On Sat, Apr 26, 2025 at 7:57 AM Sam Varshavchik mrsam@courier-mta.com wrote:
Jeffrey Walton writes:
One of the most important reasons I use Gmail is because it supports multi-factor authentication (mfa). MFA is great at helping keeping an account secure. Consider, the IETF has never updated SMPT, IMAP or POP to include MFA workflows.
Neither SMTP, or IMAP, or POP3, will ever "include MFA workflows" for the same reason that, say, a recipe for a strawberry shortcake will never include jalapeno peppers: it does not belong there. All three protocols implement SASL, and that's as far as they go, or should go.
A brief search finds several implementations of OTP on top of SASL. There's your MFA for SMTP, IMAP, and POP3. You're welcome.
From RFC 9051, Section 6.2.2. AUTHENTICATE Command, https://datatracker.ietf.org/doc/rfc9051/:
Note that the SASL framework allows for the creation of SASL mechanisms that support 2-factor authentication (2FA); however, none are fully ready to be recommended by this document.
Jeff