[horde] Any 2FA / MFA options which could work with Horde?
Brent
impuser at bitrealm.com
Tue Feb 14 17:19:49 UTC 2023
Are you talking about just using the web interface, or are you
talking about mobile devices that are using ActiveSync via a vpn
connection? The folks are probably worried about people inside your
network too...an internal virus that can compromise the system.
If just the web interface, I would do this with SSL certificates to
provide a "second factor" authentication. You can create identity
certs that your web server (apache, for instance) would need to see
before presenting users with the horde login screen. One could have a
single company-wide cert that any device would need to have and then
you'd get in; or, you could create individual user certs and have
apache do a certificate verification against a Certificate Authority
before presenting the login screen. I've not done it with Apache, but
it should be doable and satisfy the MFA requirement. If someone
leaves/quits, then the cert can be revoked. Even if they know logins,
then they can't get in. This is generally required for PCI/Sox or
HIPAA rules that must be followed.
I don't see that Horde has any built-in MFA provisions.
If you have devices and use ActiveSync, then I see that there is a
client cert option shown in the UI. I've not used it personally, but
the fact it is there means it "should" work.
brent
Quoting Sebastian Arcus <s.arcus at open-t.co.uk>:
> This is a reluctant request, as per the details to follow.
>
> Short version first: is there any way of making Horde work with some
> sort of a 2FA / MFA system? I'm looking for the simplest option -
> even if it involves some sort of authentication hook linked to a
> bash script, which talks to a Windows app installed on the client
> workstation to pass a TOTP code to the user. Or any other similar
> adaptation.
>
> Long version: I've had Horde installed on a site and working for a
> good number of years. There is no access to Horde from the internet,
> only from internal network and through vpn. On the client side,
> users passwords are stored in the password manager and auto-filled -
> so that users are not psychologically accustomed to being asked to
> type their email password for any reason. I think this provides a
> pretty high level of protection against phishing attacks - specially
> as, even if a third party obtains emails passwords, it's not
> possible to gain access to the email system and data from outside
> the internal network.
>
> However, being an organisation operating in the legal field, the
> insurance company is adamant that we need to implement 2FA / MFA -
> otherwise the insurance premium would be much higher. It doesn't
> matter that I explained our setup to them, and how MFA / 2FA
> requirements would be of little value to a small setup where the
> server and email clients are inside the internal network, with no
> email client access from the internet side.
>
> Any suggestions much appreciated
>
> --
> Horde mailing list
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: horde-unsubscribe at lists.horde.org
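Added example (not from Brent's message, the original poster, or the Horde project): an Apache 2.4 mod_ssl configuration of the kind Brent describes, where the web server demands a client certificate issued by an internal CA before it will serve the Horde login page, and where a leaver's certificate can be revoked through a CRL. The hostname, file paths, organisation name and the /horde location are all assumptions; the weak `optional` setting is shown commented out beside the enforced one.

```apache
# Added example, not part of the original thread or of Horde itself.
# Per-user client-certificate gate in front of Horde, with CRL revocation.
# Hostname, paths, organisation name and /horde prefix are assumptions.

<VirtualHost *:443>
    # Assumed internal hostname of the Horde server.
    ServerName mail.example.internal

    SSLEngine on
    # Assumed server certificate and key paths.
    SSLCertificateFile    /etc/ssl/horde/server.crt
    SSLCertificateKeyFile /etc/ssl/horde/server.key

    # CA that issued the user (client) certificates. Kept separate from
    # the public CA bundle so only certificates from this CA are accepted.
    SSLCACertificateFile  /etc/ssl/horde/client-ca.crt
    SSLVerifyDepth 1

    # Revocation list published by that CA. Revoking a leaver's cert and
    # regenerating this file locks them out even if they know a password.
    SSLCARevocationFile   /etc/ssl/horde/client-ca.crl
    SSLCARevocationCheck  chain

    # Weak setting, not acceptable as a second factor: "optional" still
    # serves the login screen to a browser that presents no certificate.
    #   SSLVerifyClient optional

    # Enforced setting: the TLS handshake fails for any client that does
    # not present a certificate chaining to client-ca.crt and absent from
    # the CRL, so no HTTP request ever reaches Horde without one.
    SSLVerifyClient require

    <Location /horde>
        # Export SSL_CLIENT_* variables for logging and the checks below.
        SSLOptions +StdEnvVars
        # Accept only certificates issued to this organisation (assumed O=).
        Require expr %{SSL_CLIENT_S_DN_O} == "Example Legal LLP"
        # Pass the certificate CN to the application as REMOTE_USER so the
        # cert holder and the Horde login can be cross-checked in logs.
        SSLUserName SSL_CLIENT_S_DN_CN
    </Location>

    ErrorLog  ${APACHE_LOG_DIR}/horde-ssl-error.log
    CustomLog ${APACHE_LOG_DIR}/horde-ssl-access.log combined
</VirtualHost>
```

Brent's single company-wide certificate option is the same configuration with one certificate installed on every device; the per-user variant is what makes revocation of an individual leaver possible, since with a shared certificate revoking it means reissuing to everyone. Placing `SSLVerifyClient require` at the virtual-host level rather than inside `<Location>` avoids a TLS renegotiation on the first request and rejects certificate-less clients before any application code runs.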