Is 2-Step Verification actually usable?

[tomscii]

Describe the bug Setup dialog

The user opens Settings and clicks on Security -> Configure 2-Step Verification. The resulting dialog has usability issues that are serious enough to throw off non-technical users and render this feature virtually unusable (as in, cannot promote it to a group of less geeky users).

• There is no clear visual indication of the flow the user must follow: first, make a shot of the QR code with their 2FA app; then, click the link 'test' and only then will they be able to tick the "Enable 2-Step verification" checkbox. The layout is confusing to anyone not already familiar with such a setup, not the least because the final Enable checkbox is the very first thing (upper left corner).

• When the user figures out that they need to click on the 'test' link and enter a time-based code from their mobile, the button "Test" turns green... and this sub-dialog on top must be closed with a separate click. The dialog should disappear on a successful test (and the user would ideally be guided to save their backup codes and finally enable 2-Step verification).

• The backup codes cannot be copy-pasted from the text area. I had to open the browser's Web tools, locate the textbox in the Inspector, and copy the content from the DOM tree. Definitely not a step for an average user.

• A button to download the backup codes as a TXT file would be nice (even in the absence of the above issue).

• There are 9 backup codes shown... why? It looks really odd and incomplete in the dual column text area. Why not 10?

• I also think that the user should be able to view his backup codes any time he wishes, i.e., the current behaviour of showing the codes on setup but not on later opening this same dialog is confusing, and does not add anything to security. The user should be able to save his (so far unused) backup codes any time, without having to click "Clear" and going through the whole setup process again.

Login with 2FA Now on to actually logging in with 2-Step verification. I can use the time-based code supplied by my TOTP app and it lets me in. A wrong code will not let me in (a popup mentioning "2-Step Verification failure" gives adequate feedback).

However, I cannot seem to use my backup codes. There is no bespoke place to enter them (or a way to state that I cannot generate a one-time code and want to use a backup code). If I just enter one of my backup codes as a Verification Code, I get a popup saying "Unknown error".

Expected behavior This is more of a general exploration of a closely related set of issues (some minor, others major), so the expected behaviour is not exactly clear-cut. However, there is a lot of prior art out there; I have 2FA enabled on lots of accounts and none was as obnoxious as this one. I think GitHub in particular has a very nice implementation.

Desktop (please complete the following information):

• Browser: Firefox 78.9.0esr
• SnappyMail Version: 2.5.0-rc2

Additional context I have not tested RainLoop with this, so it might be that this is something that has "always" been broken.

[tomscii]

A little update here, as I just had a few minutes to test this with latest RainLoop Community Edition.

Differences:

• I could seamlessly select and copy the backup codes from the 2FA setup window, no issues at all.
• On login, RainLoop will accept a backup code in place of a Verification Code.

What is even better, RainLoop will not accept the same backup code a second time (but will accept a different one). This is something I could not test with SnappyMail. In all, from a technical perspective, RainLoop's 2FA seems to work fine.

The rest of the issues (mostly around the usability of the setup dialog) are the same, but the above clearly seem like regressions in SnappyMail.

Again, this is not super important or urgent to me personally, rather I am raising the issue for your awareness.

And as always, thank you for your dedication and work spent on SnappyMail, I really appreciate all of it!

[the-djmaze]

Actually i was thinking to remove the whole 2FA. It's "fake security" when IMAP/SMTP ports are still remotely accessible.

Let met explain:

1. I know your password (by login attempts)
2. RainLoop shows 2FA so i can't login
3. I use IMAP/POP3 to login (which has no 2FA)
4. I use SMTP to send e-mail in your name (which has no 2FA)

[ervee]

I thought exactly the same! Still I use MFA on RainLoop. But what if the IMAP/SMTP(auth) server are exposed externally?

[tomscii]

True. And I completely understand (and principally agree with) your argument. But still, 2FA seems to be a feature in popular demand when it comes to accessing mail through the browser. Certain systems might be set up so that they restrict (or eliminate) access to imap/smtp, only offering webmail through the public internet (maybe they do offer imap/smtp from the inside network of the org). That would be a usecase where 2FA would have its merit.

As a sysadmin, I would never make it mandatory for all users (since, at least in a more generic usecase, one can argue that it's a false sense of additional security), but certain users will want to be able to enable it for themselves, so it would be nice if the option could be provided in a usable form.

[the-djmaze]

I will remove if for now, as it is currently a false sense of security. I will make a plugin for it (just like i did by moving change-password out of the core).

[the-djmaze]

Somehow removing the 2fa and revamp of languages made SnappyMail 0.2-0.4s faster.

Will make a 2fa plugin :wink:

What if the IMAP/SMTP(auth)cis not exposed externally?

Then MFA is great.

[ervee]

A plugin would be great! And what I also always missed in RainLoop wat 2FA/MFA on the ADMIN page :)

[the-djmaze]

@ervee i've added the 2FA TOTP to the admin login page. application.ini: admin_totp = ''

[the-djmaze]

This plugin will be available when 2.5.4 is released

[ervee]

@ervee i've added the 2FA TOTP to the admin login page. application.ini: admin_totp = ''

I was a bit lost on what to enter behind admin_totp :) I'm not sure if this is what you envisioned, but after enabling the 2FA plugin I logged in as regular user, went to settings > 2 Step... Then clicked "Activate", used the Secret to setup a manual 2FA for "SnappyMail Admin" (in my andOTP App), did a test, then clicked "Clear" (because I want a separate 2FA code for my admin). The Secret is what I also used in the admin_totp setting in application.ini and this works. I now have to use the code from my App to login to the admin panel, nice!

Of course you can also use the same Secret for your regular user and use it for admin_totp. Even if the 2-Step was already setup. At least in andOTP you can edit an entry and see the Secret. Just copy or share it from there.

[the-djmaze]

@ervee you don't need the 2FA plugin for admin account. Just drop a base32 string in the admin_totp = '' and use that base32 string in your andOTP client ;)

The plugin is only for users.

[ervee]

Okay. Is so just use some arbitrary string of [A-Z] and [0-9], say JG1UWKK6AUFJEBT99OALFHJE8J , put it in application.ini and my OTP App and this will also work? Will give that a try later when I can.

[the-djmaze]

so just use some arbitrary string of [A-Z] and [0-9]

Almost, Base32 has [2-7] NOT [0-9] Base32 was chosen for easy reading, typing 0 or O makes a difference ;)

[leofontenelle]

I will remove if for now, as it is currently a false sense of security. I will make a plugin for it (just like i did by moving change-password out of the core).

Thanks for SnappyMail in general and this attention to security in particular.

Maybe app-specific passwords would solve the lack of 2FA outside webmail?

https://www.fastmail.help/hc/en-us/articles/360058752854-App-passwords

(I'm only a user, so forgive me if this is obvious.)