[horde] Any 2FA / MFA options which could work with Horde?
Rick Romero
rick at havokmon.com
Tue Feb 14 17:47:53 UTC 2023
Quoting Sebastian Arcus <s.arcus at open-t.co.uk>:
> This is a reluctant request, as per the details to follow.
>
> Short version first: is there any way of making Horde work with some
> sort of a 2FA / MFA system? I'm looking for the simplest option -
> even if it involves some sort of authentication hook linked to a
> bash script, which talks to a Windows app installed on the client
> workstation to pass a TOTP code to the user. Or any other similar
> adaptation.
>
> Long version: I've had Horde installed on a site and working for a
> good number of years. There is no access to Horde from the internet,
> only from internal network and through vpn. On the client side,
> users passwords are stored in the password manager and auto-filled -
> so that users are not psychologically accustomed to being asked to
> type their email password for any reason. I think this provides a
> pretty high level of protection against phishing attacks - specially
> as, even if a third party obtains emails passwords, it's not
> possible to gain access to the email system and data from outside
> the internal network.
>
> However, being an organisation operating in the legal field, the
> insurance company is adamant that we need to implement 2FA / MFA -
> otherwise the insurance premium would be much higher. It doesn't
> matter that I explained our setup to them, and how MFA / 2FA
> requirements would be of little value to a small setup where the
> server and email clients are inside the internal network, with no
> email client access from the internet side.
>
> Any suggestions much appreciated
I hooked PrivacyIdea into Horde a few years ago - but unfortunately I
don't remember exactly what I did. I stopped as I needed to support
multiple domains and PIs 'realms' are defined by '@' - so there was a
conflict on the username.
Here's a thread with some options (which actually includes my post, I
guess I used Radius for user auth, and Dovecot's master password for
IMAP access while in testing. IIRC, Radius auth used password+TOPT in
the password field)
https://horde.horde.narkive.com/7NU1F96s/multi-factor-authentication
more info -
http://janschneider.de/news/35
Rick
More information about the horde
mailing list