[horde] Any 2FA / MFA options which could work with Horde?
Sebastian Arcus
s.arcus at open-t.co.uk
Wed Feb 15 12:22:20 UTC 2023
Hi Rick,

On 14/02/2023 17:47, Rick Romero wrote:
> Quoting Sebastian Arcus <s.arcus at open-t.co.uk>:
>
>> This is a reluctant request, as per the details to follow.
>>
>> Short version first: is there any way of making Horde work with some
>> sort of a 2FA / MFA system? I'm looking for the simplest option - even
>> if it involves some sort of authentication hook linked to a bash
>> script, which talks to a Windows app installed on the client
>> workstation to pass a TOTP code to the user. Or any other similar
>> adaptation.
>>
>> Long version: I've had Horde installed on a site and working for a
>> good number of years. There is no access to Horde from the internet,
>> only from the internal network and through VPN. On the client side, users'
>> passwords are stored in the password manager and auto-filled - so that
>> users are not psychologically accustomed to being asked to type their
>> email password for any reason. I think this provides a pretty high
>> level of protection against phishing attacks - especially as, even if a
>> third party obtains email passwords, it's not possible to gain access
>> to the email system and data from outside the internal network.
>>
>> However, being an organisation operating in the legal field, the
>> insurance company is adamant that we need to implement 2FA / MFA -
>> otherwise the insurance premium would be much higher. It doesn't
>> matter that I explained our setup to them, and how MFA / 2FA
>> requirements would be of little value to a small setup where the
>> server and email clients are inside the internal network, with no
>> email client access from the internet side.
>>
>> Any suggestions much appreciated
>
> I hooked PrivacyIdea into Horde a few years ago - but unfortunately I
> don't remember exactly what I did. I stopped as I needed to support
> multiple domains and PI's 'realms' are defined by '@' - so there was a
> conflict on the username.
>
> Here's a thread with some options (which actually includes my post, I
> guess I used Radius for user auth, and Dovecot's master password for
> IMAP access while in testing. IIRC, Radius auth used password+TOTP in
> the password field)
> https://horde.horde.narkive.com/7NU1F96s/multi-factor-authentication
>
> more info -
> http://janschneider.de/news/35

Thank you for those links. It's the first time I've heard of PrivacyIdea.
I use Lighttpd - maybe there is a way to make it work with PrivacyIdea.
I will spend some time reading through their docs and see where I get.
Thanks again for the suggestion.
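
Added example, not part of the original message and not Horde or PrivacyIdea code: a sketch of how a backend can check the "password+TOTP in the password field" scheme mentioned in the quoted reply, including drift tolerance and replay rejection. The function names, 6-digit/30-second/HMAC-SHA1 parameters and the PBKDF2 password hash are assumptions.

```python
import hashlib
import hmac
import struct

DIGITS = 6  # assumption: 6-digit codes
STEP = 30   # assumption: 30-second time step (RFC 6238 default)


def totp(secret: bytes, at: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    mac = hmac.new(secret, struct.pack(">Q", at // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def split_field(field: str):
    """Split 'password+TOTP' typed into one field; None if no code is present."""
    code = field[-DIGITS:]
    if len(field) <= DIGITS or not (code.isascii() and code.isdigit()):
        return None
    return field[:-DIGITS], code


def verify(field, salt, pw_hash, secret, now, last_step=-1, window=1):
    """Return the accepted time step (persist it as last_step) or None.

    The code is checked against the current step +/- `window` for clock
    drift; steps <= last_step are refused so a captured code cannot be reused.
    """
    parts = split_field(field)
    if parts is None:
        return None
    password, code = parts
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    pw_ok = hmac.compare_digest(cand, pw_hash)
    accepted = None
    for drift in range(-window, window + 1):
        t = now + drift * STEP
        if t < 0:
            continue
        step = t // STEP
        if step > last_step and hmac.compare_digest(totp(secret, t), code):
            accepted = step
    return accepted if pw_ok else None
```

The caller has to store the returned step per user and pass it back as `last_step` on the next login; without that, a code stays valid for its whole drift window.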