I wonder how long it'll be before large companies require DNSSEC (and verify) + TLS for delivering email 2FA codes.
My guess is never, despite the relative ease that those codes can be spied upon.
Conversation
Replying to
Likely never. But if you have the choice of sending a 2FA code to either GMail or an SMS target, pretty please, pick GMail.
1
2
1
It's less bad than SMS but barely anything will send email to Gmail with authenticated encryption because they only offer MTA-STS and while setting up receiving MTA-STS is just a minor pain, setting up outbound MTA-STS verification is far worse. Gmail's max-age is only 24h too.
Gmail similarly doesn't deploy enforcing DMARC so people can spoof mail from Gmail addresses to other providers unless they hard-wire enforcing DMARC for Gmail which they mostly don't do. They expect others to do it but aren't willing to deploy it due to users with bad setups.
Yep. My only assertion is that it’s, on average, markedly less bad than the way SMS will typically get from the 2FA service to the mobile device.
1