[horde] Any 2FA / MFA options which could work with Horde?

Rick Romero rick at havokmon.com
Tue Feb 14 17:47:53 UTC 2023

  Quoting Sebastian Arcus <s.arcus at open-t.co.uk>:

> This is a reluctant request, as per the details to follow.
> Short version first: is there any way of making Horde work with some  
> sort of a 2FA / MFA system? I'm looking for the simplest option -  
> even if it involves some sort of authentication hook linked to a  
> bash script, which talks to a Windows app installed on the client  
> workstation to pass a TOTP code to the user. Or any other similar  
> adaptation.
> Long version: I've had Horde installed on a site and working for a  
> good number of years. There is no access to Horde from the internet,  
> only from internal network and through vpn. On the client side,  
> users passwords are stored in the password manager and auto-filled -  
> so that users are not psychologically accustomed to being asked to  
> type their email password for any reason. I think this provides a  
> pretty high level of protection against phishing attacks - specially  
> as, even if a third party obtains emails passwords, it's not  
> possible to gain access to the email system and data from outside  
> the internal network.
> However, being an organisation operating in the legal field, the  
> insurance company is adamant that we need to implement 2FA / MFA -  
> otherwise the insurance premium would be much higher. It doesn't  
> matter that I explained our setup to them, and how MFA / 2FA  
> requirements would be of little value to a small setup where the  
> server and email clients are inside the internal network, with no  
> email client access from the internet side.
> Any suggestions much appreciated

I hooked PrivacyIdea into Horde a few years ago - but unfortunately I  
don't remember exactly what I did.  I stopped as I needed to support  
multiple domains and PIs 'realms' are defined by '@' - so there was a  
conflict on the username.

Here's a thread with some options (which actually includes my post, I  
guess I used Radius for user auth, and Dovecot's master password for  
IMAP access while in testing.  IIRC, Radius auth used password+TOPT in  
the password field)

more info - 


More information about the horde mailing list