alexandregz / twofactor_gauthenticator

This RoundCube plugin adds 2-step verification (OTP) to the login process
MIT License

[Feature Request] Go wild, go YubiKey! #175

Open GwynethLlewelyn opened 1 year ago

GwynethLlewelyn commented 1 year ago

I know, I know, this is really going wild, but... who knows, perhaps you might have some spare time and try to integrate YubiKey as a valid 2FA mechanism? (it's just because it's so convenient — and even more secure — and YubiKeys are getting cheaper every day)

It seems to have been attempted in the past, before the new unified authentication mechanism was adopted: https://github.com/roundcube/roundcubemail/issues/1697

It's also a feature of RoundCube Plus (with a way fancy interface): https://roundcubeplus.com/tutorials/security/2fa-yubikey

Interestingly, Yubico did provide a library with a PHP class for YubiKey authentication, but they have deprecated it in favour of a 'unified' interface (see https://status.yubico.com/2021/04/15/one-api-yubico-com-one-http-get/). There are, however, some individuals still maintaining a PHP library; here on GitHub, @enygma still keeps the following library up to date: https://github.com/enygma/yubikey

Granted, I have no idea how complicated this might be to implement on your own plugin; the only reason for making the feature request here — as opposed to suggesting a new plugin for RoundCube! — is that I'd love to give users the option to use either TOTP authentication (using QR codes, etc., just like you do it), or YubiKey authentication, or both — and I'm pretty sure that separate plugins will mess that up in some mysterious way...

It's just an idea, mind you...

alexandregz commented 1 year ago

Hi @GwynethLlewelyn, coincidentally this month I bought two NFC Yubikeys. I'm waiting for the order, they have delays with orders: "We are still experiencing delays and we anticipate that your order will be fulfilled by mid-February or sooner"

So, maybe by mid-February I can begin reading and documenting how to integrate Yubico keys with the plugin 😄

Thx for your feedback :-)

GwynethLlewelyn commented 1 year ago

Oh wow, this must be the quickest answer I've ever got on GitHub 🤣

In fact, I had long been 'romancing' the YubiKeys, but still found them too expensive for my tastes, until I got them for a bargain with a Cloudflare promotion. Sadly, that promotion is now over, but I'm sure that there will be more (perhaps from GitHub?).

Happy YubiKey-ing 😁

(Disclaimer: I'm not proficient in YubiKey programming; oh, sure, I signed up for their API keys and so forth, but I hardly have the time for another project...)

listerr commented 1 year ago

If you use one of the Yubikey's slots for FIDO2, it'll work nicely with webauthn:

https://plugins.roundcube.net/#/packages/mmvi/twofactor_webauthn

This plugin could use a little documentation, but it does seem to "just work" once you enable it.

I did manage to get the Yubikey OTP working with this plugin:

https://plugins.roundcube.net/#/packages/kolab/kolab_2fa

This plugin doesn't work properly out of the box, or really explain how to set it up.

You need to get a Yubico API key from: https://upgrade.yubico.com/getapikey/

Then configure it in kolab_2fa/config.inc.php:

// available methods/providers. Supported methods are: 'totp','hotp','yubikey'
$config['kolab_2fa_drivers'] = array('yubikey');

...

// configuration parameters for Yubikey (uncomment to adjust)
$config['kolab_2fa_yubikey'] = array(
    'clientid' => '123456',
    'apikey' => '<your-server-api-key>',
    // 'hosts'  => array('api.myhost1.com','api2.myhost.com'),
    'use_https' => true,  // connect via https if set to true
);

If you don't configure this, roundcube dies with an error, as it doesn't seem to do any sanity check before trying to call the Yubikey OTP.

I didn't manage to get kolab_2fa's totp or hotp options working though. Seems to use quite old drivers (or I have a version of php that's too new for it!) and it generates invalid QR codes which are not recognised by any authenticator apps.

Without that, there's no benefit for me (might as well just use webauthn), so I removed kolab_2fa for the time being and went back to twofactor_gauthenticator.

FIDO2 is arguably better as it's purely a hardware token and doesn't rely on Yubico's cloud API. Although the Yubico OTP is easier to set up for existing users as you don't have to enable FIDO2 on the Yubikey.

For now I've got both twofactor_webauthn and twofactor_gauthenticator enabled, but I have:

$rcmail_config['force_enrollment_users'] = false;

to allow users to change to webauthn instead. (No more 6 digit codes: just tap the Yubikey and done.)

In the settings, users have to deactivate their twofactor_gauthenticator TOTP and then add their yubikey(s) in webauthn and activate it. If a user has both twofactor_gauthenticator TOTP AND webauthn activated, then what happens is it asks for the Yubikey authentication and then it seems twofactor_gauthenticator logs them out, even if they are not in $rcmail_config['users_allowed_2FA'].

twofactor_webauthn currently has no backup mechanism: no Yubikey, no access. But there is an admin script provided to temporarily disable it.

What I need to figure out now is a way to authenticate IMAP devices e.g. "application-specific passwords" or using OAUTH2, but not all clients support OAUTH2. Having 2fa on roundcube is all rather pointless if the same credentials can be used with IMAP but no 2fa is required.
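As an added example (not code from kolab_2fa, twofactor_gauthenticator or Yubico), here is the sanity check the comment above says is missing: it validates the kolab_2fa_yubikey fragment before any call to the validation API and also rejects malformed OTPs locally. It goes slightly beyond the thread by assuming the Yubico OTP layout (44 ModHex characters, the first 12 being the key's public id) and that the API key is base64; neither detail is stated in the thread.

```php
<?php
// Added example, not code from kolab_2fa or twofactor_gauthenticator: sanity checks
// to run before an OTP is sent to Yubico's validation API, covering the two
// failure modes described above: an absent/placeholder kolab_2fa_yubikey config
// and malformed OTP input. Assumes a Yubico OTP is 44 ModHex characters whose
// first 12 are the key's public identity, and that the API key is base64.

const YUBICO_MODHEX = 'cbdefghijklnrtuv';

// Returns a list of config problems; an empty array means the driver is usable.
function kolab_2fa_yubikey_config_errors(array $config): array
{
    $errors = [];
    if (!in_array('yubikey', $config['kolab_2fa_drivers'] ?? [], true)) {
        $errors[] = "'yubikey' is not listed in kolab_2fa_drivers";
    }
    $yk = $config['kolab_2fa_yubikey'] ?? null;
    if (!is_array($yk)) {
        $errors[] = 'kolab_2fa_yubikey is not set';
        return $errors;
    }
    if (empty($yk['clientid']) || !ctype_digit((string) $yk['clientid'])) {
        $errors[] = "'clientid' must be the numeric id issued with the API key";
    }
    if (empty($yk['apikey']) || $yk['apikey'] === '<your-server-api-key>'
        || base64_decode($yk['apikey'], true) === false) {
        $errors[] = "'apikey' is missing, still the placeholder, or not base64";
    }
    if (($yk['use_https'] ?? false) !== true) {
        $errors[] = "'use_https' should be true so OTPs are not sent in clear";
    }
    return $errors;
}

// Returns the 12-character public id of a well-formed OTP, or null if malformed.
// Comparing it with the id enrolled for the user rejects someone else's key
// locally, before any network call is made.
function yubico_otp_public_id(string $otp): ?string
{
    $otp = strtolower(trim($otp));
    if (strlen($otp) !== 44 || strspn($otp, YUBICO_MODHEX) !== 44) {
        return null;
    }
    return substr($otp, 0, 12);
}

// Usage with the fragment quoted above: the placeholder apikey is reported.
$sample = ['kolab_2fa_drivers' => ['yubikey'], 'kolab_2fa_yubikey' => [
    'clientid' => '123456', 'apikey' => '<your-server-api-key>', 'use_https' => true]];
foreach (kolab_2fa_yubikey_config_errors($sample) as $e) { echo "config: $e\n"; }
```

Running the checks at plugin init (and logging the result) turns the hard error described above into a readable message for the admin.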

PYU224 commented 1 year ago

Are you planning to not support Yubikey (FIDO2) with this plug-in alone?

Daniel15 commented 9 months ago

Are you planning to not support Yubikey (FIDO2) with this plug-in alone?

Newer Yubikeys support FIDO2/WebAuthn so they're probably better suited to a WebAuthn plugin. Yubikey TOTP still exists but it's slowly being deprecated in favour of WebAuthn since it's more secure - TOTP keys are vulnerable to phishing whereas WebAuthn isn't.