0

Theoretically? (If no, why? And if yes, why hasn't it been done?)

  • How would this work? Every time my mail client goes to check for new mail, I have to enter an OTP? – mti2935 Apr 19 '20 at 19:09
  • @mti2935: IMAP typically keeps the connection open and even gets informed if there are new mails (i.e. push instead of pull). Also, similar to how web based applications don't require a full login all the time but instead maintain a session this could be done within IMAP too. – Steffen Ullrich Apr 19 '20 at 19:56
  • Does this answer you? https://security.stackexchange.com/questions/173807/does-imap-pop3-asp-undermine-two-factor-auth – schroeder Apr 19 '20 at 22:26

1 Answer

2

> Could IMAP authentication be adapted to support 2FA?

IMAP can support multiple authentication methods, i.e. the protocol is extensible.

> ... why hasn't it been done

It has been done. Modern clients like Thunderbird support XOAUTH2, which basically uses a web client with OAuth2, which then can do all the normal things OAuth2 can do, including 2FA.

Steffen Ullrich
  • Thanks for your answer, but my naivety is confusing me: on one hand you're saying that it has been done, but on the other you immediately mention the client side. I am wondering about server-side 2FA support for IMAP. Could you provide any relevant links? – user664833 Apr 19 '20 at 20:31
  • @user664833: Google and probably others support 2FA with IMAP using the XAUTH2 authentication method - so there is obviously support on the server side at least with some server implementations. But I focused on the client side since there is where the login credentials must be provided. See [here](https://developers.google.com/gmail/imap/xoauth2-protocol) for a description of how XAUTH2 works. – Steffen Ullrich Apr 19 '20 at 20:37
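An added example, not part of the original answer or comments: the XOAUTH2 exchange from the Google document linked above, with both the client's initial response and a server-side check. The point it shows is that only a bearer token crosses the IMAP connection; the password and second factor are handled earlier, in the OAuth2 web flow. The token store, function names and sample values are constructed for illustration.

```python
import base64
import json

# Constructed stand-in for the provider's token validation: token -> subject, expiry.
ISSUED = {"tok-constructed-123": {"sub": "alice@example.com", "exp": 2_000_000_000}}


def build_xoauth2(user: str, access_token: str) -> str:
    """Client side: base64 of 'user=<u>^Aauth=Bearer <token>^A^A' (^A is 0x01)."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


def parse_xoauth2(b64: str) -> dict:
    """Server side: decode the initial response; raise ValueError if malformed."""
    raw = base64.b64decode(b64, validate=True).decode()
    if not raw.endswith("\x01\x01"):
        raise ValueError("missing ^A^A terminator")
    fields = dict(part.split("=", 1) for part in raw[:-2].split("\x01"))
    scheme, _, token = fields.get("auth", "").partition(" ")
    if "user" not in fields or scheme != "Bearer" or not token:
        raise ValueError("not a Bearer XOAUTH2 response")
    return {"user": fields["user"], "token": token}


def error_challenge() -> str:
    """Base64 JSON the server returns on failure (constructed sample values)."""
    body = {"status": "401", "schemes": "bearer", "scope": "https://mail.google.com/"}
    return base64.b64encode(json.dumps(body).encode()).decode()


def authenticate(b64: str, now: int):
    """Return (ok, challenge). No password or OTP is ever seen here, only the token."""
    try:
        req = parse_xoauth2(b64)
    except ValueError:
        return False, error_challenge()
    info = ISSUED.get(req["token"])
    # The token must exist, belong to the claimed mailbox, and be unexpired.
    if info is None or info["sub"] != req["user"] or info["exp"] <= now:
        return False, error_challenge()
    return True, ""


if __name__ == "__main__":
    resp = build_xoauth2("alice@example.com", "tok-constructed-123")
    print("C: A1 AUTHENTICATE XOAUTH2", resp)
    print("S:", authenticate(resp, now=1_700_000_000))
```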