On 29/04/2021 13:11, Eric S Fraga wrote:
> Dystopian is right. Our organization, using O365, has moved to
> "multi-factor authentication" without consultation and I can no longer
> use gnus, for instance. Absolutely horrible.

Ask your administrator to enable "Per Application Passwords" -
https://docs.microsoft.com/en-us/azure/active-directory/user-help/multi-factor-authentication-end-user-app-passwords

The idea here is that, if a human is logging in, they still provide two factors (something they know and something they have) via the TOTP mechanism. But for automated access, where an application is logging in on behalf of that user, the user generates a long one-off password ONLY for that application.

This works a bit like an API key - password #1 is for gnus on laptop 1, password #2 is for Fetchmail on laptop 1, password #3 is for gnus on laptop 2 and so on. Each instance of an application gets its own long password.

It's ostensibly more secure than storing the user's password in that application because:

* Per-App passwords are computer-generated. They can be tested for high entropy and regenerated instantaneously, before a "good" password is offered to the user. (I don't know whether this is actually done, or whether it's just the output of a pRNG password generator)
* Per-App passwords can be revoked without spoiling access to other applications. Did laptop 2 get stolen? Just revoke password #3 and you don't need to change the passwords stored on Laptop 1.
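
Added example, not part of the original message and not Microsoft's implementation: a minimal model of the per-application password scheme described above, showing why revoking one credential leaves the others working. The `AppPasswordStore` class, the labels and the address `user@example.org` are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class AppPasswordStore:
    """Hypothetical server-side store: one independent secret per app instance."""

    def __init__(self):
        self._creds = {}  # (user, label) -> SHA-256 digest of the app password

    def issue(self, user, label):
        # 24 bytes from the OS CSPRNG = 192 bits; no human-chosen input.
        password = secrets.token_urlsafe(24)
        # A fast hash is enough here because the secret is long and random.
        self._creds[(user, label)] = hashlib.sha256(password.encode()).digest()
        return password  # shown once; only the digest is kept

    def verify(self, user, password):
        """Return the label this password was issued for, or None."""
        candidate = hashlib.sha256(password.encode()).digest()
        matched = None
        for (owner, label), digest in self._creds.items():
            if owner == user and hmac.compare_digest(digest, candidate):
                matched = label
        return matched

    def revoke(self, user, label):
        """Delete one credential; returns False if it did not exist."""
        return self._creds.pop((user, label), None) is not None


def stolen_laptop_scenario():
    """Constructed scenario from the message: laptop 2 is stolen, password #3 revoked."""
    user = "user@example.org"
    store = AppPasswordStore()
    labels = ["gnus@laptop1", "fetchmail@laptop1", "gnus@laptop2"]
    issued = {label: store.issue(user, label) for label in labels}
    store.revoke(user, "gnus@laptop2")
    # Map each issued password to what the server now says about it.
    return {label: store.verify(user, pw) for label, pw in issued.items()}


if __name__ == "__main__":
    for label, result in stolen_laptop_scenario().items():
        print(f"{label}: {'accepted' if result else 'rejected'}")
```

Because `verify` returns the label that matched, a server built this way can also log which application instance authenticated, which helps when deciding what to revoke.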