Kolab should support two-factor authentication first for Roundcube logins, but later also for #HKCCP logins and maybe at some point even for desktop clients.
There are two scenarios to take into account, splitting this feature into multiple milestones:
- The "single organization" deployment scenario, where an "employer" can give its "employees" a token (Yubikey, smart card, smart phone, ...) to become the OTP provider or second factor.
- A "hosted" scenario where "individuals" register, in which the provider cannot require that any particular piece of external tooling be in the customer's possession -- i.e. Kolab Now cannot require customers to purchase a Yubikey.
A first (few) milestone(s) would simply allow a selected set of OTP/2nd-factor devices to be used in the required form.
A second set of milestones would aim for customer control over whether or not the OTP/2nd-factor is required for their individual account, with a selection of tokens/devices available.
The simplest implementation for client-side TOTP is here (free, available for Android and iOS):
Further considerations include:
- For some particular types of OTP to be validated, the server side is often required to store so much information that the server itself would be able to generate the next valid OTP, partly defeating the purpose. A mitigation strategy is to aim for zero-proof one-time passwords, where the payload of the credentials exchange never contains any actual credentials.
- For OTPs to apply to components like webmail, it is unreasonable to require an OTP with every single login event (especially with the webmail -> IMAP/SMTP authentication). A mitigation strategy is to validate a session once (with the OTP/second factor) and never again use any original set of credentials, but instead switch to token-based CAS.
- Applying OTPs to components like IMAP/SMTP (i.e. desktop clients) requires some more thought -- a knock-knock mechanism comes to mind.