[Users] Does anyone knows how to setup 2FA on Open source? We are also using Zextras.

Ludo ludo at nomennesc.io
Wed Oct 25 19:56:57 CEST 2017


PrivacyId3a [1] is a platform for managing two-factor tokens that integrates very nicely with simplesamlphp; I have it running in production on a setup elsewhere as well to have 2FA on Zimbra.
A major problem however is that this only tackles webmail. Other protocols like IMAP, activesync, SMTP, etc. will still accept login/password without second factor.
To somewhat overcome this problem, I have Zimbra configured to authenticate to an external LDAP, separate from the simplesaml/privacyid3a chain. On this LDAP users are allowed to generate multiple userPassword entries (userPassword is a multi-value attribute in OpenLDAP) to create specific passwords to use for configuring their mail clients. These are long random passphrases that users only configure once and then forget, making them not quite as susceptible to phishing. The alternative would be to disable all services except for webmail.

Kind regards,

Ludo


[1] https://www.privacyidea.org


On Wed, Oct 25, 2017 at 07:25:28PM +0200, Barry de Graaff wrote:
> funny, we use phpsimplesaml with pre-auth as well and do have some 2FA standing by, but have not rolled that one 
> out to prod in fear of support calls :-p 
> 
> Kind regards, 
> 
> Barry de Graaff 
> Zeta Alliance Founder 
> zetalliance.org | github.com/Zimbra-Community 
> 
> +31 617 220 227 
> Fingerprint: 97f4694a1d9aedad012533db725ddd156d36a2d0 
> 
> 
> From: "Stefan Sänger" <stefan.saenger at gr13.net> 
> To: users at lists.zetalliance.org 
> Sent: Wednesday, 25 October, 2017 19:24:08 
> Subject: Re: [Users] Does anyone knows how to setup 2FA on Open source? We are also using Zextras. 
> 
> 
> 
> Hi All, 
> 
> well - I have been using simplesamlphp to actually perform 2FA - and yes, it also included preauth... If anybody is interested I can share the old code, since it was only a POC about 2 years ago... 
> 
> best regards, 
> 
> Stefan 
> 
> On 25.10.2017 19:21, Zeta Alliance Info wrote: 
> 
> 
> 
> Hi Dean, 
> 
> Not sure, some pre-authentication hacks come to mind, I will forward your request to the mailing list 
> you can subscribe to get the answers here: https://lists.zetalliance.org/mailman/listinfo/users_lists.zetalliance.org
> 
> Does anyone knows how to setup 2FA on Open source? We are also using Zextras. 
> 
> 
> 
> 
> From: deanw at hostedincanada.com
> To: info at zetalliance.org
> Sent: Wednesday, 25 October, 2017 16:30:19 
> Subject: 2FA 
> 
> Morning Zeta Alliance, 
> 
> Just wondering if anyone knows how to setup 2FA on Open source? We are also using Zextra. 
> 
> Thanks! 
> 
> Dean Wolf C.C.P. 
> Director of Marketing 
> 
> 
> Ph: 403. 730.2040 (x207) 
> Toll free: 1-866.730.2040 
> 
> Need support now? Click here: http://support.hostedincanada.com/help/index.php
> 
> 
> 
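
The per-client password scheme described at the top of this message, as an added example that is not code from the thread or from any of the projects named in it. It goes slightly beyond the message by also showing removal of a single value; the DN is a constructed sample, the function names are hypothetical, and the {SSHA} scheme and the any-value-matches bind check are assumptions about how the external OpenLDAP is set up.

```python
import base64
import hashlib
import os
import secrets

def ssha(password, salt=None):
    """OpenLDAP {SSHA} value: base64(SHA1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(candidate, stored):
    """Verify a candidate password against one stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        raw = base64.b64decode(stored[6:], validate=True)
    except ValueError:
        return False
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, rest is salt
    expected = hashlib.sha1(candidate.encode() + salt).digest()
    return secrets.compare_digest(expected, digest)

def bind_ok(candidate, user_password_values):
    """Model of a simple bind: succeeds if any userPassword value matches."""
    return any(check_ssha(candidate, v) for v in user_password_values)

def new_client_password(dn):
    """Return (passphrase, hashed value, LDIF adding one more userPassword)."""
    passphrase = secrets.token_urlsafe(32)  # 256 random bits, 43 characters
    value = ssha(passphrase)
    ldif = (f"dn: {dn}\nchangetype: modify\n"
            f"add: userPassword\nuserPassword: {value}\n")
    return passphrase, value, ldif

def revoke_ldif(dn, value):
    """LDIF deleting exactly one userPassword value (one mail client)."""
    return (f"dn: {dn}\nchangetype: modify\n"
            f"delete: userPassword\nuserPassword: {value}\n")

if __name__ == "__main__":
    dn = "uid=alice,ou=people,dc=example,dc=org"  # constructed sample DN
    passphrase, value, ldif = new_client_password(dn)
    print("Show once to the user:", passphrase)
    print(ldif)
    print(revoke_ldif(dn, value))
```

The printed LDIF is the kind of input `ldapmodify` takes; because each client has its own value, a lost phone or laptop can be cut off without touching the other entries.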



