[horde] Any 2FA / MFA options which could work with Horde?

Sebastian Arcus s.arcus at open-t.co.uk
Wed Feb 15 12:08:19 UTC 2023


Hi Brent,

On 14/02/2023 17:19, Brent wrote:
>   Are you talking about just using the web interface, or are you talking 
> about mobile devices that are using ActiveSync via a vpn connection? The 
> folks are probably worried about people inside your network too...an 
> internal virus that can compromise the system.

That is also true.

> 
> If just the web interface, I would do this with SSL certificates to 
> provide a "second factor" authentication. You can create identity certs 
> that your web server (apache, for instance) would need to see before 
> presenting users with the horde login screen. One could have a single 
> company-wide cert that any device would need to have and then you'd get 
> in; or, you could create individual user certs and have apache do a 
> certificate verification against a Certificate Authority before 
> presenting the login screen. I've not done it with Apache, but it should 
> be doable and satisfy the MFA requirement. If someone leaves/quits, then 
> the cert can be revoked. Even if they know logins, then they can't get 
> in. This is generally required for PCI/Sox or HIPAA rules that must be 
> followed.

That is an interesting suggestion. I haven't considered client-side 
certificates as a form of MFA. I will take a closer look at it - thank 
you for suggesting it.


> 
> I don't see that Horde has any built-in MFA provisions.
> 
> If you have devices and use ActiveSync, then I see that there is a 
> client cert option shown in the UI. I've not used it personally, but the 
> fact it is there means it "should" work.

Thank you - yes - that is definitely worth looking into.


> 
> brent
> 
> Quoting Sebastian Arcus <s.arcus at open-t.co.uk>:
> 
>> This is a reluctant request, as per the details to follow.
>>
>> Short version first: is there any way of making Horde work with some 
>> sort of a 2FA / MFA system? I'm looking for the simplest option - even 
>> if it involves some sort of authentication hook linked to a bash 
>> script, which talks to a Windows app installed on the client 
>> workstation to pass a TOTP code to the user. Or any other similar 
>> adaptation.
>>
>> Long version: I've had Horde installed on a site and working for a 
>> good number of years. There is no access to Horde from the internet, 
>> only from the internal network and through vpn. On the client side, users' 
>> passwords are stored in the password manager and auto-filled - so that 
>> users are not psychologically accustomed to being asked to type their 
>> email password for any reason. I think this provides a pretty high 
>> level of protection against phishing attacks - especially as, even if a 
>> third party obtains email passwords, it's not possible to gain access 
>> to the email system and data from outside the internal network.
>>
>> However, as we are an organisation operating in the legal field, the 
>> insurance company is adamant that we need to implement 2FA / MFA - 
>> otherwise the insurance premium would be much higher. It doesn't 
>> matter that I explained our setup to them, and how MFA / 2FA 
>> requirements would be of little value to a small setup where the 
>> server and email clients are inside the internal network, with no 
>> email client access from the internet side.
>>
>> Any suggestions much appreciated.
>>
>> -- 
>> Horde mailing list
>> Frequently Asked Questions: http://horde.org/faq/
>> To unsubscribe, mail: horde-unsubscribe at lists.horde.org

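As an added illustration of the client-certificate approach Brent describes (this is not configuration from the thread or from the Horde project), here is an Apache 2.4 virtual host that refuses the TLS handshake, and so never shows the Horde login page, unless the browser presents a certificate issued by the organisation's own CA. The hostname and all file paths are assumptions for illustration.

```apache
# Added example, not from the mailing list thread: Apache 2.4 vhost in
# front of Horde requiring a client certificate as the "second factor".
# Hostname and paths are assumptions; substitute your own.
<VirtualHost *:443>
    ServerName   mail.example.internal
    DocumentRoot /var/www/horde

    SSLEngine on
    SSLCertificateFile    /etc/ssl/horde/server.crt
    SSLCertificateKeyFile /etc/ssl/horde/server.key

    # Only certificates chaining to this private CA are accepted. It must
    # be the organisation's own CA, not a public one, otherwise any holder
    # of a publicly issued certificate would pass the check.
    SSLCACertificateFile  /etc/ssl/horde/client-ca.crt

    # Revocation list for departed staff: a revoked certificate fails the
    # handshake even if the holder still knows a valid Horde password.
    SSLCARevocationFile   /etc/ssl/horde/client-ca.crl
    SSLCARevocationCheck  chain

    # Demand a client certificate for the whole site and verify the chain
    # up to the CA. Without a valid certificate the TLS handshake fails
    # before Apache returns the Horde login form.
    SSLVerifyClient require
    SSLVerifyDepth  2

    <Directory /var/www/horde>
        Require all granted
        # Export certificate fields (SSL_CLIENT_S_DN etc.) to the
        # environment so PHP/Horde logging can record which certificate
        # the connecting user presented.
        SSLOptions +StdEnvVars
    </Directory>
</VirtualHost>
```

With per-user certificates, the exported `SSL_CLIENT_S_DN` value in the access log lets you reconcile which certificate, not just which password, was used for each login.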
