MFA 2FA TOTP razz-ma-tazz!

WJCarpenter bill-dovecot at carpenter.org
Sat Oct 22 16:32:47 UTC 2016


I'd like to start offering my server's users multi-factor 
authentication. Right now, I funnel all authentication through dovecot. 
Before I get too far down the fantasy design path, I'm wondering if 
anyone else has already done this and could share some details or code. 
(I loaded up the subject line with acronyms to show how serious I am. :-))

I am specifically thinking of two-factor authentication using TOTP 
(time-based one-time passwords) as described in RFC-6238. Those are the 
ones compatible with Google Authenticator and compatible apps. I already 
am a user of those at several sites. Some of them don't have a separate 
opportunity to enter the 6-digit code. Instead, you append the 6-digit 
code to your normal password. If your config on the site shows you as a 
user of TOTP, they peel those trailing 6 digits off your password and 
then validate the rest of the password in the normal way. That is what I 
think I would do for dovecot authentication.

So, who's already done this or something like it?
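
The append-the-code scheme described in the message above, as an added example that is not part of the original post and not dovecot code: peel the trailing 6 digits only for users enrolled in TOTP, then check both factors. The `user` record layout, the PBKDF2 password hash, the one-step clock window and the `last_counter` replay check are assumptions made for illustration.

```python
import hashlib, hmac, struct

STEP, DIGITS = 30, 6  # RFC 6238 defaults used by Google Authenticator

def totp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP value for one time-step counter (HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def pw_hash(password: str, salt: bytes) -> bytes:
    # Assumed password scheme; a real deployment uses its existing one.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def authenticate(user: dict, supplied: str, now: int, window: int = 1) -> bool:
    """user (hypothetical): salt, pw_hash, totp_secret or None, last_counter."""
    secret = user.get("totp_secret")
    if secret is None:
        # Not enrolled: never peel digits, the whole string is the password.
        return hmac.compare_digest(pw_hash(supplied, user["salt"]), user["pw_hash"])
    code = supplied[-DIGITS:]
    if len(supplied) <= DIGITS or not (code.isascii() and code.isdigit()):
        return False
    password = supplied[:-DIGITS]
    pw_ok = hmac.compare_digest(pw_hash(password, user["salt"]), user["pw_hash"])
    current = now // STEP
    matched = None
    for counter in range(current - window, current + window + 1):
        # Accept only counters newer than the last one used (replay protection).
        if counter > user["last_counter"] and hmac.compare_digest(totp(secret, counter), code):
            matched = counter
    if pw_ok and matched is not None:
        user["last_counter"] = matched  # burn this code
        return True
    return False

# Constructed sample user; the secret is the RFC 6238 test key.
SALT = b"constructed-salt"
alice = {"salt": SALT, "pw_hash": pw_hash("hunter2", SALT),
         "totp_secret": b"12345678901234567890", "last_counter": -1}
```

Because mail clients retry and cache the password string, a client that stores `password+code` will fail on its next connection once the code expires or has been used.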
