2Steps Google verification

This RoundCube plugin adds Google 2-step verification to the login process.

You can use google-authenticator to generate the secret and insert it into the config, along with recovery codes.

Some code by: Ricardo Signes, Justin Buchanan, Ricardo Iván Vieitez Parra

GoogleAuthenticator class by Michael Kliewe (to see secrets)

qrcode.js by ShimSangmin

Also thx to Victor R. Rodriguez Dominguez for some ideas and support

Login

2Steps

Installation

Configuration

Go to the Settings task and activate (and save) the plugin in the "2steps Google verification" menu.

The plugin automatically creates the secret if you don't do so yourself.

To add accounts to the app, you can use the QR-Code (easy-way) or type the secret.

Settings by default

Settings OK

QR-Code example

You can also add "Recovery codes" for one-time use (they are deleted once used). Recovery codes are OPTIONAL, so they may not appear.

Recovery codes

Check codes

Recovery codes

Enrollment Users

If the config value force_enrollment_users is true, ALL users need to log in with the 2-step method. They receive an alert message about this, and they can't skip it without saving the configuration.

Samefield

If the config value 2step_codes_on_login_form is true, 2-step codes (and recovery codes) must be sent from the login screen in the password field, appended to the password: "normal" codes directly after the password (passwordCODE), recovery codes after two pipes (password||RECOVERYCODE).

Currently only in the samefield branch.

Codes

Codes have a 2*30 seconds clock tolerance, the same as the default in the Google app (this may become editable in future versions).
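How a tolerance window like this is checked, as an added Python example that is not the plugin's own PHP code. It assumes "2*30 seconds" means codes from two 30-second steps either side of the server clock are accepted; the function names and the `last_used` replay guard are illustrative additions, and the secret is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length shown by the Google app
WINDOW = 2   # assumption: "2*30 seconds" = two steps either side of now


def totp(secret_b32, counter):
    """HOTP value (RFC 4226, HMAC-SHA1) for one time-step counter."""
    secret = secret_b32.upper().replace(" ", "")
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32, code, now, last_used=-1):
    """Return the matching time-step counter, or None if the code is rejected.

    last_used (hypothetical per-user state) is the counter of the last accepted
    code; steps at or below it are refused so a code cannot be replayed while
    it is still inside the tolerance window.
    """
    if len(code) != DIGITS or not (code.isascii() and code.isdigit()):
        return None
    current = int(now) // STEP
    matched = None
    for counter in range(max(0, current - WINDOW), current + WINDOW + 1):
        # Constant-time comparison; check every candidate, no early exit.
        same = hmac.compare_digest(totp(secret_b32, counter), code)
        if same and counter > last_used:
            matched = counter
    return matched


# Constructed sample secret: the RFC 6238 SHA-1 test key, base32-encoded.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    code = totp(SECRET, 59 // STEP)  # code for the step containing t=59
    for now in (59, 119, 120):       # same step, two steps on, three steps on
        print(now, verify(SECRET, code, now))
```

Storing the returned counter per user and passing it back as `last_used` on the next login is what stops an observed code from being reused during the remaining window.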

License

GPLv2, see License

Notes

Tested with RoundCube 0.9.5 and Google app. Also with Roundcube 1.0.4

Remember, time synchronization is essential for TOTP: "For this to work, the clocks of the user's device and the server need to be roughly synchronized (the server will typically accept one-time passwords generated from timestamps that differ by ±1 from the client's timestamp)" (from http://en.wikipedia.org/wiki/Time-based_One-time_Password_Algorithm)

Author

Alexandre Espinosa Menor [email protected]

Issues

Open issues using GitHub; please don't send me emails about that, since Gmail usually marks such messages as SPAM.

Testing

You can use https://github.com/alexandregz/vagrant-twofactor_gauthenticator