Re: [Evolution] unable to save read port

[Pete Biggs <pete biggs org uk>]

On Mon, 2022-07-04 at 11:10 +0200, Jaroslaw Rafa via evolution-list
wrote:
> Dnia  4.07.2022 o godz. 10:04:49 Pete Biggs pisze:
> > By far the most prevalent form of email "hacking" is phishing. Both App
> > Passwords and OAuth2 (and also MFA) dissociate your password from being
> > the only thing necessary to gain access to your email.  In that way,
> > they are a significant increase in overall mail security.
>
> But if you don't have MFA configured (and I assume the OP did not have,
> since if you had MFA you won't be able to login to IMAP via password only
> anyway) and someone knows your password, he can login to your email anyway
> using the web interface.

But that's the point.  He couldn't login using his password, Yahoo
requires an App Password or OAuth2 if you are using IMAP. Both methods
need you to login via the web, which allows them to control the
security rather than relying on a less secure IMAP connection.

> So what advantage in terms of security does disabling a password login via
> IMAP give if someone can still login using the same password via the web
> interface?

Because there are things happening when you login via the web that are
not obvious - things like browser identity, cookies, two stage login
etc. etc. They all have to be correct for you to login with just a
password. If they aren't, then it will ask for the extra factor. These
are things that can't be done for an IMAP connection.

But this is now way, way, of topic for this list.

P.