View Issue Details

ID: 0002722
Project: SOGo
Category: Web General
View Status: public
Last Update: 2020-05-07 16:52
Reporter: jda
Assigned To: francis
Priority: normal
Severity: feature
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Fixed in Version: 5.0.0
Summary: 0002722: Feature request: add two factor authentication
Description

Two-factor authentication would be a nice addition to the web interface, as this might sometimes be used on hardware not under the user's/administrator's control. Many services have started to offer OATH TOTP/HOTP/OCRA two-factor authentication and token generators are readily available.

Tags: authentication

Activities

franta

2014-04-17 08:15

reporter   ~0006928

I agree that two-factor authentication would be nice. And I think that this can be achieved by SOGo supporting authentication against a SASL socket (like e.g. Postfix does).

So SOGo will not do the password matching itself (which requires access to an SQL view with passwords) but will send the username and password to an authentication socket (which can be provided e.g. by Dovecot). And this socket can do two-factor authentication - the password will have a fixed part + a variable part generated by an OTP token.

The user can compose this password themselves (no other changes in SOGo needed), or there can be one more field in the SOGo login form and SOGo will concatenate the password parts:

Username: __
Password: __
Number from your token: ____

Besides that, this approach (auth socket) will enable using many more hashing algorithms – SOGo doesn't have to support them itself; they will be provided by the authentication backend (socket).

Workaround: use an "LDAP simulator" (maybe OpenLDAP with a custom backend) that will validate passwords built from fixed+variable parts.
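The "fixed part + number from your token" check proposed in the note above, sketched as an added example (not SOGo, Dovecot or any project's code). It assumes a 6-digit, 30-second TOTP token (RFC 6238 defaults), a PBKDF2-hashed fixed part, and a hypothetical per-user record with `salt`, `pw_hash`, `secret` and `last_counter` fields; the account data is constructed.

```python
import hashlib
import hmac
import struct

DIGITS, STEP = 6, 30  # assumed token parameters (RFC 6238 defaults)

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def hash_fixed(password: str, salt: bytes) -> bytes:
    """Hash of the fixed password part (PBKDF2 is this example's choice)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify(submitted: str, user: dict, now: float, window: int = 1) -> bool:
    """Validate 'fixed part + OTP' sent as one password string.

    On success, records the accepted time step in user['last_counter'].
    """
    fixed, code = submitted[:-DIGITS], submitted[-DIGITS:]
    well_formed = len(submitted) > DIGITS and code.isascii() and code.isdigit()
    # Always hash the fixed part, so timing does not show which half was wrong.
    fixed_ok = hmac.compare_digest(hash_fixed(fixed, user["salt"]), user["pw_hash"])
    current = int(now) // STEP
    matched = None
    # Accept neighbouring time steps to tolerate clock drift on the token.
    for counter in range(max(0, current - window), current + window + 1):
        if well_formed and hmac.compare_digest(hotp(user["secret"], counter), code):
            matched = counter
    # A code from an already accepted (or older) time step is a replay.
    if not (fixed_ok and matched is not None and matched > user["last_counter"]):
        return False
    user["last_counter"] = matched
    return True

# Constructed sample account; the secret is the RFC 4226/6238 test key.
SALT = b"constructed-salt"
USER = {"salt": SALT, "pw_hash": hash_fixed("correct horse", SALT),
        "secret": b"12345678901234567890", "last_counter": -1}
```

Because the backend sees only one string, the split relies on a fixed code length, and the replay check needs per-user state that a plain password lookup does not keep.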

Sefer

2017-06-09 17:53

reporter   ~0011913

Last edited: 2017-06-09 17:54

Reported in 2014... It's 2017 and Security has never been more important. It would be great if Two-Factor Authentication could be implemented!

nuwohg

2017-06-12 03:02

reporter   ~0011917

I agree - 2FA implementation is overdue. Are there any plans for this?

Christian Mack

2017-06-12 07:37

developer   ~0011919

There is SAML2 authentication already. That can provide multiple factor auth.

heupink

2017-06-13 05:50

reporter   ~0011924

Exactly. Red Hat's Keycloak IdP does that, for example. The only difficulty is getting IMAP to accept those same SAML2 credentials. For that we use:
https://github.com/ck-ws/pam-script-saml

Hope this helps you too.

phatina

2018-10-23 10:24

reporter   ~0013133

Any news about this feature?

nuwohg

2019-01-16 03:00

reporter   ~0013261

2FA may be needed in the EU in the near future (see DSGVO). So are there any plans to implement this proven technique?

Neustradamus

2020-01-28 18:31

reporter   ~0014116

FreeOTP support?

Really needed...

francis

2020-05-07 16:52

administrator   ~0014308

Google Authenticator is now supported.

Issue History

Date Modified Username Field Change
2014-04-17 04:16 jda New Issue
2014-04-17 08:15 franta Note Added: 0006928
2014-04-17 08:16 franta Tag Attached: authentication
2016-05-12 12:56 ludovic Severity minor => feature
2017-06-09 17:53 Sefer Note Added: 0011913
2017-06-09 17:54 Sefer Note Edited: 0011913
2017-06-09 17:54 Sefer Note Edited: 0011913
2017-06-12 03:02 nuwohg Note Added: 0011917
2017-06-12 07:37 Christian Mack Note Added: 0011919
2017-06-13 05:50 heupink Note Added: 0011924
2018-10-23 10:24 phatina Note Added: 0013133
2019-01-16 03:00 nuwohg Note Added: 0013261
2020-01-28 18:31 Neustradamus Note Added: 0014116
2020-05-07 16:52 francis Assigned To => francis
2020-05-07 16:52 francis Status new => resolved
2020-05-07 16:52 francis Resolution open => fixed
2020-05-07 16:52 francis Fixed in Version => 5.0.0
2020-05-07 16:52 francis Note Added: 0014308