[conite]

Pity.

I have client data, so I have to be extra careful.

[anon(10728938)]

I have client data, so I have to be extra careful.

Do you honestly feel your 'client data" was in jeopardy due to using the BlackBerry Hub Inbox? Maybe you should write BlackBerry an email about it. I'm sure they would be interested to know why.

[conite]

Do you honestly feel your 'client data" was in jeopardy due to using the BlackBerry Hub Inbox? Maybe you should write BlackBerry an email about it. I'm sure they would be interested to know why.

It's more of a due diligence argument. Duty of care is easier to demonstrate when sticking with actively developed software.

[anon(10728938)]

It's more of a due diligence argument. Duty of care is easier to demonstrate when sticking with actively developed software.

So using BlackBerry Hub Inbox, to you, would represent a form of negligence toward your clients...even though there is no clear and imminent threat? Interesting.

Well I guess Gmail is free so perhaps you can give them a bit of a discount too, lol.

[conite]

So using BlackBerry Hub Inbox, to you, would represent a form of negligence toward your clients...even though there is no clear and imminent threat? Interesting.

Well I guess Gmail is free so perhaps you can give them a bit of a discount too, lol.

Negligence towards the client? Not necessarily. Doing a full comparative security risk assessment, however, is well above my pay grade.

But using actively developed and supported products gives me a stick if something bad ever happens. Hence a Pixel 5, running Android 11, with a Feb 2021 security patch, and the Gmail app (updated weekly).

[Chuck Finley69]

So using BlackBerry Hub Inbox, to you, would represent a form of negligence toward your clients...even though there is no clear and imminent threat? Interesting.

Well I guess Gmail is free so perhaps you can give them a bit of a discount too, lol.

In my case, my clients are protected by the security protocols of the vendors I use and whose security requirements I have to meet in communication with clients. Most of the industry uses Microsoft O365 for archiving, compliance and security protocols. The BBHub didn’t seem to be keeping up to DOL, SEC and FINRA standards.

[anon(10728938)]

In my case, my clients are protected by the security protocols of the vendors I use and whose security requirements I have to meet in communication with clients. Most of the industry uses Microsoft O365 for archiving, compliance and security protocols. The BBHub didn’t seem to be keeping up to DOL, SEC and FINRA standards.

Obviously Hub Inbox is compatible with 365 as long as an app password is used. Check. As for the other three you listed, I'd be curious to know how you found out whether or not it was compliant with any of them and who made that determination? "Didn't seem to be keeping up" isn't exactly a precise justification.

[Chuck Finley69]

Obviously Hub Inbox is compatible with 365 as long as an app password is used. Check. As for the other three you listed, I'd be curious to know how you found out whether or not it was compliant with any of them and who made that determination? "Didn't seem to be keeping up" isn't exactly a precise justification.

The SEC makes the the policies usually and the other agencies mirror the policies. Additionally, most institutions have other regulatory oversight and follow standards from those agencies too. Primary regulation is regarding privacy laws of customer information. You don’t think we get to determine or interpret what the regulators and E&O carriers do. It’s simply about liability. The standards are for 2FA now.

[anon(10728938)]

The SEC makes the the policies usually and the other agencies mirror the policies. Additionally, most institutions have other regulatory oversight and follow standards from those agencies too. Primary regulation is regarding privacy laws of customer information. You don’t think we get to determine or interpret what the regulators and E&O carriers do. It’s simply about liability. The standards are for 2FA now.

I don't follow your reasoning. You referenced three other standards in addition to the authentication method in your previous post: DOL, SEC and FINRA. App password is an acceptable workaround for Modern Auth. The other three you listed you seem to be ignoring. So is it safe to assume you have no idea whether Hub Inbox complies with these others?

[Chuck Finley69]

I don't follow your reasoning. You referenced three other standards in addition to the authentication method in your previous post: DOL, SEC and FINRA. App password is an acceptable workaround for Modern Auth. The other three you listed you seem to be ignoring. So is it safe to assume you have no idea whether Hub Inbox complies with these others?

It doesn't matter if some other method complies if my vendors don't think it's good enough or choose not to support. I require 2FA since my vendors require 2FA since either the regulators are there already or signalling to everyone that's where the ultimate destination is until the next upgraded standard.

[anon(10728938)]

It doesn't matter if some other method complies if my vendors don't think it's good enough or choose not to support. I require 2FA since my vendors require 2FA since either the regulators are there already or signalling to everyone that's where the ultimate destination is until the next upgraded standard.

You still haven't answered the question.

You guys sure have some convoluted justifications for not using Hub. Might as well say you just don't like it anymore and get it over with. At least that answer would make sense.

[Chuck Finley69]

You still haven't answered the question.

You guys sure have some convoluted justifications for not using Hub. Might as well say you just don't like it anymore and get it over with. At least that answer would make sense.

I don't use the hub because it's not secure enough for my vendors from their perspective in their regulatory environment.

What's the question for me beyond that?

[anon(10728938)]

I don't use the hub because it's not secure enough for my vendors from their perspective in their regulatory environment.

What's the question for me beyond that?

So your vendors told you they didn't want you as a supplier anymore unless you stopped using BlackBerry Hub as an email client? This keeps getting more and more interesting...

[conite]

You still haven't answered the question.

You guys sure have some convoluted justifications for not using Hub. Might as well say you just don't like it anymore and get it over with. At least that answer would make sense.

Why does compliance and due diligence seem convoluted?

[Chuck Finley69]

So your vendors told you they didn't want you as a supplier anymore unless you stopped using BlackBerry Hub as an email client? This keeps getting more and more interesting...

I'm an independent licensed retirement planner. My vendors are regulator approved providers of regulator approved services as outsourced third party.

[anon(10728938)]

Why does compliance and due diligence seem convoluted?

It's convoluted because you guys are trying to make it sound like you have high and mighty reasons for not using Hub when it basically boils down to a matter of personal preference. No one is going to reject your business, nor does it pose any reasonable liability, simply because you used BlackBerry Hub Inbox as an email client on your phone.

At least it made for an entertaining discussion. I appreciate your explanations.

[conite]

It's convoluted because you guys are trying to make it sound like you have high and mighty reasons for not using Hub when it basically boils down to a matter of personal preference. No one is going to reject your business, nor does it pose any reasonable liability, simply because you used BlackBerry Hub Inbox as an email client on your phone.

At least it made for an entertaining discussion. I appreciate your explanations.

There is nothing high and mighty about sticking with actively developed hardware and software. It's just being prudent and is good business.

Nor is it a unique perspective. It's pretty much at the top of the list of good security policy.

[Dunt Dunt Dunt]

It's convoluted because you guys are trying to make it sound like you have high and mighty reasons for not using Hub when it basically boils down to a matter of personal preference. No one is going to reject your business, nor does it pose any reasonable liability, simply because you used BlackBerry Hub Inbox as an email client on your phone.

At least it made for an entertaining discussion. I appreciate your explanations.

Most every email platform considers App Specific Passwords less secure... for many that is even the heading that option is found under..

You seem to not be able to understand that some companies simply refuse to allow less secure methods. It's not a question of is it safe or not, as it's not even a option some companies allow. There is no "less secure" method allowed.

Now if individual with their own accounts want to use a "less secure" option, I'm fine with that. And as long as you use a unique and complex password, I think it could be very safe. But I bet many here are using the same old password that they use everywhere... same as was used in several data leaks.

Me, I've been using unique passwords with every account or site I have. And if 2FA is an option, I enable that as well.

[anon(10728938)]

Most every email platform considers App Specific Passwords less secure... for many that is even the heading that option is found under..

You seem to not be able to understand that some companies simply refuse to allow less secure methods. It's not a question of is it safe or not, as it's not even a option some companies allow. There is no "less secure" method allowed.

Now if individual with their own accounts want to use a "less secure" option, I'm fine with that. And as long as you use a unique and complex password, I think it could be very safe. But I bet many here are using the same old password that they use everywhere... same as was used in several data leaks.

Me, I've been using unique passwords with every account or site I have. And if 2FA is an option, I enable that as well.

On the contrary, I fully understand that using an app password is not permitted by some organizations, which is specifically why I said I was in a privileged position to do so. I also fully understand some individuals are not in a position to have a say in the matter.

Having said that using an app password IS an acceptable (and necessary, for reasons of backwards compatibility) alternate AND secure solution.

As you pointed out yourself, using an app password or even a very secure password without Modern Auth doesn't necessarily make it any less secure. Particularly if an appropriate level of due diligence is exercised.

Glad you concur.

[pdr733]

On the contrary, I fully understand that using an app password is not permitted by some organizations, which is specifically why I said I was in a privileged position to do so. I also fully understand some individuals are not in a position to have a say in the matter.

Having said that using an app password IS an acceptable (and necessary, for reasons of backwards compatibility) alternate AND secure solution.

As you pointed out yourself, using an app password or even a very secure password without Modern Auth doesn't necessarily make it any less secure. Particularly if an appropriate level of due diligence is exercised.

Glad you concur.

I only disagree, and disagree completely with the BS you wrote earlier. Quote: (about multifactor auth)
"I still feel this is more about generating revenue from software licenses, protecting corporate cloud data, and tracking user activity than it is about security for the end user."

This is patently false. MFA is vendor independent (you dont need to involve Apple, Google or Microsoft), to my knowledge you dont necessarily need a software license from any big vendor, and you dont even need a smartphone (it can also be a physical security device, like a Yubikey or similar)
Everyone is entitled to use whatever solution they prefer and are comfortable with but please dont spread BS and untruths.

[anon(10728938)]

I only disagree, and disagree completely with the BS you wrote earlier. Quote: (about multifactor auth)
"I still feel this is more about generating revenue from software licenses, protecting corporate cloud data, and tracking user activity than it is about security for the end user."

This is patently false. MFA is vendor independent (you dont need to involve Apple, Google or Microsoft), to my knowledge you dont necessarily need a software license from any big vendor, and you dont even need a smartphone (it can also be a physical security device, like a Yubikey or similar)
Everyone is entitled to use whatever solution they prefer and are comfortable with but please dont spread BS and untruths.

Right. Well, let's see what happens when people using older versions of Microsoft Office that they paid hundreds of dollars for per license, aren't able to access their email via Outlook any longer and are required to enter into a subscription. Or the countless organizations that have already been forced to do so thanks to service agreements between Microsoft and their webhost, significantly increasing the cost of email service.

Then you can lecture me about how this isn't about money.

[pdr733]

Right. Well, let's see what happens when people using older versions of Microsoft Office that they paid hundreds of dollars for per license, aren't able to access their email via Outlook any longer and are required to enter into a subscription. Or the countless organizations that have already been forced to do so thanks to service agreements between Microsoft and their webhost, significantly increasing the cost of email service.

Then you can lecture me about how this isn't about money.

Please dont confuse a technology (multi factor auth) and its implementation (in this case by Microsoft). You can argue that MS's business practices are bad, but don't blame a technology for that. MFA can be deployed without any Microsoft stuff whatsoever.
So here in your story MS is or might be to blame and not MFA.

[app_Developer]

On the contrary, I fully understand that using an app password is not permitted by some organizations, which is specifically why I said I was in a privileged position to do so. I also fully understand some individuals are not in a position to have a say in the matter.

Having said that using an app password IS an acceptable (and necessary, for reasons of backwards compatibility) alternate AND secure solution.

As you pointed out yourself, using an app password or even a very secure password without Modern Auth doesn't necessarily make it any less secure. Particularly if an appropriate level of due diligence is exercised.

Glad you concur.

Describe in detail the process by which a user changes her app password, and it will be immediately obvious why this isn’t secure at scale.

Yeah, of course, for some 5 person mom and pop business you can make a lot of things work, but for large businesses who have access to sensitive information about millions of people, there are common standards that we all use. These are best practices. MFA is one of them.

BB should support it if they care about corporate users. If not, then that’s fine.

[anon(10728938)]

Describe in detail the process by which a user changes her app password, and it will be immediately obvious why this isn’t secure at scale.

Yeah, of course, for some 5 person mom and pop business you can make a lot of things work, but for large businesses who have access to sensitive information about millions of people, there are common standards that we all use. These are best practices. MFA is one of them.

BB should support it if they care about corporate users. If not, then that’s fine.

Non Modern Auth can also be secure "at scale" if it is being deployed properly. That was the point being made earlier, not the size of the business. I don't disagree it is easier and indeed even designed for large organizations to deploy securely.

If this discussion makes one thing clear, it is that BB Hub is clearly designed for, and being sold in, a consumer Android space. Its not an enterprise app nor is it even even branded as such. So it should be treated accordingly. But if you compare it to other apps also competing in that space, it still has some disinct advantages. Would it be any worse with Modern Auth support? Of course not. Is it automatically less secure without it? Not necessarily.

[conite]

But if you compare it to other apps also competing in that space, it still has some disinct advantages.

As an email client, what advantages does the HUB have today over modern, actively-supported products like Nine and Aqua?