Re: [kitten] Fwd: I-D Action: draft-melnikov-scram-2fa-00.txt

Alexey Melnikov <> Thu, 19 March 2020 16:24 UTC

To: Florian Schmaus <>,
From: Alexey Melnikov <>
Date: Thu, 19 Mar 2020 16:24:17 +0000

Hi Florian,

On 19/03/2020 13:53, Florian Schmaus wrote:
> On 3/19/20 2:25 PM, Alexey Melnikov wrote:
>> Hi all,
>> As I had various conversations with people saying that SASL doesn't
>> support 2 factor authentication, I posted a short draft which shows how
>> to add 2 factor authentication to SCRAM. This is mostly a proof of
>> concept and I am planning to work on another draft explaining how to do
>> the same for SASL OAUTH.
>> (If I remember correctly I also talked to Dave Cridland about doing a
>> more generic extension to the SASL framework itself by allowing
>> protocols to invoke multiple SASL mechanism in a sequence and achieving
>> 2FA that way. I would be interested in developing this concept as well,
>> but it would take longer than just extending some existing SASL mechanisms.)
>> The IETF datatracker status page for this draft is:
>> If people can have a look and provide feedback, that would be much
>> appreciated.
> How does the client discover that the SCRAM 2FA extension is required?
> Is it encoded in the SASL mechanism name, akin to SCRAM -PLUS?

It could be done this way.

I was also thinking about not introducing new SASL mechanism names and 
just adding a mandatory attribute in the first message from the server to 
the client.

If you have an opinion on these options, please let me know.

Best Regards,
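The exchange discussed above, as an added example that is not part of the thread or of draft-melnikov-scram-2fa: a minimal SCRAM-SHA-256 client and server (RFC 5802 / RFC 7677) extended with a second factor, signalled the second way Alexey describes, by an attribute in the server-first message rather than by a new mechanism name. The attribute names are assumptions made for this example: the server reuses the RFC 5802 reserved `m=` mandatory-extension attribute with the hypothetical value `2fa` (an RFC 5802 client that does not understand `m=` must fail the authentication, which is what makes the attribute "mandatory"), and the client returns the one-time code in a hypothetical `t=` attribute of client-final. Because `t=` sits in client-final-without-proof, it is part of AuthMessage and therefore covered by ClientProof and ServerSignature. Names, passwords and codes are constructed test data; SCRAM escaping of `,` and `=` in usernames is omitted.

```python
# Added example: SCRAM-SHA-256 with a hypothetical second-factor extension.
# "m=2fa" in server-first and "t=<code>" in client-final are assumptions
# for this example, not attributes defined by draft-melnikov-scram-2fa.
import base64
import hashlib
import hmac
import os
import secrets


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def _parse(msg: str) -> dict:
    # SCRAM messages are comma-separated "k=value" attributes; the value may
    # itself contain "=" (base64 padding), hence split on the first "=" only.
    return dict(part.split("=", 1) for part in msg.split(","))


class Server:
    def __init__(self, users: dict, iterations: int = 4096, require_2fa: bool = False):
        # users: name -> (password, currently valid one-time code); constructed data.
        self.creds = {}
        for name, (password, otp) in users.items():
            salt = os.urandom(16)
            salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
            client_key = _hmac(salted, b"Client Key")
            self.creds[name] = {"salt": salt, "i": iterations, "otp": otp,
                                "stored_key": _h(client_key),
                                "server_key": _hmac(salted, b"Server Key")}
        self.require_2fa = require_2fa

    def server_first(self, client_first: str) -> str:
        self.client_first_bare = client_first[len("n,,"):]   # strip GS2 header
        attrs = _parse(self.client_first_bare)
        self.user = attrs["n"]
        c = self.creds[self.user]
        self.nonce = attrs["r"] + secrets.token_urlsafe(18)
        msg = f"r={self.nonce},s={_b64(c['salt'])},i={c['i']}"
        if self.require_2fa:
            # Hypothetical mandatory extension: a client that does not
            # understand "m=" must abort (RFC 5802 semantics of "m").
            msg = "m=2fa," + msg
        self.server_first_msg = msg
        return msg

    def server_final(self, client_final: str) -> str:
        attrs = _parse(client_final)
        without_proof = client_final[: client_final.rindex(",p=")]
        if attrs["r"] != self.nonce:
            raise ValueError("nonce mismatch")
        c = self.creds[self.user]
        auth_message = ",".join([self.client_first_bare, self.server_first_msg, without_proof]).encode()
        client_sig = _hmac(c["stored_key"], auth_message)
        client_key = _xor(base64.b64decode(attrs["p"]), client_sig)   # ClientProof XOR ClientSignature
        if not hmac.compare_digest(_h(client_key), c["stored_key"]):
            raise ValueError("bad password proof")
        if self.require_2fa and not hmac.compare_digest(attrs.get("t", ""), c["otp"]):
            raise ValueError("bad second factor")      # "t=" is inside AuthMessage, so it was covered by the proof
        return "v=" + _b64(_hmac(c["server_key"], auth_message))


class Client:
    def __init__(self, user: str, password: str, otp: str = "", supports_2fa: bool = True):
        self.user, self.password, self.otp, self.supports_2fa = user, password, otp, supports_2fa
        self.cnonce = secrets.token_urlsafe(18)

    def client_first(self) -> str:
        self.bare = f"n={self.user},r={self.cnonce}"
        return "n,," + self.bare      # no channel binding, no authzid

    def client_final(self, server_first: str) -> str:
        attrs = _parse(server_first)
        if "m" in attrs and not (self.supports_2fa and attrs["m"] == "2fa"):
            raise ValueError("server requires unsupported mandatory extension " + attrs["m"])
        if not attrs["r"].startswith(self.cnonce):
            raise ValueError("server nonce does not extend client nonce")
        salted = hashlib.pbkdf2_hmac("sha256", self.password.encode(),
                                     base64.b64decode(attrs["s"]), int(attrs["i"]))
        client_key = _hmac(salted, b"Client Key")
        self.server_key = _hmac(salted, b"Server Key")
        without_proof = f"c=biws,r={attrs['r']}"          # "biws" is base64("n,,")
        if "m" in attrs:
            without_proof += f",t={self.otp}"             # hypothetical second-factor attribute
        self.auth_message = ",".join([self.bare, server_first, without_proof]).encode()
        client_sig = _hmac(_h(client_key), self.auth_message)
        return without_proof + ",p=" + _b64(_xor(client_key, client_sig))

    def verify_server(self, server_final: str) -> bool:
        expected = _hmac(self.server_key, self.auth_message)
        return hmac.compare_digest(base64.b64decode(_parse(server_final)["v"]), expected)


def run_exchange(server: Server, client: Client) -> bool:
    """Drive the four SCRAM messages; True on mutual success, False on any failure."""
    try:
        sf = server.server_first(client.client_first())
        cf = client.client_final(sf)
        return client.verify_server(server.server_final(cf))
    except (ValueError, KeyError):
        return False


if __name__ == "__main__":
    users = {"alice": ("correct horse battery staple", "123456")}   # constructed
    print(run_exchange(Server(users, require_2fa=True), Client("alice", "correct horse battery staple", "123456")))
    print(run_exchange(Server(users, require_2fa=True), Client("alice", "correct horse battery staple", supports_2fa=False)))
```

The legacy-client case is the discovery property in miniature: a client that predates the extension never sees a new mechanism name, but it still cannot silently succeed, because the `m=` attribute makes it abort before sending a proof. The alternative of a distinct mechanism name (the `-PLUS` pattern) would move the same decision to mechanism selection, before the first message is sent.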