Google Authenticator Plugin

Google Authenticator Plugin

Alexey Shpakovsky

I started developing plugin for 2-step authentication using Time-based
One-Time-Passwords (TOTP) generated by Google Authenticator app for mobile
phones (wiki says it's actually a subset of RFC6238 and not a proprietary

It's based on Yubikey plugin and it's my first plugin so please feel free
to tell me if I'm doing something wrong (ok, I just found - that should be
next on my list).

It works with 1.4.x branch only and there are some issues which I
intend to fix, but I'd also like to hear some feedback.

How to test it:
1. You need iPhone or Android phone with Google Authenticator app
installed. On Linux, you can probably also use oathtool
2. Download,
extract it and install as usual.
3. Go to Options - Personal Information and look at the bottom - there
will be "Google Authenticator" section
4. Click the link to generate key - it will show you a QR code
5. Scan the QR code using Google Authenticator app on your phone
6. Sign Out of SquirrelMail
7. On the login form, there is a new field for entering one-time password
generated by app on the phone

Feel free to write your comments, suggestions, etc!


Android app:

iPhone app:

Linux command-line tool:

Download link, once again:

Wiki page:


Re: Google Authenticator Plugin

Craig S.

I was planning on getting Google Authentication working with SquirrelMail and then found your plugin. So I installed your plugin the other day and it works well.

Since I already had an idea of what I wanted it to do I modified your plugin a little for these changes.

(1) If you are not using Authenticator and someone enters a code, give the same error message as a bad username or password.

(2) When you change the key, have it generate a new key automatically but use a form field so that it can also be manually entered.

(3) When you submit the new key, give the option of entering your password. If your password is entered the secret key will be encrypted and not stored in clear text in the username.pref file.

(4) Have a page that displays the current 6 digit code, entering your password would be required on this page if you chose to have the secret key encrypted. That way you can make sure everything is working correctly and that your phone generates the same code before you log out.

(5) Store the last used code in the username.pref file. When you log in check that the code wasn't just used. That way it can only be used once.

Thanks for writing your plugin. I haven't written a plugin before but reading through your code gave me a good idea how it worked and it was fairly easy to make the minor changes that I wanted to try.
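As an added example (not code from either post or from the plugin), here is a minimal RFC 6238 verifier in Python using the Google Authenticator defaults (base32 secret, HMAC-SHA1, 30-second step, 6 digits) together with Craig's change (5): remembering the last accepted time step so a code cannot be replayed. The secret and timestamps are the RFC 6238 / RFC 4226 test vectors, and the in-memory `last_counter` attribute stands in for the value the plugin would persist in username.pref.

```python
import base64
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 SHA-1 test key "12345678901234567890", base32-encoded.
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (T0 = 0)."""
    return hotp(secret_b32, int(for_time) // step, digits)


class TotpVerifier:
    """Verifies codes and refuses any time step at or before the last accepted one."""

    def __init__(self, secret_b32: str, window: int = 1, step: int = 30):
        self.secret = secret_b32
        self.window = window          # accept +/- this many steps of clock skew
        self.step = step
        self.last_counter = None      # hypothetical stand-in for the stored "last used code"

    def verify(self, code: str, now: int) -> bool:
        counter = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            # Replay guard: a step already consumed (or older) is never valid again.
            if self.last_counter is not None and candidate <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate   # in the plugin: write to username.pref
                return True
        return False
```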