[horde] multi-factor authentication

Bjoern Voigt bjoernv at arcor.de
Fri Mar 30 16:02:33 UTC 2018


Ralf Lang wrote:
> Vault doesn't really address what is needed here.
> There are two options here:
>
> - Delegate authentication to an auth provider (Shibboleth, SAML, OpenID
> Connect, etc.) and let them worry about 2-factor implementation
> - Build a 2-factor driver for Horde
>
> Both are somehow on my list, but no specific timeline can be given.
> However, I am more interested in open solutions like TOTP/HOTP.
> Though I use commercial RSA SecurID tokens in my daily work, I have
> absolutely no interest in building a direct interface to the server
> component.
Ralf, you seem to know the Horde authentication code very well.

I think some users need a quick (but not dirty) solution for Horde/IMP.

I think Yubikeys and TOTP/HOTP solutions can be easily used in Horde.
The basic idea for services without an integrated 2FA module is to enter
a combined password <user password><2FA password>. Second factor
passwords have a fixed length. So the combined password can be split
with simple rules.

There is a hook "preauthenticate" in horde/config/hooks.php, which can
be used here. My idea is:

 1. Check by username whether 2FA is enabled for the user
 2. Consistency check whether there is a combined password
 3. Split the combined password
 4. Do the verification for the second factor password
 5. Return false if the second factor password is wrong
 6. Return the first factor password within the "entry" array if the
    second factor password is right

I haven't implemented this yet. But it should work.

I think the drawbacks would be:

  * Passwords cannot be saved comfortably anymore, because you need a
    new combined password for each login
  * ActiveSync clients will fail for the same reason

Greetings,
Björn
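
The six steps listed in the message above, as an added example that is not part of the original post and is not Horde code. The function names, the `$secrets` lookup array and the sample credentials are hypothetical, TOTP with six digits is assumed as the second factor, and the code deliberately does not reproduce the signature or return format of Horde's "preauthenticate" hook.

```php
<?php
// Added example, not Horde code. All names below are hypothetical.

const OTP_DIGITS = 6; // assumption: fixed-length 6-digit TOTP codes

// RFC 6238 TOTP (HMAC-SHA1, 30 s time step) for a raw binary secret.
function totp(string $secret, int $time, int $digits = OTP_DIGITS): string
{
    $counter = pack('J', intdiv($time, 30));         // 64-bit big-endian counter
    $hash = hash_hmac('sha1', $counter, $secret, true);
    $offset = ord($hash[19]) & 0x0f;                 // dynamic truncation (RFC 4226)
    $bin = unpack('N', substr($hash, $offset, 4))[1] & 0x7fffffff;
    return str_pad((string)($bin % 10 ** $digits), $digits, '0', STR_PAD_LEFT);
}

// Returns the first-factor password on success, false on any failure,
// or the input unchanged when the user has no 2FA secret enrolled.
function split_and_verify(string $user, string $combined, array $secrets, int $now)
{
    if (!isset($secrets[$user])) {
        return $combined;                            // step 1: 2FA not enabled
    }
    $otp = substr($combined, -OTP_DIGITS);
    if (strlen($combined) <= OTP_DIGITS || !ctype_digit($otp)) {
        return false;                                // step 2: not a combined password
    }
    $password = substr($combined, 0, -OTP_DIGITS);   // step 3: split at the fixed length
    $ok = false;
    foreach ([-1, 0, 1] as $drift) {                 // step 4: tolerate one step of clock drift
        // hash_equals() compares in constant time; every window is always checked.
        $ok = hash_equals(totp($secrets[$user], $now + 30 * $drift), $otp) || $ok;
    }
    return $ok ? $password : false;                  // steps 5 and 6
}

// Constructed sample data: the RFC 6238 Appendix B test secret and time 59,
// for which the 6-digit SHA-1 code is 287082.
$secrets = ['alice' => '12345678901234567890'];
var_dump(split_and_verify('alice', 'hunter2' . '287082', $secrets, 59)); // correct code
var_dump(split_and_verify('alice', 'hunter2' . '000000', $secrets, 59)); // wrong code
var_dump(split_and_verify('alice', 'hunter2', $secrets, 59));            // no code appended
var_dump(split_and_verify('bob', 'secret', $secrets, 59));               // user without 2FA
```

A TOTP code stays valid for its whole time window, so a real hook would also store the last accepted time step per user and reject a code that has already been used.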


