Add OTP-based two-factor authentication to Roundcube. M3 provides a conceptual draft how this is supposed to work.
A Roundcube plugin for handling two-factor authentication shall be implemented, with a driver-based backend to support multiple methods (FreeOTP, Yubikey, etc.). Users can enable OTP for their account through the preferences by selecting one of the methods provided by the plugin.
The actual validation and storage of OTP secrets associated with a user account shall be handled by a service external to the Roundcube web server, only reachable through an API/RPC from the Roundcube server(s). This external "validation" service needs to be designed and implemented separately.