bartnv / twofactor_webauthn

Roundcube plugin for FIDO2/WebAuthn 2-factor authentication
GNU General Public License v3.0

TOTP apps support (sponsored) #26

Open f1-outsourcing opened 6 months ago

f1-outsourcing commented 6 months ago

Hi,

Do you think you can add support for TOTP apps? I'm open to sponsoring this. ;)

bartnv commented 6 months ago

I do intend to add this eventually. I actually started this plugin by cloning the twofactor_gauthenticator plugin. As a consequence, they are mutually exclusive right now. It would certainly be ideal to merge them into one.

Thank you for your offer, but money is not the obstacle here, my available time is. I'll see if I can give it some more attention the coming months.

f1-outsourcing commented 6 months ago

> I do intend to add this eventually.

:) I have been trying to get this virtual yubi to work on my computer this weekend; that would be even better. I was curious to see what your login screens looked like, because the twofactor_gauthenticator ones are bad with the new theme/templates. But most people are probably going to scan TOTP QR codes.

> I actually started this plugin by cloning the twofactor_gauthenticator plugin.

I don't think these guys are doing anything, they just merge pull requests. They use some old library to get QR codes from Google, so basically Google has access to all tokens. Please don't do this too. I think everyone is moving to EC keys anyway; not sure if the keys from twofactor_gauthenticator are still considered secure.

Their QR scanning is not working when you have dark mode. An easy fix for this is adding a 10 px white border to the QR code image, but I can't change this, because it is in some JavaScript blob.

I guess you need a TOTP library, no? Because of these timeouts? Please use something small, maybe this: https://github.com/2amigos/2fa-library

This looks professional, but has lots of files; they did not answer my question whether it works in an air-gapped environment. So I guess it doesn't? I don't even get why they would include remote NTP services. Afaik NTP is still mostly unsecured and thus it is possible to extend the TOTP time. They also don't get the concept of LTS versions and backporting, so that could mean that all of a sudden you are stuck with a pile of unsupported files. https://github.com/RobThree/TwoFactorAuth

This is what everyone seems to use for generating QR codes: https://github.com/Bacon/BaconQrCode

> As a consequence, they are mutually exclusive right now. It would certainly be ideal to merge them into one.

I am not going to use it. I am not sure if they considered implementing security properly. I am not sure if using so much JavaScript with authentication is even good. I prefer to see as much as possible done in PHP (server side).

> Thank you for your offer, but money is not the obstacle here, my available time is. I'll see if I can give it some more attention the coming months.

I was trying to get to know the plugin stuff in Roundcube a bit. I am testing a bit with creating the forms. (Actually studying this with your plugin :) ) It would be nice if more template files were just in /skins so it is easier to modify. Currently I am struggling to get the button to submit the values.

If there is anything I can do to help so we can speed this up a bit, let me know, ok?
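The comment above touches on what a TOTP library has to get right: the time step, the drift window ("these timeouts"), and the fact that a skewed clock effectively lengthens a code's lifetime. The following is an added example, not code from twofactor_webauthn or from any library linked in this thread: a minimal RFC 4226 (HOTP) / RFC 6238 (TOTP) verifier in plain PHP. It keeps the drift window small and records the last accepted counter per user so that a code cannot be accepted twice inside the window. The function names, the `$lastCounter` bookkeeping and the demo secret are assumptions for illustration.

```php
<?php
// Added example (not part of the twofactor_webauthn plugin or this thread):
// minimal RFC 4226 (HOTP) / RFC 6238 (TOTP) verifier with a bounded drift window
// and last-used-counter tracking so an accepted code cannot be replayed.

function base32_decode_rfc4648(string $b32): string
{
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = strtoupper(rtrim($b32, '='));
    $bits = '';
    $out = '';
    foreach (str_split($b32) as $ch) {
        $v = strpos($alphabet, $ch);
        if ($v === false) {
            throw new InvalidArgumentException("invalid base32 character: $ch");
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
        while (strlen($bits) >= 8) {
            $out .= chr(bindec(substr($bits, 0, 8)));
            $bits = substr($bits, 8);
        }
    }
    return $out;
}

function hotp(string $secret, int $counter, int $digits = 6): string
{
    $msg = pack('J', $counter);                      // 8-byte big-endian counter (RFC 4226)
    $hmac = hash_hmac('sha1', $msg, $secret, true);  // raw 20-byte HMAC-SHA1
    $offset = ord($hmac[19]) & 0x0f;                 // dynamic truncation
    $code = ((ord($hmac[$offset]) & 0x7f) << 24)
          | (ord($hmac[$offset + 1]) << 16)
          | (ord($hmac[$offset + 2]) << 8)
          | ord($hmac[$offset + 3]);
    return str_pad((string)($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

function totp_counter(int $unixTime, int $period = 30): int
{
    return intdiv($unixTime, $period);
}

/**
 * Verify $code for a user whose last accepted counter is $lastCounter (null if none).
 * $window is the number of 30 s steps tolerated in each direction; keep it at 1,
 * a larger window is the same thing as a longer-lived code. Returns the counter to
 * persist for the user on success, or null on failure.
 */
function totp_verify(string $secret, string $code, int $now, ?int $lastCounter, int $window = 1): ?int
{
    $base = totp_counter($now);
    for ($i = -$window; $i <= $window; $i++) {
        $c = $base + $i;
        if ($lastCounter !== null && $c <= $lastCounter) {
            continue;  // this step (or an older one) was already used: reject replay
        }
        if (hash_equals(hotp($secret, $c), $code)) {  // constant-time comparison
            return $c;
        }
    }
    return null;
}

// Constructed demo: the RFC 6238 Appendix B test secret "12345678901234567890" in base32.
$secret = base32_decode_rfc4648('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ');
$last = null;
$first = totp_verify($secret, hotp($secret, totp_counter(59)), 59, $last);  // accepted
$again = totp_verify($secret, hotp($secret, totp_counter(59)), 75, $first); // same code, rejected
var_dump($first, $again);
```

The secret above is the one RFC 6238 publishes test vectors for, so the generated codes can be checked against Appendix B of the RFC. The replay guard is what actually bounds a code's usable lifetime when the server clock is wrong: even with a skewed clock, a code is accepted at most once, and the persisted counter must be stored per user next to the secret.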

f1-outsourcing commented 6 months ago

> As a consequence, they are mutually exclusive right now.

I was testing with my demo plugin and noticed your JavaScript in my view-source of the settings page. I assume this should only be loaded when I view your plugin's settings? If I disable your plugin this code is not showing on my settings page.

... twofactor_webauthn.activate":"Activate","twofactor_webauthn.twofactor_webauthn":"Two-factor authentication","twofactor_webauthn.config":"Two-factor authentication","twofactor_webauthn.two_step_verification_form":"Two-factor authentication form","twofactor_weba ...
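The strings quoted above are localization texts exported to the client-side environment, which happens on every settings page if the plugin exports them from `init()`. As an added example (not code from twofactor_webauthn), here is a skeleton Roundcube plugin that registers its own settings action and only exports its texts and loads its script inside that action's handler. The plugin name `example_2fa`, the action name and the template name are assumptions; the `rcube_plugin` methods used (`add_hook`, `register_action`, `add_texts`, `include_script`, the `settings_actions` hook) are the standard Roundcube plugin API.

```php
<?php
// Added example, not the twofactor_webauthn plugin's code: load plugin JavaScript and
// client-side texts only when the plugin's own settings section is rendered.
class example_2fa extends rcube_plugin
{
    // Roundcube only instantiates the plugin for these tasks
    public $task = 'login|settings';

    private $rc;

    public function init()
    {
        $this->rc = rcmail::get_instance();

        // Add an entry to the settings sidebar and route its action to us.
        $this->add_hook('settings_actions', [$this, 'settings_actions']);
        $this->register_action('plugin.example_2fa', [$this, 'settings_view']);

        // Deliberately no include_script() or add_texts(..., true) here: calling them
        // in init() would push this plugin's strings and script into every settings page.
    }

    public function settings_actions($args)
    {
        $args['actions'][] = [
            'action' => 'plugin.example_2fa',
            'class'  => 'example_2fa',
            'label'  => 'config',       // assumed key in localization/*.inc
            'domain' => 'example_2fa',
        ];
        return $args;
    }

    public function settings_view()
    {
        // Only reached for task=settings, action=plugin.example_2fa.
        $this->add_texts('localization/', true);  // true: also expose texts to the JS env
        $this->include_script('example_2fa.js');
        $this->rc->output->set_pagetitle($this->gettext('config'));

        // Assumed template: plugins/example_2fa/skins/<skin>/templates/settings.html
        $this->rc->output->send('example_2fa.settings');
    }
}
```

Keeping the export inside the action handler means a view-source of an unrelated settings page no longer reveals that the plugin is installed or which actions it exposes, and it keeps the plugin's template under its own `skins/` directory, which is the layout the previous comment asked for.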

f1-outsourcing commented 6 months ago

Hi Bart,

I have found (I think) a good plugin; it looks quite professionally done in the settings. HOTP is not working and YubiKey needs an API key??? But it can even store things in LDAP: https://github.com/thomascube/roundcube-plugin-kolab-2fa

I only needed to change/add this line to get it to work (could be that I was lucky with composer versions):
$loader = require_once __DIR__ . '/vendor/autoload.php';

How do you handle requests from users who no longer have access to their TOTP key? Maybe some CLI needs to be added to delete configured keys? What I like about this twofactor_gauthenticator is that they have this auto enrolment of 2FA. I did not test it, but I guess it forces users (groups) to use 2FA.

Maybe it's a nice idea if people who have their own repos join efforts and maintain one plugin? ;) https://github.com/thomascube/roundcube-plugin-kolab-2fa https://github.com/kolbma/kolab_2fa https://github.com/alexandregz/twofactor_gauthenticator

f1-outsourcing commented 6 months ago

@alexandregz @bartnv Maybe you would like to join efforts? I am not thinking of maintaining what I currently have[1]. Maybe it is something you would like to use. It is a bit shitty that I could not use the original/current source of https://git.kolab.org/diffusion/RPK/browse/master/plugins/kolab_2fa/, but then again there are not that many files. Searching for this kolab_2fa I found some useful patches here and there.

[1] https://github.com/f1-outsourcing/roundcube-2fa/tree/auto-enrollment
