Home M3AAWG Blog Modern User Authentication for Email: Why Is It Needed, and What Could It Look Like?
Posted by the M3AAWG Content Manager

Modern authentication features (such as Multi-factor and Two-factor authentication (MFA/2FA), token-based auth, and auto-configuration) are commonly used in today's Internet applications.  These features enhance security for both end users and providers and are well known by today’s internet users.

Why We Need Modern User Authentication for Email

Email clients are a notable outlier, remaining mostly restricted to manual server configuration with username and password authentication.  If email clients adopted the standard authentication features used in most networked applications today, both security and the overall user experience would be significantly improved.

The Email Ecosystem Should Create and Encourage Modern Authentication Features

Email’s open standards architecture is its most compelling feature but also makes it difficult to drive change due to the vast number and types of stakeholders that exist in the ecosystem.  M3AAWG provides a unique opportunity to engage a broad sample of the email community due to the collection of senders, providers, infrastructure vendors, and standardization experts that are present, with the focus on security and user experience necessary to promote large-scale changes to email usage and behavior.

At M3AAWG 58 in Dublin, Ireland, as part of M3AAWG’s newly formed MFA/2FA Initiative, a session was held demonstrating why the email ecosystem should create and encourage modern authentication features in email.  The talk described why advanced authentication adoption has been slow in email, outlined necessary requirements to accomplish the goal, and proposed a working plan on how this goal can be achieved.  Additionally, a real-world case study from a Thunderbird email client developer was presented to explain and highlight current implementation difficulties, with proposals on how these problems can be addressed.

Looking Toward the Future

Two follow-up paths were identified. First, a standardized version of email connection autoconfiguration is going to be explored within an Internet Engineering Task Force (IETF) standards path. Autoconfiguration is necessary to use newer authentication methods, such as OAuth, and allows the provider-specific email account parameters to be determined without end-users needing to manually input technical configuration details.  Second, OAuth would need to be adapted to the needs of email client applications, which run on the user’s device, have long-running sessions for mail checks, and might not always have a web browser available. Specific proposals were made regarding how that could be accomplished.

M3AAWG members interested in this topic are encouraged to join the discussion by joining the initiative.  Participation in autoconfiguration standardization activities can be explored at https://www.bucksch.org/1/projects/autoconfiguration/.



The views expressed in DM3Z are those of the individual authors and do not necessarily reflect M3AAWG policy.