# Email Authentication and Autoconfig Standardization Update
> [!note]-
> The content of this page is generated by audio/video transcription and text transformation from the content and links of this source.
Source: [https://fosdem.org/2025/schedule/event/fosdem-2025-4888-authentication-and-autoconfig-for-email-update-on-standardization-efforts/](https://fosdem.org/2025/schedule/event/fosdem-2025-4888-authentication-and-autoconfig-for-email-update-on-standardization-efforts/)
<video src="https://video.fosdem.org/2025/k4601/fosdem-2025-4888-authentication-and-autoconfig-for-email-update-on-standardization-efforts.av1.webm" controls></video>
## Summary & Highlights:
This session at FOSDEM 2025 explores the ongoing standardization efforts in email authentication and autoconfiguration. The speaker, Ben Bucksch, discusses the challenges of using passwords and presents alternatives such as OAuth2 and Passkeys. The discussion includes the benefits and drawbacks of these methods and the need for more reliable solutions to improve user experience and security.
**Introduction to Email Authentication and Autoconfiguration**
The session begins with an overview of the current issues in email authentication, particularly the reliance on passwords, which are often reused and insecure. It highlights the need for a more secure and user-friendly approach.
**Challenges with OAuth2**
OAuth2 is presented as a widely used solution, but it comes with significant challenges, especially for smaller email providers and open-source projects. The complexity of client registration and the lack of a standardized protocol make it difficult to implement effectively.
**The Potential of Passkeys**
Passkeys are introduced as a promising alternative, offering a more secure and user-friendly experience. The session details how Passkeys work and the ongoing efforts to standardize their use in email clients.
**Strategic Choices and Trade-offs**
The session concludes with a discussion of the strategic choices that need to be made in the standardization process, emphasizing the importance of community input and collaboration to ensure the best outcomes for all stakeholders.
## Importance for an eco-social transformation
The session is crucial for eco-social transformation as it addresses the need for secure and inclusive digital communication. By improving email authentication and configuration, it enhances digital accessibility and security for all users, including those using open-source and community-driven platforms. Eco-social designers can leverage these standards to create more secure and user-friendly communication tools. Challenges include overcoming technical barriers, ensuring widespread adoption, and addressing potential anti-competitive behaviors by major providers.
## Slides:
| | |
| --- | --- |
| ![[FOSDEM 2025/assets/Authentication-and-autoconfig-for-email-Update-on-/preview_001.jpg\|300]] | The first slide introduces the topic of multi-factor authentication for mail clients, emphasizing the need to move away from passwords. It sets the stage for exploring alternative authentication methods like OAuth2 and Passkeys to enhance email security.
| ![[FOSDEM 2025/assets/Authentication-and-autoconfig-for-email-Update-on-/preview_002.jpg\|300]] | This slide provides background information on Ben Bucksch, highlighting his extensive experience in email authentication and configuration. It mentions his contributions to Thunderbird and various OAuth2 implementations for mail clients.
| ![[FOSDEM 2025/assets/Authentication-and-autoconfig-for-email-Update-on-/preview_003.jpg\|300]] | The slide outlines the requirements from an end-user perspective, emphasizing the need for a simple setup process involving only an email address and password or multi-factor authentication. It stresses the importance of continuous mail checking without interruptions and strong security measures against unauthorized access.
| ![[FOSDEM 2025/assets/Authentication-and-autoconfig-for-email-Update-on-/preview_004.jpg\|300]] | This slide discusses the autoconfiguration process, which has been in use for 15 years across multiple mail clients. It highlights the adoption of an IETF draft that could soon become an official RFC, and the upcoming launch of resources like ISPDB and autoconfigure.email to facilitate email setup.
| ![[FOSDEM 2025/assets/Authentication-and-autoconfig-for-email-Update-on-/preview_005.jpg\|300]] | The slide provides a detailed XML configuration example for Microsoft 365, illustrating the autoconfiguration process for various services such as IMAP, SMTP, and OAuth2. It includes URLs for configuration specifications and highlights the use of well-known URLs for automatic email setup.
| ![[FOSDEM 2025/assets/Authentication-and-autoconfig-for-email-Update-on-/preview_006.jpg\|300]] | This slide introduces PACC, an alternative autoconfiguration method that uses DNS SRV and JSON. It assumes certain best practices, like using the email address as the IMAP username, and requires mail providers to adapt their configurations accordingly.
| ![[FOSDEM 2025/assets/Authentication-and-autoconfig-for-email-Update-on-/preview_007.jpg\|300]] | The slide emphasizes the need to eliminate passwords in favor of more secure methods like multi-factor authentication (MFA). It acknowledges the challenges OAuth2 presents for mail clients and introduces Passkeys as a potential solution.
| ![[FOSDEM 2025/assets/Authentication-and-autoconfig-for-email-Update-on-/preview_008.jpg\|300]] | This slide identifies the main issues with OAuth2, such as configuration complexities, client registration, and token expiry. It highlights the need for a more defined protocol to address these challenges and improve reliability.
| ![[FOSDEM 2025/assets/Authentication-and-autoconfig-for-email-Update-on-/preview_009.jpg\|300]] | The slide discusses the configuration challenges with OAuth2, noting that the specification does not define how to obtain configuration details, leading to hardcoded URLs and limited compatibility with smaller ISPs and self-hosted solutions. It suggests potential solutions like OpenID Connect and autoconfiguration.
| ![[FOSDEM 2025/assets/Authentication-and-autoconfig-for-email-Update-on-/preview_010.jpg\|300]] | This slide explores the challenges of client registration in OAuth2, highlighting the anti-competitive practices of some ISPs that make registration difficult. It contrasts this with the open-source ethos and suggests potential solutions to simplify registration.
| ![[FOSDEM 2025/assets/Authentication-and-autoconfig-for-email-Update-on-/preview_011.jpg\|300]] | The slide addresses the reliance on web browsers for OAuth2 authentication, which creates security and complexity issues, especially for non-UI clients. It suggests a simpler challenge/response mechanism as a potential solution.
| ![[FOSDEM 2025/assets/Authentication-and-autoconfig-for-email-Update-on-/preview_012.jpg\|300]] | This slide discusses the unreliability of OAuth2 for email clients, noting the lack of hard guarantees and the tendency for users to blame the UI for failures. It emphasizes the need for a more reliable authentication method.
| ![[FOSDEM 2025/assets/Authentication-and-autoconfig-for-email-Update-on-/preview_013.jpg\|300]] | The slide highlights the issue of token expiry in OAuth2, which can disrupt email access and complicate client libraries and application code. It contrasts this with the simplicity of username and password authentication.
| ![[FOSDEM 2025/assets/Authentication-and-autoconfig-for-email-Update-on-/preview_014.jpg\|300]] | This slide addresses error handling challenges in OAuth2, noting the limitations of current error codes and the difficulty in providing meaningful feedback to users. It suggests specifying detailed error codes and messages to improve user experience.
| ![[FOSDEM 2025/assets/Authentication-and-autoconfig-for-email-Update-on-/preview_015.jpg\|300]] | The slide compares password authentication with OAuth2, noting the simplicity and predictability of passwords. It argues for a more reliable two-factor authentication method for email clients, pointing to MAuth and autoconfiguration.
| ![[FOSDEM 2025/assets/Authentication-and-autoconfig-for-email-Update-on-/preview_016.jpg\|300]] | This slide introduces an OAuth profile for open public clients, detailing the exact client flow and configuration requirements. It highlights the need for dynamic client registration and defines OAuth2 scopes and token expiry recommendations.
| ![[FOSDEM 2025/assets/Authentication-and-autoconfig-for-email-Update-on-/preview_017.jpg\|300]] | The slide presents MAuth as an alternative to open public clients, featuring a hardcoded client ID and no token expiry. It defines detailed error codes and scopes for various email protocols.
| ![[FOSDEM 2025/assets/Authentication-and-autoconfig-for-email-Update-on-/preview_018.jpg\|300]] | This slide introduces Passkeys as a SASL standard, emphasizing the need for free implementations to avoid vendor lock-in and ensure widespread adoption.
| ![[FOSDEM 2025/assets/Authentication-and-autoconfig-for-email-Update-on-/preview_019.jpg\|300]] | The slide outlines the SASL Passkey process, detailing the steps involved in creating and using a Passkey for email authentication. It emphasizes the need for a reliable login retention mechanism like SASL Rememberme.
| ![[FOSDEM 2025/assets/Authentication-and-autoconfig-for-email-Update-on-/preview_020.jpg\|300]] | This slide highlights the need for software development to support Passkeys, particularly on Linux. It calls for the definition of APIs and the implementation of Passkey managers to avoid vendor lock-in and ensure cross-platform compatibility.
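The autoconfig XML described on the Microsoft 365 slide, as an added example that is not part of the talk or its slides: a Python parser for a constructed autoconfig v1.1 document that fills in the username placeholders and flags settings a client should warn about (no TLS, password-based authentication). The sample XML, the example.com hostnames and the warning texts are constructed for this example; the lookup URLs follow the autoconfig v1.1 well-known-URL convention.

```python
import xml.etree.ElementTree as ET
# Constructed sample in the autoconfig v1.1 format (not the slide's Microsoft 365
# entry); the SMTP block is deliberately weak so the checks below flag it.
SAMPLE_CONFIG = """<clientConfig version="1.1">
  <emailProvider id="example.com">
    <incomingServer type="imap">
      <hostname>imap.example.com</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
      <authentication>OAuth2</authentication>
      <username>%EMAILADDRESS%</username>
    </incomingServer>
    <outgoingServer type="smtp">
      <hostname>smtp.example.com</hostname>
      <port>25</port>
      <socketType>plain</socketType>
      <authentication>password-cleartext</authentication>
      <username>%EMAILLOCALPART%</username>
    </outgoingServer>
  </emailProvider>
</clientConfig>"""


def candidate_urls(domain):
    """Well-known locations a client tries, in order, before asking the ISPDB."""
    return [
        f"https://autoconfig.{domain}/mail/config-v1.1.xml",
        f"https://{domain}/.well-known/autoconfig/mail/config-v1.1.xml",
        f"https://autoconfig.thunderbird.net/v1.1/{domain}",
    ]


def parse_autoconfig(xml_text, email):
    """Return one dict per server with placeholders filled and security warnings."""
    local = email.partition("@")[0]
    root = ET.fromstring(xml_text)  # network input: prefer defusedxml in production
    servers = []
    for srv in root.iter():
        if srv.tag not in ("incomingServer", "outgoingServer"):
            continue
        entry = {child.tag: (child.text or "").strip() for child in srv}
        entry["type"] = srv.get("type")
        for placeholder, value in (("%EMAILADDRESS%", email), ("%EMAILLOCALPART%", local)):
            entry["username"] = entry.get("username", "").replace(placeholder, value)
        entry["warnings"] = []
        if entry.get("socketType") not in ("SSL", "STARTTLS"):
            entry["warnings"].append("no TLS: credentials would be sent in the clear")
        if entry.get("authentication", "").startswith("password"):
            entry["warnings"].append("password auth: talk argues for OAuth2 or passkeys")
        servers.append(entry)
    return servers
```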
## Links
[Slides](https://fosdem.org/2025/events/attachments/fosdem-2025-4888-authentication-and-autoconfig-for-email-update-on-standardization-efforts/slides/238147/OAuth2_an_BjAPFHn.pdf)
[Video recording (MP4)](https://video.fosdem.org/2025/k4601/fosdem-2025-4888-authentication-and-autoconfig-for-email-update-on-standardization-efforts.av1.mp4)
[Video recording (AV1/WebM)](https://video.fosdem.org/2025/k4601/fosdem-2025-4888-authentication-and-autoconfig-for-email-update-on-standardization-efforts.av1.webm)