2FA and app-passwords (like GMail, ...)
Dear Support,
it is very nice that you have set up 2FA (TOTP) support for webmail. However, in this way the functionality is unfortunately insufficient, as no additional security is achieved.
Example:
My password is “simpler” and 2FA is enabled. In this situation, access to the webmailer is sufficiently protected, as a potential attacker would need to both guess or spy on the password and use the associated second factor (TOTP).
However, since only the webmailer is secured, this unfortunately does not help very much. Access via SMTP, CalDAV/CardDAV, ActiveSync, IMAP is unrestricted with the simple password without a second factor and thus full access to the respective mailbox is possible even without 2FA. SMTP and ActiveSync will also remain regularly accessible from the outside, as this is a desired functionality (IMAP could be protected via VPN).
Many other providers therefore go a different way. Each account has a password as well as optionally a second factor. Additionally, any number of other app passwords can be generated. The goal here is that these passwords are longer and more complex and only have to be stored once when configuring third-party software (email client, Activesync device, …).
(for example Google mail, Kerio Connect, MDaemon, …)
Will this also be implemented for Axigen in the future, since 2FA (TOTP) currently does not provide any security gain and is only “wastepaper”?
I hope the text is understandable, because it was partially generated with an automatic translator.
---> Any other idea is welcome, but 2FA only with webmail isn't sufficient to secure the server and the mailbox because more ways to authenticate without 2FA are available (SMTP, IMAP, ActiveSync...). App passwords are also only a crutch, but I think the most effective way.
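As an added illustration of the app-password model the post asks for (constructed example, not Axigen's code or any provider's implementation): the primary password is accepted only in webmail and only together with a verified TOTP code, while IMAP, SMTP, ActiveSync and CalDAV/CardDAV accept only long random app passwords that are stored hashed, scoped to a service and individually revocable. The `totp_ok` flag stands in for the TOTP check itself, which is assumed to happen elsewhere.

```python
import hashlib, hmac, secrets
from dataclasses import dataclass, field

# Constructed model, not Axigen's code. These are the protocols the post names
# as reachable with the plain password when only webmail enforces TOTP.
NON_WEBMAIL = {"imap", "smtp", "activesync", "caldav", "carddav"}

def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)

def _match(secret: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(_hash(secret, salt), digest)

@dataclass
class AppPassword:
    label: str       # e.g. "phone ActiveSync": one client can be revoked alone
    protocols: set   # scope: services this password may log in to
    salt: bytes
    digest: bytes
    revoked: bool = False

@dataclass
class Account:
    salt: bytes
    pw_digest: bytes
    totp_enabled: bool = False
    app_passwords: list = field(default_factory=list)

def make_account(password: str, totp_enabled: bool) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt, _hash(password, salt), totp_enabled)

def issue_app_password(acct: Account, label: str, protocols: set) -> str:
    # Long random token, shown to the user once; only its hash is stored.
    token, salt = secrets.token_urlsafe(24), secrets.token_bytes(16)
    acct.app_passwords.append(AppPassword(label, set(protocols), salt, _hash(token, salt)))
    return token

def authenticate(acct: Account, protocol: str, secret: str, totp_ok: bool = False) -> bool:
    """With TOTP enabled, the primary password works only in webmail and only with
    a verified code (totp_ok); every other protocol accepts scoped app passwords only."""
    if protocol == "webmail":
        return _match(secret, acct.salt, acct.pw_digest) and (totp_ok or not acct.totp_enabled)
    if protocol not in NON_WEBMAIL:
        return False  # unknown service: deny
    if not acct.totp_enabled:  # legacy behaviour: primary password usable everywhere
        return _match(secret, acct.salt, acct.pw_digest)
    return any(not ap.revoked and protocol in ap.protocols
               and _match(secret, ap.salt, ap.digest) for ap in acct.app_passwords)
```

With this policy a leaked or guessed primary password no longer opens IMAP or ActiveSync, and a compromised device is cut off by revoking its one app password without touching the others.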
-
Benny Sumitro commented
We also need these features as more and more password breaches are common. Standard 2FA from the web is not enough, as the TS mentioned above; we could breach from IMAP. And this has already happened in our network. I hope Axigen could add these features as other brands (i.e.: "Z" brand).