
Two-factor Authentication
Open, Normal, Public

Description

Kolab should support Two-factor Authentication first for Roundcube logins, but later also for #HKCCP logins and maybe at some point even for desktop clients.

There are two scenarios to take into account, which splits this feature into multiple milestones:

  • The "single organization" deployment scenario, where an "employer" can give its "employees" a token (Yubikey, smart card, smart phone, ...) to become the OTP provider or second factor.
  • A "hosted" scenario where "individuals" register, of which the provider cannot require any one certain piece of external tooling be in the customer's possession -- i.e. Kolab Now cannot require customers purchase a Yubikey.

A first (few) milestone(s) would simply allow a selected set of OTP/2nd-factor devices to be used in the required form.

A second set of milestones would aim for customer control over whether or not the OTP/2nd-factor is required for their individual account, with a selection of tokens/devices available.

The simplest client-side TOTP implementation is FreeOTP (free, available for Android and iOS):

https://fedorahosted.org/freeotp/

Further considerations include:

  • For some types of OTP to be validated, the server side has to store so much information that it could itself generate the next valid OTP, which partly defeats the purpose. A mitigation strategy is to aim for zero-proof one-time passwords, where the payload of the credentials exchange never contains any actual credentials.
  • For OTPs to apply to components like webmail, it is unreasonable to require an OTP with every single login event (especially with the webmail -> imap/smtp authentication). A mitigation strategy is to validate a session once (w/ the OTP/2nd-factor) and never again use any original set of credentials, but instead switch to token-based CAS.
  • For OTPs to apply to components like IMAP/SMTP (i.e. desktop clients) requires some more thought -- a knock-knock mechanism comes to mind.

Details

Ticket Type
Epic

Related Objects

Status      Assigned
Wontfix     vanmeeuwen
Wontfix     vanmeeuwen
Open        None
Open        bruederli
Resolved    bruederli
Resolved    bruederli
Open        None
Open        bruederli
Open        None
Resolved    vanmeeuwen
Resolved    vanmeeuwen
Resolved    vanmeeuwen
Resolved    vanmeeuwen
Resolved    vanmeeuwen
Duplicate   None
Invalid     None
Resolved    vanmeeuwen
Resolved    machniak
Open        None
Resolved    machniak
Open        None
Open        None
Open        None
Open        None
Wontfix     machniak
Open        None

Event Timeline

grote raised the priority of this task from to 60.
grote updated the task description.
grote changed Ticket Type from Task to Epic.
grote subscribed.

Getting OTP would be wonderful. I do own a Yubikey Edge, which is configured for OATH-HOTP and Challenge-Response HMAC-SHA1 (and U2F). I do use Challenge-Response for offline things like KeePass, LUKS or laptop login.

The HOTP token is registered in a privacyIDEA server (other people might use LinOTP or something similar).
Right now it is used for remote login/VPN and I'd like to use it for Kolab too.

I don't want to use Yubico Cloud and would like to see Kolab using privacyIDEA as a backend, so the token most probably doesn't get out of sync.

vanmeeuwen lowered the priority of this task from 60 to Normal. Mar 28 2019, 8:13 AM