Hello roundcubies, I'm trying to get a specific configuration working and having some issues:
I see that roundcube uses IMAP authentication for user logins, but I'm trying to protect against keylogger attacks, i.e. logging in from a public kiosk or internet cafe or other untrusted client machine which very well may have a keystroke logger on it.
So naturally, OTP is of interest, since it's one-time use, and it expires after a short duration. I was successful in configuring the twofactor_gauthenticator plugin, with the FreeOTP app on my phone, so I can log in using OTP - however this plugin requires you to enter your normal IMAP user password along with the OTP. So that's no good, because if someone captures the IMAP password, they can bypass Roundcube altogether and log in directly via IMAP.
Next I tried the http_authentication plugin, which passes credentials to Roundcube, but that doesn't achieve the goal either, as you still have to enter your IMAP login to the browser, which then passes it to Roundcube.
The perfect solution would be twofactor_gauthenticator but without the requirement to enter the IMAP password. That doesn't appear to be supported though?
Does anyone know how I can authenticate users to Roundcube without having to type the IMAP password?
Thank you
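Added example (editor's note, not part of the original post, not Roundcube's own code and not the twofactor_gauthenticator or http_authentication plugin): one way to get what the post asks for is a small plugin on Roundcube's `authenticate` hook. The user types only their username and the TOTP code from FreeOTP (the code goes in the password box), the plugin verifies the code server-side, and on success it swaps in a Dovecot master-user login, so the real IMAP password is never typed on the client and an attacker who captures the keystrokes gets a code that is already spent. Everything below is hypothetical for illustration: it assumes Dovecot has `auth_master_user_separator = *` and a master passdb, that `config.inc.php` defines `otp_master_user`, `otp_master_pass` and `otp_secrets` (username => base32 secret as enrolled in FreeOTP), and it keeps the last accepted counter in a file under the temp dir, which a real deployment would move into the Roundcube database.

```php
<?php
/**
 * otp_master_login: hypothetical example plugin (added here, not from
 * Roundcube or any existing plugin). The password box carries a TOTP code;
 * on success the plugin substitutes a Dovecot master-user login so the
 * user's own IMAP password is never sent from the client.
 *
 * Assumptions for this example:
 *  - Dovecot: auth_master_user_separator = * plus a master passdb, so a
 *    login as "alice*webmail" with the master password authenticates alice.
 *  - config.inc.php: $config['otp_master_user'], $config['otp_master_pass'],
 *    $config['otp_secrets'] = array('alice' => 'JBSWY3DPEHPK3PXP', ...).
 *  - Replay state lives in a temp file (placeholder for a DB table).
 */
class otp_master_login extends rcube_plugin
{
    public $task = 'login';

    function init()
    {
        $this->load_config();
        $this->add_hook('authenticate', array($this, 'authenticate'));
    }

    function authenticate($args)
    {
        $rcmail  = rcmail::get_instance();
        $user    = $args['user'];
        $otp     = trim($args['pass']);   // TOTP typed instead of the IMAP password
        $secrets = $rcmail->config->get('otp_secrets', array());

        // No enrolled secret or malformed code: refuse, never fall back to a password
        if (empty($secrets[$user]) || !preg_match('/^\d{6}$/', $otp)) {
            $args['abort'] = true;
            return $args;
        }

        $step = self::verify_totp($secrets[$user], $otp, time(), 1);
        if ($step === false || !self::mark_used($user, $step)) {
            $args['abort'] = true;   // wrong code, or replay of a code already spent
            return $args;
        }

        // Master credentials are read from server-side config only
        $args['user'] = $user . '*' . $rcmail->config->get('otp_master_user');
        $args['pass'] = $rcmail->config->get('otp_master_pass');
        return $args;
    }

    /** RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30 s step). Returns the matching
     *  time-step counter, or false. $window tolerates +/- N steps of clock drift. */
    static function verify_totp($base32_secret, $code, $now, $window)
    {
        $key  = self::base32_decode($base32_secret);
        $step = (int) floor($now / 30);
        for ($i = -$window; $i <= $window; $i++) {
            $counter = $step + $i;
            $msg  = pack('N*', 0, $counter);             // 8-byte big-endian counter
            $hash = hash_hmac('sha1', $msg, $key, true);
            $off  = ord($hash[19]) & 0x0f;               // dynamic truncation
            $bin  = ((ord($hash[$off]) & 0x7f) << 24)
                  | (ord($hash[$off + 1]) << 16)
                  | (ord($hash[$off + 2]) << 8)
                  |  ord($hash[$off + 3]);
            $expected = sprintf('%06d', $bin % 1000000);
            if (hash_equals($expected, $code)) {
                return $counter;
            }
        }
        return false;
    }

    /** One-time use: a counter is accepted only if it is newer than the last
     *  one accepted for this user, so a captured code cannot be replayed. */
    static function mark_used($user, $counter)
    {
        $file = sys_get_temp_dir() . '/otp_last_' . hash('sha256', $user);
        $last = is_file($file) ? (int) file_get_contents($file) : -1;
        if ($counter <= $last) {
            return false;
        }
        file_put_contents($file, (string) $counter, LOCK_EX);
        return true;
    }

    /** Decode the base32 secret string that FreeOTP displays at enrolment. */
    static function base32_decode($s)
    {
        $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
        $bits = '';
        foreach (str_split(strtoupper(rtrim($s, '='))) as $c) {
            $bits .= str_pad(decbin(strpos($alphabet, $c)), 5, '0', STR_PAD_LEFT);
        }
        $out = '';
        foreach (str_split($bits, 8) as $byte) {
            if (strlen($byte) == 8) {
                $out .= chr(bindec($byte));
            }
        }
        return $out;
    }
}
```

Two caveats if anyone tries something like this: the master password now sits in Roundcube's config and in the (encrypted) session, so the webmail host becomes the thing to protect, and anyone who can reach IMAP with that master password can read every mailbox, so it must never be given to users. Also, this only removes the password from the keyboard; a kiosk that can read the browser can still steal the session cookie, so keep session lifetimes short and log out explicitly.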