
TOTP-based Two Factor Authentication Passed QA

In a previous blog post, I told you about our experiments with TOTP-based two factor authentication. It has proven functional in the Cockpit and in the Web Client, so we're preparing the promotion to production.

The promotion to production will require some reconfiguration of various pieces of infrastructure, not least the Cockpit and Web Client. It'll also mean we need to prevent people with a second factor configured from logging in to IMAP, POP, Managesieve, Submission, CalDAV, CardDAV, WebDAV and ActiveSync.

But Why?

Imagine you configure a second factor for your account. Now, you are required by the web client to supply your username, password and the TOTP code.

Now imagine you log on to the web client in a dodgy Internet cafe that uses key logging software to get your username and password.

While they'll also get the TOTP code, it's valid only once, for just under a minute, and they won't be able to generate a new one. With the username and password though, they might still log on to IMAP directly (and thus get to your data), unless we either:

  • Block logins against IMAP for 2FA users,
  • Find some way to have regular client applications support TOTP-based second factor authentication (hint: they don't, and they can't).

What Else?

Our support team is preparing FAQs, Knowledge Base articles and similar documentation for Users and Group Managers — including recommendations on how to recover from a stolen or lost smartphone, and instructions for Group Managers to reset a misplaced second factor device on behalf of a domain's users.

Furthermore, we'll need to ensure we roll the change over the various other pieces of infrastructure in proper fashion — meaning, without any disruption. That being said, we should be able to do so before the end of the week.

Stay tuned!