Hi all.
I find the UI to configure 2FA or passkeys for administrators pretty confusing in total.
I have an admin user configured who has both several WebAuthn instances as a second factor (as well as several passkeys registered for “Login with Fido2”, which doesn’t matter for 2FA).
Still, there is no checkmark in the TFA column in the table where all existing administrators are shown for that respective administrator. Seems like a bug?
Then, I find it strange that I can’t completely remove passwords at all. IMHO it would be the safest to authenticate with passkeys only and not allow passwords. This doesn’t seem to be possible, or am I missing how to do it?
And the most confusing thing is when trying to log in to an administrator account which has WebAuthn as a second factor as well as passkeys registered for “Login with Fido2”. I usually need a couple of tries until I get in.
I use different passkeys: two YubiKeys, Firefox on my M2 Mac (which I usually use in a clamshell setup, so I can’t use the fingerprint reader to prove my presence), and passkeys stored on my Pixel 9 Pro, linked via a QR code.
I realize that this is only a very high-level description of the scenario and user experience, but hopefully people can somehow understand and maybe even confirm this sub-optimal user experience.
I’m using WebAuthn/passkeys wherever it’s possible (literally on many dozens of sites), and the only site where I constantly have issues logging in is mailcow. :-(
I would be very interested in hearing your experience and your view. Many thanks in advance.