Roundcube Community Forum

One Time Password

Started by helmutkaufmann, January 15, 2013, 07:54:23 AM


helmutkaufmann

Hi,

Is there an option to use One Time Passwords with Roundcube without having to install your own authentication server (as it seems to be necessary with the OpenOTP plugin for Roundcube)? Should I have missed a posting, I'd appreciate being pointed to that posting.

Thanks a lot,
Helmut

SKaero

RoundCube needs the IMAP account password to log in to the mail server, so a one time password system should be set up as part of the mail server authentication, not RoundCube. Alternatively, if you have no access to the mail server you could make a RoundCube plugin do it, but it would be less secure.

helmutkaufmann

Hi,

That I understand... The solution to that would be - as I think you suggested - a login plugin that handles the authentication with OTP and then reads the IMAP credentials from, e.g., a database. I cannot pass these on along with the OTP credential, as anyone could just use them straight with the IMAP server.

So, no one having done something like this for RC?

Thanks a lot,
Helmutz

SKaero

To my knowledge there isn't currently a plugin that does that, but I don't think it would be too hard to code.

helmutkaufmann

Thanks, folks!

If anyone is reading this some time in the future and implements it, please do post the plugin. I think it would be of real value-add - especially for people on the road, who read email on somewhat untrusted devices...

Best,
Helmut

corbosman

How do you read credentials from a database? Any serious authentication system does not have access to plaintext credentials. Only one-way hashed passwords.

I have implemented an OTP system on roundcube for our company. It's far from trivial. I had the system that does the OTP verification create a Single Sign-on token for the webmail session, then return the SSO token to roundcube, and in a plugin I replace the password with the SSO. Our authentication backend behind imap can verify both passwords and SSOs.

An easier (but to me less safe) way to do it is to use dovecot's master password option. Wouldn't be allowed in our company, but YMMV.

Cor
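An added illustration of the SSO-token design corbosman describes above (this is not his code and not a Roundcube plugin; the token format, shared key, TTL, salt and user store are constructed for the demo): the OTP verifier mints a short-lived HMAC token only after the OTP check passes, the webmail side hands that token to IMAP instead of a password, and the backend behind IMAP accepts either the salted one-way password hash or a single-use, unexpired token, so no plaintext IMAP credential is ever stored or forwarded.

```python
import hashlib
import hmac
import secrets
import time

# Constructed demo state. The backend stores only a salted one-way hash,
# as corbosman's post requires; the key is shared by OTP verifier and backend.
SECRET = b"constructed-demo-sso-key"
TOKEN_TTL = 60                 # seconds an SSO token stays valid
_SALT = b"constructed-salt"
USERS = {"helmut": hashlib.pbkdf2_hmac("sha256", b"imap-pw", _SALT, 100_000)}
_used_tokens = set()           # each token is accepted once, to defeat replay


def issue_sso_token(user, otp_ok, now=None):
    """OTP verifier side: mint a token bound to user and expiry, only if the OTP passed."""
    if not otp_ok:
        return None
    exp = int(now if now is not None else time.time()) + TOKEN_TTL
    body = f"{user}:{exp}:{secrets.token_hex(8)}"
    mac = hmac.new(SECRET, body.encode(), "sha256").hexdigest()
    return f"SSO:{body}:{mac}"


def webmail_login(user, otp_ok):
    """Webmail side: the 'password' passed on to IMAP is the SSO token, never a user secret."""
    return {"user": user, "pass": issue_sso_token(user, otp_ok)}


def backend_authenticate(user, password, now=None):
    """Auth backend behind IMAP: accept a hashed password or a valid SSO token."""
    now = int(now if now is not None else time.time())
    if user not in USERS:
        return False
    if password.startswith("SSO:"):
        parts = password.split(":")
        if len(parts) != 5:
            return False
        _, tuser, exp, nonce, mac = parts
        expected = hmac.new(SECRET, f"{tuser}:{exp}:{nonce}".encode(), "sha256").hexdigest()
        if not hmac.compare_digest(mac, expected):      # constant-time MAC check first
            return False
        if tuser != user or not exp.isdigit() or now > int(exp):
            return False                                # wrong user or expired
        if password in _used_tokens:
            return False                                # replayed token
        _used_tokens.add(password)
        return True
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(digest, USERS[user])
```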