IMAP Attacks Used to Bypass 2FA


#1

This is an interesting read this morning (for me at least):

I haven’t noticed any significant attacks against the protocol in a while, so this must be fairly targeted.


#2

I thought Google only allow “app passwords” for IMAP, rather than regular account passwords? At least for my legacy free Google Apps account, I need to use an app password for IMAP and SMTP.

I guess this is a reason my employer only allows apps that support two factor auth via ActiveSync or whatever the latest Microsoft protocol is (Outlook, Nine on Android), and new devices or apps that log in are temporarily quarantined until approved by IT.


#3

Premium, that's why you can disable IMAP when using Web + 2FA.
You “should” be able to disable it, hopefully.