receiving emails? In this case, if the attacker wanted to change your password, the app based password would be of no use: he would need to log in via the browser, for which 2FA is still required and adds security in this regard. – efie Jan 07 '19 at 12:01

It looks like the mail admin stopped halfway. You are right on one point: if one single access only needs user + password, the global security level of the mail server is user-password, even if there are other more secure accesses like a 2FA webmail.

The only case where the 2FA webmail would improve the global security would be if the webmail 2FA password was different than the direct exchange password.

But this can happen in organizations when a VIP insists on being able to read his corporate mail on his smartphone or tablet without being bored by your sec. @&! like 2FA... Even a security aware admin can hardly say no to his boss!

Serge Ballesta
  • Regarding your second paragraph: You don't say how this would prove security. Can you elaborate on this? – efie Jan 07 '19 at 11:47
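The point raised in the question and in the second answer (the mailbox is only as strong as its weakest login path) can be checked from the admin side. The following is an added example, not code from the question or either answer: it runs in the Exchange Management Shell with the standard Get-CASMailbox, Set-CASMailbox and Set-ActiveSyncOrganizationSettings cmdlets, assumes that OWA is the only protocol fronted by the SMS gateway, and uses placeholder addresses.

```powershell
# Added example (not from the question or answers): list every mailbox that
# still exposes a protocol endpoint accepting a plain username/password, i.e.
# a path that never passes through the SMS-protected webmail login.

# Assumption from the question: only OWA sits behind the 2FA gateway. If an
# MFA-aware proxy also fronts MAPI or EWS, move those names to this list.
$mfaCoveredProtocols = @('OWAEnabled')

$passwordOnlyProtocols = @(
    'ActiveSyncEnabled',   # phones/tablets: the "Exchange account" in the question
    'MAPIEnabled',         # Outlook over RPC/MAPI, including Outlook Anywhere
    'EwsEnabled',          # Exchange Web Services clients
    'ImapEnabled',
    'PopEnabled'
) | Where-Object { $mfaCoveredProtocols -notcontains $_ }

$report = Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    $mbx  = $_
    $open = @($passwordOnlyProtocols | Where-Object { $mbx.$_ -eq $true })
    [pscustomobject]@{
        Mailbox            = $mbx.Identity
        WebmailBehind2FA   = [bool]$mbx.OWAEnabled
        PasswordOnlyPaths  = ($open -join ',')
        EffectiveAuthLevel = if ($open.Count -gt 0) { 'password-only' } else { '2FA' }
    }
}

# Every row with a non-empty PasswordOnlyPaths column is exactly the situation
# the question describes: the SMS code adds nothing against a stolen password.
$report | Where-Object EffectiveAuthLevel -eq 'password-only' |
    Sort-Object Mailbox | Format-Table -AutoSize

# Remediation options, shown with -WhatIf so nothing is changed when run as-is.
# 1. Close protocols a given user does not need (placeholder identity).
Set-CASMailbox -Identity 'user@example.com' -PopEnabled $false -ImapEnabled $false -WhatIf

# 2. Keep a stolen password from pairing a brand-new phone: quarantine unknown
#    ActiveSync devices until an admin approves them (placeholder recipient).
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'exchange-admins@example.com' -WhatIf
```

Device quarantine does not turn ActiveSync into a second factor, but it does mean a password alone is no longer enough to start reading mail from an unenrolled device.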