Don't get phished! Says Sonic Support, but no MFA on email?

General discussions and other topics.
13 posts Page 1 of 2
by abrinton » Tue Sep 21, 2021 9:29 am
I'm a long time (20 year) Sonic customer. I was surprised (and saddened) to get the "Don't get phished" email the other day from Sonic. It was a stark reminder of the total failure to implement modern authentication on the email system.

It's 2021 for goodness sake. Gmail has had MFA on email for 10 years. All the major providers have MFA.

It is EXTREMELY well documented that bad actors breach email accounts and use the account to reset passwords on other accounts, like banks, credit cards, etc. They use email accounts to phish other contacts. They use it for all kinds of bad stuff. I don't want to lose my accounts tied to Sonic because of this.

I contacted support again about this when I got the "Don't get phished" email and got this reply this morning:
"We do not currently have MFA for sonic email as of yet. One of the difficulties with implementing that is most people use email clients which access the server automatically to update mail. We would have to implement a procedure to restrict that to manual instances in order to implement MFA. As such it isn't easily practical to implement widely. I will pass on your feedback to our team though."..."I would also recommend commenting on the forum regarding this implementation. Our system admins keep an eye on it. I believe there is also a recent thread with regards to this issue."

I know these projects aren't easy, and may cause some inconvenience. However, the inconvenience and risks of having your email account breached are greater, and have been for a long time. Password auth is not viable in this day and age.

I'm glad the SysAdmins read the boards, I hope also the Security team and Dane read it also and can muster the organizational will to fix this issue.

Here are a couple of other threads about this; I didn't look very hard and I'm sure there are more...
viewtopic.php?f=5&t=14516
viewtopic.php?f=10&t=16619

Adrian
by ngufra » Wed Sep 22, 2021 8:32 am
I don't see how supporting MFA would prevent someone from sending you an email.
by igorru » Wed Sep 22, 2021 12:03 pm
It would not, but here is the scenario that Adrian is worried about:

1. An attacker sends a phishing email to an @sonic.net email address
2. Victim opens that email and inadvertently follows the link thinking it is legit
3. As a result of a successful phishing attack the attacker gains access to that e-mail account
4. Attacker then goes to the Any Bank website where the victim has a bank account
5. While trying to log in to the victim's bank account, the banking system sends a password reset e-mail to the victim's @sonic.net email address
6. Attacker, who has access to the victim's e-mail, reads it and resets the victim's banking account password

MFA on the e-mail system would prevent the attacker from gaining access to the email account even if they managed to trick the victim into disclosing the login and password.
by ngufra » Wed Sep 22, 2021 2:10 pm
Sonic provides internet access and email accounts, but I don't think it's their role to provide this kind of feature (2FA on email).
I don't personally use Sonic's email. I don't think email should be tied to one's current internet access provider. I use my own domain and host my mail server elsewhere.

Next, people are going to ask Sonic to rewrite the emails to wrap all the email links.
by igorru » Wed Sep 22, 2021 3:08 pm
I'm not in disagreement with you. I also do not use Sonic's email. Whatever comes to that address is getting forwarded and I do not use that address for any third-party services. That said, not everyone is an advanced user like us.

Implementing MFA on an e-mail service is a pretty big ask since it involves multiple connection protocols with vastly different implementations, but it can be done. Let's just leave it up to Sonic to decide when or even if they can do it.
by kgc » Wed Sep 22, 2021 3:29 pm
TL;DR: Supporting application specific passwords and associated user preferences is on our road map. I don't have an estimate for when it will be available at this time.

MFA for Email (SMTP, POP3 & IMAP) is complicated and isn't, practically speaking, widely used or supported by anyone that I'm aware of. Since the protocols and clients either don't support or don't widely support secondary authentication methods, MFA requires doing things like concatenating the password and MFA token and providing that as the password. That may have some limited applications but is a non-starter in most circumstances. What you do see, however, is application specific passwords or tokenized authentication that allows clients to be configured without the primary username and/or password. Application specific passwords should be able to be limited to specific protocols, and additionally the option to require them should be available to the user.

The above, of course, does not apply to web based email services, which are not bound by the constraints of the underlying protocols and have the ability to store cookies and session data that make MFA simple and straightforward to use.
Kelsey Cummings
System Architect, Sonic.net, Inc.
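Kelsey's reply describes two ways a mail server can offer a second factor over protocols that only carry a username and a password: an application-specific password scoped to particular protocols (with a user preference to require them), and the fallback of concatenating the primary password with the MFA token. The following Python sketch is added here as an illustration and is not Sonic's code or anything from the thread; the `MailAuth` backend, the protocol names, the result strings and the use of the RFC 6238 test secret are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass, field

TOTP_STEP = 30        # seconds per TOTP window (RFC 6238 default)
TOTP_DIGITS = 6       # code length a user would type after the password
PBKDF2_ROUNDS = 100_000


def totp(secret: bytes, now: float, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time window that contains `now`."""
    counter = int(now) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def _hash(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 so neither primary nor app passwords are stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class AppPassword:
    label: str             # e.g. "Thunderbird on laptop", shown in the user's settings
    protocols: frozenset   # protocols this password is valid for, e.g. {"imap", "smtp"}
    salt: bytes
    digest: bytes


@dataclass
class Account:
    salt: bytes
    pw_digest: bytes
    totp_secret: bytes
    require_app_passwords: bool = False   # user preference: refuse the bare primary password
    app_passwords: list = field(default_factory=list)


class MailAuth:
    """Toy mail-server authentication backend (constructed for this example)."""

    def __init__(self):
        self.accounts: dict = {}
        self._dummy_salt = secrets.token_bytes(16)

    def add_account(self, username: str, password: str, totp_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(salt, _hash(password, salt), totp_secret)

    def issue_app_password(self, username: str, label: str, protocols) -> str:
        """Create a random per-client password; the plaintext is shown to the user once."""
        plaintext = secrets.token_urlsafe(18)
        salt = secrets.token_bytes(16)
        self.accounts[username].app_passwords.append(
            AppPassword(label, frozenset(protocols), salt, _hash(plaintext, salt)))
        return plaintext

    def authenticate(self, username: str, protocol: str, presented: str, now: float = None) -> str:
        now = time.time() if now is None else now
        acct = self.accounts.get(username)
        if acct is None:
            _hash(presented, self._dummy_salt)   # keep timing similar for unknown users
            return "denied"

        # 1. Application-specific password, valid only for the protocols it was issued for.
        for ap in acct.app_passwords:
            if hmac.compare_digest(_hash(presented, ap.salt), ap.digest):
                return "ok:app-password" if protocol in ap.protocols else "denied:wrong-protocol"

        # 2. Primary password with the current TOTP code appended (the concatenation scheme).
        if len(presented) > TOTP_DIGITS:
            password, code = presented[:-TOTP_DIGITS], presented[-TOTP_DIGITS:]
            if (hmac.compare_digest(_hash(password, acct.salt), acct.pw_digest)
                    and hmac.compare_digest(code.encode(), totp(acct.totp_secret, now).encode())):
                return "ok:password+totp"

        # 3. Bare primary password: legacy path, refused once the user opts in to app passwords.
        if hmac.compare_digest(_hash(presented, acct.salt), acct.pw_digest):
            return "denied:app-password-required" if acct.require_app_passwords else "ok:password"
        return "denied"


if __name__ == "__main__":
    auth = MailAuth()
    auth.add_account("alice", "correct horse battery", b"12345678901234567890")  # RFC 6238 test secret
    app_pw = auth.issue_app_password("alice", "Thunderbird", {"imap", "smtp"})
    print(auth.authenticate("alice", "imap", app_pw))    # ok:app-password
    print(auth.authenticate("alice", "pop3", app_pw))    # denied:wrong-protocol
    code = totp(b"12345678901234567890", time.time())
    print(auth.authenticate("alice", "imap", "correct horse battery" + code))
```

The app-password path is checked first because a stolen primary password then buys nothing on IMAP, POP3 or SMTP once `require_app_passwords` is set, while the concatenation path shows why Kelsey calls it a non-starter: every automatic mail check would need a freshly typed code.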
by igorru » Wed Sep 22, 2021 4:24 pm
kgc wrote:
> TL;DR: Supporting application specific passwords and associated user preferences is on our road map. I don't have an estimate for when it will be available at this time.
>
> MFA for Email (SMTP, POP3 & IMAP) is complicated and isn't, practically speaking, widely used or supported by anyone that I'm aware of.

Works with Gmail, for example: POP, IMAP, SMTP, and web.
by kgc » Wed Sep 22, 2021 4:36 pm
igorru wrote:
> kgc wrote:
> > TL;DR: Supporting application specific passwords and associated user preferences is on our road map. I don't have an estimate for when it will be available at this time.
> >
> > MFA for Email (SMTP, POP3 & IMAP) is complicated and isn't, practically speaking, widely used or supported by anyone that I'm aware of.
>
> Works with Gmail, for example: POP, IMAP, SMTP, and web.

Can you point out the documentation for it? All I see are instructions on how to use application passwords.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by igorru » Wed Sep 22, 2021 4:52 pm
Don't know of any documentation specifically, but I have 2FA enabled on my account, and when I set up Thunderbird to access my mail with IMAP using my usual login info it popped up a login confirmation on my phone. Once I confirmed it Thunderbird was able to proceed and start downloading mail.
by igorru » Wed Sep 22, 2021 5:06 pm
I just looked into it some more. I see that it works with Thunderbird this way because it supports OAuth.
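igorru's observation is the usual way out of the constraint Kelsey describes: with OAuth the IMAP client never sends the mailbox password at all. It presents a short-lived bearer token that was obtained in an interactive login where the second factor was checked, and the mail protocol only has to carry that token. The following Python example is added here and is not taken from the thread or from any provider's code; it encodes the SASL XOAUTH2 initial response in the format Google documents (`user=<addr>\x01auth=Bearer <token>\x01\x01`, base64-encoded) and shows the server-side checks. The `TokenIssuer` class, the `mail.imap` scope name and the response strings are constructed stand-ins, and the failure path is simplified (a real server answers with a base64 JSON challenge before the NO).

```python
import base64
import binascii
import secrets
from dataclasses import dataclass

IMAP_SCOPE = "mail.imap"   # assumed scope name; real providers use their own scope strings


@dataclass
class IssuedToken:
    subject: str          # the mailbox the token was issued for
    scopes: frozenset     # what the token may be used for (IMAP, SMTP, ...)
    expires_at: float     # Unix time after which the token is rejected


class TokenIssuer:
    """Stand-in for the provider's OAuth authorization server (constructed for this example).
    The interactive login, including the second factor, happens before issue() is called;
    the mail protocols only ever see the resulting short-lived bearer token."""

    def __init__(self):
        self._tokens: dict = {}

    def issue(self, subject: str, scopes, now: float, ttl: int = 3600) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = IssuedToken(subject, frozenset(scopes), now + ttl)
        return token

    def introspect(self, token: str):
        return self._tokens.get(token)


def xoauth2_initial_response(user: str, access_token: str) -> str:
    """Client side: encode the SASL XOAUTH2 initial response (no password involved)."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()
    return base64.b64encode(raw).decode()


def imap_authenticate_command(tag: str, user: str, access_token: str) -> str:
    """The line a client such as Thunderbird sends instead of `LOGIN user password`."""
    return f"{tag} AUTHENTICATE XOAUTH2 {xoauth2_initial_response(user, access_token)}"


def parse_xoauth2(initial_response: str):
    """Server side: decode and validate the initial response; raises ValueError if malformed."""
    try:
        raw = base64.b64decode(initial_response, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("bad encoding") from exc
    if not raw.endswith("\x01\x01"):
        raise ValueError("missing terminator")
    fields = {}
    for part in raw[:-2].split("\x01"):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError("field without '='")
        fields[key] = value
    scheme, _, token = fields.get("auth", "").partition(" ")
    if "user" not in fields or scheme != "Bearer" or not token:
        raise ValueError("missing user or bearer token")
    return fields["user"], token


def imap_authenticate(issuer: TokenIssuer, initial_response: str, now: float) -> str:
    """Server side: check the bearer token with the issuer. The account password is never seen here,
    so a phished password on its own does not open an IMAP session."""
    try:
        user, token = parse_xoauth2(initial_response)
    except ValueError:
        return "NO malformed"
    info = issuer.introspect(token)
    if info is None:
        return "NO invalid token"
    if info.expires_at <= now:
        return "NO expired"
    if info.subject != user:
        return "NO user mismatch"
    if IMAP_SCOPE not in info.scopes:
        return "NO insufficient scope"
    return f"OK {user} authenticated"


if __name__ == "__main__":
    issuer = TokenIssuer()
    token = issuer.issue("alice@example.net", {IMAP_SCOPE}, now=1000)
    print(imap_authenticate_command("A001", "alice@example.net", token))
    print(imap_authenticate(issuer, xoauth2_initial_response("alice@example.net", token), now=1500))
```

Because the token is bound to a subject, a scope and an expiry, a client configured for IMAP cannot reuse it for SMTP, and a leaked token stops working within the hour; that is the property app-specific passwords approximate and a bare password over IMAP cannot provide.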