Experimenting with TOTP Two Factor Authentication

We’re currently experimenting with an implementation of TOTP-based two-factor authentication, allowing our customers to use a second factor.

Until now, Kolab Now required its users to supply a username and a password. This is considered only a single factor, since the username is your email address and thus known to third parties.

User accounts could, in the near future, be configured to require a second factor; if the password to the account is something you know, then a second factor is something you have — in our case, a smartphone with an app.

It comes with a few caveats; only the web client supports two-factor authentication (2FA). User accounts that are configured to require a second factor will therefore be blocked at the IMAP, POP, ActiveSync, CalDAV, CardDAV and WebDAV level. In other words, a 2FA account can only use the web client.

Stay tuned for updates on the implementation timeline, where we implement this new functionality in production.

4 thoughts on “Experimenting with TOTP Two Factor Authentication”

  1. Sounds good, though perhaps unique device specific one-use passwords could solve the problem where 2FA accounts are blocked on every level which isn’t webmail?

    Webmail is supplementary to my mail experience, not core, except for when at work where I’d rather not configure a personal IMAP account as it’s not my property.

    If 2FA with one use passwords comes in the future this would be awesome.

  2. +1 for the comment of Reuben James.
    Although I mostly use the web client for writing e-mails due to a lack of working OSS desktop solutions on Win10 (waiting for Kube, actually), the synchronization with CalDAV et al. is absolutely essential for all the mobile stuff.

    But anyway it’s good to hear that you are working on 2FA!

  3. 2FA is a great idea, in itself.
    The experience I have using 2FA is with Gmail and its two-step verification process, using a cellphone to verify account ownership. This works well and it allows text or voice message to transfer a login code. A new code is provided, seemingly randomly generated, at each login attempt.
    There are problems with it however, which I will share below:
    1) Cellphones are way insecure and I now get the gmail login code from two different origin tel numbers and google will not or cannot explain this.
    2) It has been easy to get locked out of the account if the cellphone becomes unavailable or is not working etc etc.
    With problem #1) above, suggest strong login records showing who is logging in or who has logged in & when, with a record of the login Internet addresses being made available to the account owner, in the back office. This should include a system to warn of simultaneous login attempts and to warn all login attempters if someone else was successful first. Accounts should only be accessible from one MAC address, at any time. Also, using time checks to prevent bot login attempts is a good idea – only an attempt approx. every 6 seconds is allowed etc etc.
    Problem #2 above is best addressed by having a slick support system which can address this issue immediately, with an emergency login arrangement. Only let people who login with an emergency password see current and future emails only, until ownership is truly revealed.
    Also, users should keep a backup cheapie, flipphone at home, just for this emergency 2fa activity. Support could give full access to email if the code is sent to an already documented, backup flip-phone, instead of the lost or broken main, smartphone.
    The phones that are registered to the account plus the backup email should be sent a message that emergency login is in play, until account ownership is truly revealed.
    *
    Hope this assists !
    best – geeken

    1. Hi geeken,

      If losing the phone is a concern, effectively losing the second factor, our recommendation is to take a picture of the second factor QR code, print it, and delete the picture. Store the printed copy off-line, i.e. next to your passport, ID card, marriage license, birth certificate and/or other important documents.

      This would allow you to recover from a factory reset or loss of the phone — using the replacement.

      An alternative is to configure two separate second factors, and only print and store off-line the second one. This way, your path to recovery absent the primary second factor is even smoother.
