[midPoint] Feature Request - Email Approval

Kyle Chau kylechaukccs at gmail.com
Sun Feb 8 09:11:05 CET 2026


Dear Arnost,

  You are absolutely right in pointing out the reliance on email security
for this feature.

  Generally, security controls on the following should be considered before
adopting any email approval:

   1. Adopting MFA for mailbox authentication.
   2. Enforcing SPF, DKIM, and DMARC to counter sender forging.
   3. Enabling end-to-end email encryption and signing (S/MIME). (To be added
   as part of the feature to validate email signature)
   4. Generate a nonce with configurable validity lifetime rather than
   relying on the workitem ID. (To be added as part of the feature)


Best Regards,
Kyle

On Thu, Feb 5, 2026 at 12:35 AM Arnošt Starosta via midPoint <
midpoint at lists.evolveum.com> wrote:

> Hi Kyle,
>
> I like the convenience of the feature but I'm very concerned about its
> security implications.
>
> The current email infrastructure is improving but still brittle as an
> authorization channel.
>
>    1. It's not a secure channel offering easy, let alone default,
>    end-to-end encryption.
>    2. Forging the sender's identity may still be easy depending on domain
>    configuration and enforcement policies.
>    3. Workitem ID is not a secret value.
>    4. A time-limited token, if used, is not a secret value once transmitted
>    in plaintext over email. Moreover, the necessary validity window in the
>    approval context is drastically different from password resets and similar
>    features.
>    5. Mailboxes remain among the most attacked resources online.
>
>
> There are multiple industry bodies explicitly warning against relying on
> email alone for authorization decisions.
>
> The service providers offering email-based approval should make these
> limitations clear.
>
> I would not use this feature given the current state of email security and
> would discourage clients from doing so without a thorough risk assessment.
>
> Best Regards,
> Arnost
>
> ------------------------------
> *From:* midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Kyle
> Chau via midPoint <midpoint at lists.evolveum.com>
> *Sent:* Monday, February 2, 2026 3:35 PM
> *To:* midpoint at lists.evolveum.com <midpoint at lists.evolveum.com>
> *Cc:* Kyle Chau <kylechaukccs at gmail.com>
> *Subject:* [midPoint] Feature Request - Email Approval
>
> Dear MidPoint team,
>
>   I am interested in implementing an email approval feature as my
> individual contribution to the project. Would you please provide some
> insight on whether this suggestion would be accepted as a core feature? The
> implementation, from my understanding, involves the following:
>
>    - A sample message template that crafts the email approval content.
>    - A new task type for enabling and scheduling the mailbox processing.
>
>   I can contribute to the design and development of this feature for the
> next six months.
>
>   You may refer to the following for a high-level illustration on the
> proposal. Thank you.
>
>   Do let me know if you have any questions.
>
>
> https://github.com/KyleChaukccs/docs/blob/master/midpoint/features/planned/email-approval.adoc
>
>
> Best Regards,
> Kyle
> _______________________________________________
> midPoint mailing list
> midPoint at lists.evolveum.com
> https://lists.evolveum.com/mailman/listinfo/midpoint
>
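The exchange above turns on item 4 of Kyle's list (a random nonce with a configurable lifetime instead of the work item ID) and on Arnost's point that a token sent in plaintext is no longer secret. The following Python is an added example, not midPoint code and not taken from the linked proposal: it issues a random, expiring, single-use nonce bound to one work item and one approver, and marks where item 3's upstream signature or DKIM/DMARC check has to gate the sender comparison. The reply format `APPROVE <token>`, the names `ApprovalTokenStore` and `parse_reply`, and the sample work item IDs are all constructed for the example.

```python
"""Nonce-based email approval tokens (added example, not midPoint code)."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class ApprovalToken:
    work_item_id: str
    approver: str        # mailbox the token was issued to (hypothetical field)
    expires_at: float    # unix time after which the token is dead
    used: bool = False   # single use: a replayed copy of the mail fails


class ApprovalTokenStore:
    """In-memory store; a real deployment would persist this server-side."""

    def __init__(self, lifetime_seconds: int = 900, clock=time.time):
        self.lifetime = lifetime_seconds   # configurable validity window
        self.clock = clock                 # injectable for tests
        self._tokens = {}

    def issue(self, work_item_id: str, approver: str) -> str:
        # 32 random bytes (256 bits) from the OS CSPRNG. A work item ID is
        # typically sequential or otherwise enumerable; this is not.
        nonce = secrets.token_urlsafe(32)
        self._tokens[nonce] = ApprovalToken(
            work_item_id, approver, self.clock() + self.lifetime)
        return nonce

    def _lookup(self, presented: str) -> Optional[ApprovalToken]:
        # Compare against every stored nonce in constant time so a wrong
        # guess cannot be told apart by response timing.
        wanted = presented.encode("utf-8", "replace")
        found = None
        for stored, rec in self._tokens.items():
            if hmac.compare_digest(stored.encode(), wanted):
                found = rec
        return found

    def redeem(self, presented: str, work_item_id: str, sender: str):
        rec = self._lookup(presented)
        if rec is None:
            return False, "unknown token"
        if rec.used:
            return False, "token already used"
        if self.clock() > rec.expires_at:
            return False, "token expired"
        if rec.work_item_id != work_item_id:
            return False, "token issued for a different work item"
        # This check only means something if the mail's origin was already
        # verified upstream (DKIM/DMARC pass or a valid S/MIME signature);
        # a bare From: header is forgeable.
        if rec.approver.lower() != sender.lower():
            return False, "sender is not the approver"
        rec.used = True
        return True, "accepted"


def parse_reply(body: str):
    """Extract (decision, token) from the first line of the form
    'APPROVE <token>' or 'REJECT <token>' (constructed reply format)."""
    for line in body.splitlines():
        parts = line.strip().split()
        if len(parts) == 2 and parts[0].upper() in ("APPROVE", "REJECT"):
            return parts[0].upper(), parts[1]
    return None, None


def demo():
    now = [1_000_000.0]
    store = ApprovalTokenStore(lifetime_seconds=900, clock=lambda: now[0])
    token = store.issue("WI-42", "approver@example.org")
    # Constructed reply body, as a mail client would produce it
    reply = f"APPROVE {token}\n\n> Please approve work item WI-42\n"
    decision, presented = parse_reply(reply)
    first = store.redeem(presented, "WI-42", "Approver@example.org")
    replay = store.redeem(presented, "WI-42", "approver@example.org")
    guess = store.redeem("WI-42", "WI-42", "approver@example.org")  # ID alone
    late_token = store.issue("WI-43", "approver@example.org")
    now[0] += 901                                                   # past lifetime
    late = store.redeem(late_token, "WI-43", "approver@example.org")
    return decision, first, replay, guess, late


if __name__ == "__main__":
    print(demo())
```

The short lifetime and single-use flag limit what an intercepted plaintext copy is worth, which is the mitigation for Arnost's item 4; they do nothing about a forged sender, which is why the approver check is placed behind the signature or DMARC verification that Kyle's items 2 and 3 describe.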