Webdav 2FA create separate passcodes

Hi

Enabling WebDAV does compromise the 2FA-enabled accounts because all files are accessible without the second challenge… For example, in Zimbra this problem is solved with the possibility to create a passcode for every application that does not support 2FA… With this possibility I have a separate passcode for every connected device or program.


Do you create these ApplicationCodes in Zimbra?

Yes, for IMAP access from the iPhone, for example.

This is really needed.

Supporting 2FA while not supporting app passwords is a serious problem.
That feature would be highly appreciated.

Cool… so it means bonding to a device, and each device has its own code?
Is my understanding correct?

Maybe not bonding to devices but to use cases:

  • User wants to login use case:
    2FA is great because the user can use a one-time password for improved security.
  • Application A wants to login use case:
    App A cannot store credentials and has to give a 2FA token at each login. 2FA is impractical.
  • Application B wants to login use case:
    App B may have more than 30s between the moment the user can input the 2FA token and the token is sent. The token has expired. 2FA is unusable.

I find separate device passwords impractical.

Best way is a password + 2FA for any login.

At least from a user's standpoint.

And how would you deal with WebDAV connections to Seafile? I think there is no 2FA at the moment…

@mulmer app passwords are not meant to replace user’s password/2FA logins. The purpose of app passwords is to allow users to authenticate when 2FA is impossible/impractical to use. It’s an alternative to 2FA.
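
The app-password scheme this thread asks for, as an added sketch that is not Seafile's or Zimbra's code and not part of any post: each application gets its own revocable passcode that works only on the non-interactive channel, while the main password alone never bypasses 2FA. All names (`AppPasswordStore`, `authenticate`, the `accounts` layout) are hypothetical, and `totp_ok` stands in for a real one-time-code check.

```python
import hashlib
import hmac
import secrets

def digest(secret):
    # SHA-256 is adequate for random 192-bit passcodes; a real server would
    # store the human-chosen main password with a slow KDF instead.
    return hashlib.sha256(secret.encode()).digest()

class AppPasswordStore:
    """Hypothetical store: one revocable passcode per (user, application)."""
    def __init__(self):
        self._codes = {}  # (user, label) -> digest; plaintext is never kept

    def create(self, user, label):
        code = secrets.token_urlsafe(24)  # shown to the user once
        self._codes[(user, label)] = digest(code)
        return code

    def revoke(self, user, label):
        return self._codes.pop((user, label), None) is not None

    def match(self, user, secret):
        candidate = digest(secret)
        for (owner, label), stored in self._codes.items():
            if owner == user and hmac.compare_digest(stored, candidate):
                return label
        return None

def authenticate(store, accounts, user, secret, channel, totp_ok=False):
    """channel is 'web' (interactive login) or 'webdav' (Basic auth client)."""
    account = accounts.get(user)
    if account is None:
        return False
    main_ok = hmac.compare_digest(account["password"], digest(secret))
    if channel == "web":
        # Interactive login: main password plus second factor; passcodes refused.
        return main_ok and (totp_ok or not account["2fa"])
    if channel == "webdav":
        if store.match(user, secret) is not None:
            return True
        # The main password alone works over WebDAV only when 2FA is off.
        return main_ok and not account["2fa"]
    return False
```

Revoking the passcode of a lost device leaves the main password, the second factor and every other application's passcode untouched.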

Is this being considered at all? WebDAV may be ancient but it’s such a standard, I find it greatly useful to have for various integrations, but we can’t deny it’s a major security hole without some sort of passcode functionality.

1 Like

I would be interested as well 🙂

I was not able to connect to WebDAV as a user with 2FA. So I guess it is protected. Would it be possible to have a WebDAV directory that is not protected by 2FA so apps can use that sub-directory? At the moment I created another user without 2FA to provide WebDAV but that is far from ideal.

1 Like