PHPackages bennet0496/kolab\_2fa - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [Authentication & Authorization](/categories/authentication) 4. / 5. bennet0496/kolab\_2fa ActiveRoundcube-plugin[Authentication & Authorization](/categories/authentication) bennet0496/kolab\_2fa ===================== Kolab 2-Factor Authentication with Webauthn 4.0.7(3mo ago)013AGPL-3.0-or-laterPHPPHP >=8.2 Since Jan 13Pushed 3mo agoCompare [ Source](https://github.com/bennet0496/kolab_2fa_webauthn)[ Packagist](https://packagist.org/packages/bennet0496/kolab_2fa)[ Docs](https://github.com/bennet0496/kolab_2fa_webauthn)[ RSS](/packages/bennet0496-kolab-2fa/feed)WikiDiscussions main Synced 1mo ago READMEChangelogDependencies (6)Versions (9)Used By (0) Kolab Multi-Factor Authentication Plugin Fork ============================================= [](#kolab-multi-factor-authentication-plugin-fork) The plugin is designed to be a generic container for different 2nd factor authentication mechanisms paired with different ways to store the related data for Roundcube user accounts. Both drivers and storage backends are derived from abstract classes which define the common interface and are configurable. Forked to support Webauthn authentication. Also added authenticator selection for High Security dialog in settings, as well as verifying login (password) before prompting for 2FA. This prevents easy user enumeration, as sending down Webauthn "allowCredentials" before proper authentication, while not security critical would be definite proof of a user's existence. This Fork can not be used at the same time as the base version due to Class naming conflicts. However, it can be used as a drop-in replacement, as reuse of previously saved TOTP/HTOP/Yubikey tokens should just work. **Please back up your database before migrating!!!** Drivers ------- [](#drivers) Multiple methods for 2nd factor authentication can be enabled for the users to select from. This implementation covers TOTP, HOTP and Yubikey methods form the original implementation as well as Webauthn. TOTP (RFC 6238) and HOTP (RFC 4226) can be used in conjunction with freely available mobile phone apps like FreeOTP (TOTP only!) or Google Authenticator. To provision the app with your account settings, a QR code is displayed which can be scanned with the mobile phone camera. The Yubikey driver uses the Yubico Validation Service either by using the public YubiCloud API or another locally hosted verification server. The host(s) to use for validation are configurable. The Webauthn driver uses FIDO/U2F compliant authenticators or passkeys. Administrators may select with kind of authenticators to allow. I.e. cross-platform authenticator (like a Yubikey) or platform authenticator like Windows Hello or Touch ID. Aswell as whether user authentication (PIN entry/Biometrics) on the authenticator is required. Storage Backends ---------------- [](#storage-backends) Some authentication methods require to store secret data per user account on the server. For this, one of different storage backends can be selected: **Roundcube** The simplest way is to store authentication secrets and configuration in the user preferences of Roundcube itself. **LDAP** For an external storage option, the LDAP module can be used. This keeps the authentication data separated from the Roundcube user database. See //LDAP Storage// below for more information. The LDAP connection parameters are defined through the `kolab_2fa_storage_config` config option. **Untested with Webauthn**. Also, probably not useful for Webauthn as the "Phishing proof" nature due to cryptographic domain validation will probably not make them useful in other applications. Installation ------------ [](#installation) After placing the plugin contents into Roundcube's plugins directory, the 3rd party libraries need to be installed using Composer: ``` $ composer require "endroid/qrcode" "~1.5.0" --no-update $ composer require "spomky-labs/otphp" "~5.0.0" --no-update $ composer require "enygma/yubikey" "~3.2" $ composer require "web-auth/webauthn-lib" "^5.2" ``` See the `composer.json` file for the actual module names and versions. Configuration ------------- [](#configuration) Copy the sample `config.inc.php.dist` file into `config.inc.php` and adjust the settings according to your desired setup. All options are described with inline comments directly in the sample file. When using the LDAP storage together with a Kolab installation, you may want to save an additional LDAP lookup for authentication factors on every login, the LDAP driver can assign roles to the user record when registering authentication factors (see `user_roles` storage config option). With the following additions to the `kolab_auth` plugin config, these roles can be used to determine whether the user has multifactor authentication enabled: ``` // Disable lokkups by default: $config['kolab_2fa_check'] = false; // Enable 2nd factor lookup on a role-by-role basis $config['kolab_auth_role_settings'] = array( 'cn=totp-user,dc=example,dc=org' => array( 'kolab_2fa_check' => array( 'mode' => 'override', 'value' => true, ), ), ); ``` LDAP Storage ------------ [](#ldap-storage) Define an `organizationalunit` with DN `ou=Tokens,dc=example,dc=org` to store all authentication tokens. For token records, the \[\[ | FreeIPA OTP schema\]\] can be used. Please install this schema in your Kolab LDAP directory. This is an example record for a TOTP token registered to user : ``` dn: ipatokenUniqueID=totp:c4a1ced768a0da55df662e73,ou=Tokens,dc=example,dc=org objectClass: top objectClass: ipaToken objectClass: ipatokenTOTP objectClass: ldapSubEntry cn: Mobile App (TOTP) ipatokenUniqueID: totp:c4a1ced768a0da55df662e73 ipatokenOwner: uid=doe,ou=People,dc=example,dc=org ipatokenNotBefore: 201506110211Z ipatokenOTPkey: 4T5CI7SOKWYQ5JTM ipatokenDisabled: TRUE ``` ### Health Score 38 — LowBetter than 85% of packages Maintenance78 Regular maintenance activity Popularity6 Limited adoption so far Community10 Small or concentrated contributor base Maturity52 Maturing project, gaining track record Bus Factor1 Top contributor holds 50% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~0 days Total 8 Last Release 116d ago PHP version history (2 changes)4.0.0PHP >=8.1 4.0.1PHP >=8.2 ### Community Maintainers ![](https://www.gravatar.com/avatar/c24146bfa454c72a4142d06b8d49d55dd638d91bb3bd7e53a7221b945ac5a1aa?d=identicon)[bennet0496](/maintainers/bennet0496) --- Top Contributors [![bennet0496](https://avatars.githubusercontent.com/u/4955327?v=4)](https://github.com/bennet0496 "bennet0496 (46 commits)")[![alecpl](https://avatars.githubusercontent.com/u/546788?v=4)](https://github.com/alecpl "alecpl (43 commits)")[![cmollekopf](https://avatars.githubusercontent.com/u/8376746?v=4)](https://github.com/cmollekopf "cmollekopf (2 commits)")[![dhoffend](https://avatars.githubusercontent.com/u/466581?v=4)](https://github.com/dhoffend "dhoffend (1 commits)") ### Embed Badge ![Health badge](/badges/bennet0496-kolab-2fa/health.svg) ``` [![Health](https://phpackages.com/badges/bennet0496-kolab-2fa/health.svg)](https://phpackages.com/packages/bennet0496-kolab-2fa) ``` ### Alternatives [jeffgreco13/filament-breezy A custom package for Filament with login flow, profile and teams support. 1.0k1.7M41](/packages/jeffgreco13-filament-breezy)[scheb/2fa Two-factor authentication for Symfony applications (please use scheb/2fa-bundle to install) 578630.7k1](/packages/scheb-2fa)[vonage/jwt A standalone package for creating JWTs for Vonage APIs 424.1M4](/packages/vonage-jwt)[scheb/2fa-google-authenticator Extends scheb/2fa-bundle with two-factor authentication using Google Authenticator 298.2M30](/packages/scheb-2fa-google-authenticator)[microsoft/kiota-authentication-phpleague Authentication provider for Kiota using the PHP League OAuth 2.0 client to authenticate against the Microsoft Identity platform 153.2M7](/packages/microsoft-kiota-authentication-phpleague)[born05/craft-twofactorauthentication Craft 4 plugin for two-factor or two-step login using Time Based OTP. 36100.1k1](/packages/born05-craft-twofactorauthentication) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)