View Issue Details

IDProjectCategoryView StatusLast Update
0002722SOGoWeb Generalpublic2020-05-07 20:52
Reporterjda Assigned Tofrancis  
PrioritynormalSeverityfeatureReproducibilityhave not tried
Status resolvedResolutionfixed 
Fixed in Version5.0.0 
Summary0002722: Feature request: add two factor authentication

Two-factor authentication would be a nice addition to the web-interface, as this might sometimes be used on hardware not under the users's/administrator's control. Many services have started to offer OATH TOTP/HOTP/OCRA two-factor authentication ant token generators are readily available.





2014-04-17 12:15

reporter   ~0006928

I agree that two-factor athentication would be nice. And I think that this can be achieved by SOGo supporting authentication against SASL socket (like e.g. Postfix do).

So the SOGo will not do the password matching itself (which requires acces to an SQL view with passwords) but will send the username and password to an authentication socket (can be provided e.g. by Dovecot). And this socket can do two-factor authentication - the password will have a fixed part + variable part generated by an OTP token.

User can compose this password itself (no other changes in SOGo needed) or there can be one more field in the SOGo login form and SOGo will concatenate the password parts:

Username: __
Password: __
Number from your token: ____

Beside that this approach (auth socket) will enable using much more hashing algorithms – SOGo don't have to support them itself, they will be provided by atuhentication backend (socket).

Workaround: use "LDAP simulator" (maybe OpenLDAP with custom backend) that will validate passwords build from fixed+variable parts.



2017-06-09 21:53

reporter   ~0011913

Last edited: 2017-06-09 21:54

Reported in 2014... It's 2017 and Security has never been more important. It would be great if Two-Factor Authentication could be implemented!



2017-06-12 07:02

reporter   ~0011917

I agree - 2fA implementation is overdue. Are there any plans for this?

Christian Mack

Christian Mack

2017-06-12 11:37

developer   ~0011919

There is SAML2 authentication already. That can provide multiple factor auth.



2017-06-13 09:50

reporter   ~0011924

Exactly. RedHat's keycloak IdP does that, for example. The only difficulty is getting imap to accept those same SAML2 credentials. We use for that:

Hope this helps you too.



2018-10-23 14:24

reporter   ~0013133

Any news about this feature?



2019-01-16 08:00

reporter   ~0013261

2FA maybe needed in the EU in the near future (see DSGVO). So are there any plans to implement this proofed technic?



2020-01-28 23:31

reporter   ~0014116

FreeOTP support?

Really needed...



2020-05-07 20:52

administrator   ~0014308

Google Authenticator is now supported.

Issue History

Date Modified Username Field Change
2014-04-17 08:16 jda New Issue
2014-04-17 12:15 franta Note Added: 0006928
2014-04-17 12:16 franta Tag Attached: authentication
2016-05-12 16:56 ludovic Severity minor => feature
2017-06-09 21:53 Sefer Note Added: 0011913
2017-06-09 21:54 Sefer Note Edited: 0011913
2017-06-09 21:54 Sefer Note Edited: 0011913
2017-06-12 07:02 nuwohg Note Added: 0011917
2017-06-12 11:37 Christian Mack Note Added: 0011919
2017-06-13 09:50 heupink Note Added: 0011924
2018-10-23 14:24 phatina Note Added: 0013133
2019-01-16 08:00 nuwohg Note Added: 0013261
2020-01-28 23:31 Neustradamus Note Added: 0014116
2020-05-07 20:52 francis Assigned To => francis
2020-05-07 20:52 francis Status new => resolved
2020-05-07 20:52 francis Resolution open => fixed
2020-05-07 20:52 francis Fixed in Version => 5.0.0
2020-05-07 20:52 francis Note Added: 0014308