2FA - Europe - NIS2
Problem reported by Sabatino - Today at 3:21 AM
Let's get ready.
In Europe, the NIS2 regulation is in place, and as time goes by, the requirements will become increasingly stringent.
Specifically, I was analyzing how SM manages 2FA for accounts, and I have a few observations to make.

Correct: When 2FA is set up for an account, complex IMAP/SMTP passwords are generated by the system...

Incorrect: If the user changes the account password, the complex IMAP/SMTP passwords are not regenerated. The user would have to do it manually. I believe this is the wrong approach, because if I change the password for security reasons (possible compromise or password expiration time limit, if set), the passwords for IMAP/SMTP services must also change.

Furthermore, as is already the case with other services (European certified email - certified email with legal validity in Europe), passwords for services must have a mandatory expiration time, as they are not linked to 2FA. In fact, a user might not change the account password since 2FA is still in place, but passwords for IMAP/SMTP services etc. cannot have an indefinite validity.
Sabatino Traini
Chief Information Officer
Genial s.r.l.
Martinsicuro - Italy
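A constructed model of the lifecycle the post asks for, added here as an illustration and not SmarterMail's own code: service (IMAP/SMTP) passwords are reissued whenever the primary password changes and carry a mandatory expiry. The 90-day lifetime, the `Account` class and all names are assumptions.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

LIFETIME = timedelta(days=90)  # assumed expiry policy for IMAP/SMTP passwords

def _pbkdf2(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def _record(secret: str, expires):
    # Only a salted hash and the expiry are stored, never the plaintext.
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _pbkdf2(secret, salt), "expires": expires}

class Account:
    def __init__(self, primary_password: str):
        self.primary = _record(primary_password, None)  # primary never expires here
        self.services = {}  # service name -> credential record

    def issue_service_password(self, service: str, now: datetime) -> str:
        plaintext = secrets.token_urlsafe(24)  # system-generated, shown to the user once
        self.services[service] = _record(plaintext, now + LIFETIME)
        return plaintext

    def change_primary_password(self, new_password: str, now: datetime) -> dict:
        # Reissue every service password so a leaked IMAP/SMTP credential does
        # not outlive the primary change; return them so the user can be informed.
        self.primary = _record(new_password, None)
        return {s: self.issue_service_password(s, now) for s in list(self.services)}

    def verify_service(self, service: str, candidate: str, now: datetime) -> bool:
        rec = self.services.get(service)
        if rec is None or now >= rec["expires"]:  # unknown service or past expiry
            return False
        return secrets.compare_digest(rec["hash"], _pbkdf2(candidate, rec["salt"]))

def demo() -> dict:
    # Constructed walk-through of the scenario in the post; every value should be True.
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    acct = Account("old-primary")
    old = acct.issue_service_password("imap", t0)
    checks = {"valid_before_change": acct.verify_service("imap", old, t0),
              "rejected_after_lifetime": not acct.verify_service("imap", old, t0 + LIFETIME)}
    new = acct.change_primary_password("new-primary", t0)
    checks["old_revoked_after_change"] = not acct.verify_service("imap", old, t0)
    checks["new_accepted_after_change"] = acct.verify_service("imap", new["imap"], t0)
    return checks
```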

Douglas Foster Replied
Wow. That creates a problem: how is the user informed that his password is about to expire and needs to be changed? Seems like he finds out after things break.
Derek Curtis Replied
Employee Post
I've forwarded this to the devs. We'll take a look at how we can improve things on the Two-Step side to accommodate these needs. I'm interested in this discussion, though.
Derek Curtis COO SmarterTools Inc. www.smartertools.com
