[horde] Any 2FA / MFA options which could work with Horde?
s.arcus at open-t.co.uk
Wed Feb 15 12:08:19 UTC 2023
On 14/02/2023 17:19, Brent wrote:
> Are you talking about just using the web interface, or are you talking
> about mobile devices that are using ActiveSync via a vpn connection? The
> folks are probably worried about people inside your network too...an
> internal virus that can compromise the system.
That is also true
> If just the web interface, I would do this with SSL certificates to
> provide a "second factor" authentication. You can create identity certs
> that your web server (apache, for instance) would need to see before
> presenting users with the horde login screen. One could have a single
> company-wide cert that any device would need to have and then you'd get
> in; or, you could create individual user certs and have apache do a
> certificate verification against a Certificate Authority before
> presenting the login screen. I've not done it with Apache, but it should
> be doable and satisfy the MFA requirement. If someone leaves/quits, then
> the cert can be revoked. Even if they know logins, then they can't get
> in. This is generally required for PCI/Sox or HIPAA rules that must be
That is an interesting suggestion. I haven't considered client side
certificates as a form of MFA. I will take a closer look at it - thank
you for suggesting
> I don't see that Horde has any built-in MFA provisions.
> If you have devices and use ActiveSync, then I see that there is a
> client cert option shown in the UI. I've not used it personally, but the
> fact it is there means it "should" work.
Thank you - yes - that is definitely worth looking into
> Quoting Sebastian Arcus <s.arcus at open-t.co.uk>:
>> This is a reluctant request, as per the details to follow.
>> Short version first: is there any way of making Horde work with some
>> sort of a 2FA / MFA system? I'm looking for the simplest option - even
>> if it involves some sort of authentication hook linked to a bash
>> script, which talks to a Windows app installed on the client
>> workstation to pass a TOTP code to the user. Or any other similar
>> Long version: I've had Horde installed on a site and working for a
>> good number of years. There is no access to Horde from the internet,
>> only from internal network and through vpn. On the client side, users'
>> passwords are stored in the password manager and auto-filled - so that
>> users are not psychologically accustomed to being asked to type their
>> email password for any reason. I think this provides a pretty high
>> level of protection against phishing attacks - especially as, even if a
>> third party obtains email passwords, it's not possible to gain access
>> to the email system and data from outside the internal network.
>> However, being an organisation operating in the legal field, the
>> insurance company is adamant that we need to implement 2FA / MFA -
>> otherwise the insurance premium would be much higher. It doesn't
>> matter that I explained our setup to them, and how MFA / 2FA
>> requirements would be of little value to a small setup where the
>> server and email clients are inside the internal network, with no
>> email client access from the internet side.
>> Any suggestions much appreciated
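An added example, not code from this thread, from Horde or from the Apache project, showing the client-certificate "second factor" that Brent suggests above: a throwaway private CA is created in a temporary directory, per-user client certificates are issued, one user is revoked as if they had left, and each certificate is then checked the way Apache's mod_ssl would before it ever shows the Horde login page. The CA name and the users alice and bob are constructed for the demonstration; the Apache directives in the comment are the real mod_ssl ones, while the paths they point at are placeholders.

```shell
#!/bin/sh
# Added example: private CA + per-user client certs as a second factor in
# front of a web login, with revocation via a CRL. Nothing here is Horde or
# Apache code; names and paths are constructed for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create the CA key/cert, plus the index and CRL number that "openssl ca"
# needs to record revocations and emit a CRL.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Example Horde Client CA" 2>/dev/null
    : > "$WORK/index.txt"
    echo 1000 > "$WORK/crlnumber"
    cat > "$WORK/ca.cnf" <<EOF
[ca]
default_ca = horde_ca
[horde_ca]
database         = $WORK/index.txt
new_certs_dir    = $WORK
serial           = $WORK/serial
crlnumber        = $WORK/crlnumber
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
[policy_any]
commonName       = supplied
EOF
}

# Issue a client certificate for one user, signed by the CA. The CN is the
# username, which mod_ssl exposes to the application as SSL_CLIENT_S_DN_CN.
issue_user() {
    u="$1"
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$u.key" \
        -out "$WORK/$u.csr" -subj "/CN=$u" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$WORK/$u.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -CAserial "$WORK/serial" \
        -out "$WORK/$u.crt" 2>/dev/null
}

# Staff member leaves: revoke the cert and regenerate the CRL that the
# web server consults. The password alone is no longer enough.
revoke_user() {
    u="$1"
    openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/$u.crt" 2>/dev/null
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null
}

# Equivalent of what Apache does with (placeholder paths):
#   SSLVerifyClient      require
#   SSLVerifyDepth       1
#   SSLCACertificateFile /etc/ssl/horde/ca.crt
#   SSLCARevocationFile  /etc/ssl/horde/crl.pem
#   SSLCARevocationCheck chain
# Only a cert that chains to our CA and is not on the CRL is accepted.
check_cert() {
    crl_args=""
    [ -f "$WORK/crl.pem" ] && crl_args="-crl_check -CRLfile $WORK/crl.pem"
    if openssl verify -CAfile "$WORK/ca.crt" $crl_args "$1" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

make_ca
issue_user alice
issue_user bob
revoke_user bob

# An attacker who knows alice's password but holds no cert from our CA:
# a self-signed cert bearing her name is rejected before any login form.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
    -keyout "$WORK/fake.key" -out "$WORK/fake.crt" -subj "/CN=alice" 2>/dev/null

for f in alice bob fake; do
    printf '%s: %s\n' "$f" "$(check_cert "$WORK/$f.crt")"
done
```

The check runs before the application is reached, so Horde itself needs no change; the per-user variant (one cert per person, revoked on departure) is the one that actually behaves like a second factor, whereas a single company-wide cert only proves the device was provisioned and cannot be revoked for one user without reissuing it to everyone.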