I started developing a plugin for 2-step authentication using Time-based
One-Time Passwords (TOTP) generated by the Google Authenticator app for mobile
phones (wiki says it's actually a subset of RFC6238 and not a proprietary
It works with the 1.4.x branch only and there are some issues which I
intend to fix, but I'd also like to hear some feedback.
How to test it:
1. You need an iPhone or Android phone with the Google Authenticator app
installed. On Linux, you can probably also use oathtool
extract it and install as usual.
3. Go to Options - Personal Information and look at the bottom - there
will be "Google Authenticator" section
4. Click the link to generate key - it will show you a QR code
5. Scan the QR code using Google Authenticator app on your phone
6. Sign Out of SquirrelMail
7. On the login form, there is a new field for entering one-time password
generated by app on the phone
Feel free to write your comments, suggestions, etc!
I was planning on getting Google Authentication working with SquirrelMail and then found your plugin. So I installed your plugin the other day and it works well.
Since I already had an idea of what I wanted it to do I modified your plugin a little for these changes.
(1) If you are not using Authenticator and someone enters a code, give the same error message as a bad username or password.
(2) When you change the key, have it generate a new key automatically but use a form field so that it can also be manually entered.
(3) When you submit the new key, give the option of entering your password. If your password is entered the secret key will be encrypted and not stored in clear text in the username.pref file.
(4) Have a page that displays the current 6-digit code; entering your password would be required on this page if you chose to have the secret key encrypted. That way you can make sure everything is working correctly and that your phone generates the same code before you log out.
(5) Store the last used code in the username.pref file. When you log in check that the code wasn't just used. That way it can only be used once.
Thanks for writing your plugin. I haven't written a plugin before, but reading through your code gave me a good idea how it worked and it was fairly easy to make the minor changes that I wanted to try.
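The login-time check discussed in this thread (an RFC 6238 TOTP as produced by Google Authenticator, plus point (5) of the reply, rejecting a code that was already used), as an added Python example that is not code from the plugin. It assumes the secret is kept in the base32 form the app scans, and it persists the last accepted time-step counter per user instead of the last code, which also blocks reuse of a code that is still inside the acceptance window.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # Google Authenticator's default time step
DIGITS = 6          # the app shows 6-digit codes

# Constructed test secret: base32 of the RFC 6238 test key "12345678901234567890"
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_secret(secret):
    # The app accepts base32 without padding, lower case and spaces; normalise first.
    s = secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key, counter, digits=DIGITS):
    # RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None):
    # RFC 6238: the counter is the number of whole time steps since the Unix epoch.
    t = time.time() if at is None else at
    return hotp(decode_base32_secret(secret), int(t) // STEP_SECONDS)


def verify_totp(secret, submitted, last_counter, at=None, window=1):
    """Return (accepted, new_last_counter) for one login attempt.

    Accepts the current step and `window` steps either side for clock skew,
    but never a step at or before the last accepted one, so a captured code
    cannot be replayed; last_counter is None for a user who has never logged in.
    """
    if not (isinstance(submitted, str) and submitted.isascii()
            and submitted.isdigit() and len(submitted) == DIGITS):
        return False, last_counter
    key = decode_base32_secret(secret)
    t = time.time() if at is None else at
    now_counter = int(t) // STEP_SECONDS
    for counter in range(now_counter - window, now_counter + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue  # already used (or older than a used one): reject as replay
        if hmac.compare_digest(hotp(key, counter), submitted):
            return True, counter  # caller persists this in the user's prefs
    return False, last_counter
```

The caller must store the returned counter before reporting success, otherwise the replay check is ineffective.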