cherubimro/roundcube-fido2
==========================

FIDO2/WebAuthn two-factor authentication for Roundcube Webmail

v1.0.1 (4mo ago) · GPL-3.0-or-later · PHP >=8.1

[Source](https://github.com/cherubimro/roundcube-fido2) · [Packagist](https://packagist.org/packages/cherubimro/roundcube-fido2)

Roundcube FIDO2/WebAuthn Two-Factor Authentication
==================================================

A Roundcube Webmail plugin that adds FIDO2/WebAuthn second-factor authentication using hardware security keys.

Users log in with their password first, then verify with a security key tap as a second factor. Supports YubiKey, Feitian BioPass, SoloKeys, Google Titan, and any FIDO2-compliant authenticator.

Requirements
------------

- Roundcube 1.6+
- PHP 8.1+
- HTTPS (WebAuthn requires a secure context)
- Composer

Installation
------------

### Via Composer (recommended)

From your Roundcube directory:

```
composer require cherubimro/roundcube-fido2
```

If the package isn't on Packagist yet, add the repository first in your Roundcube `composer.json`:

```
"repositories": [
    { "type": "vcs", "url": "https://github.com/cherubimro/roundcube-fido2" }
]
```

### Manual installation

Copy the plugin into your Roundcube `plugins/` directory as `webauthn`:

```
cd /path/to/roundcube
cp -r /path/to/roundcube-fido2 plugins/webauthn
cd plugins/webauthn
composer install --no-dev
```

Copy the example configuration and edit it:

```
cp config.inc.php.dist config.inc.php
```

At minimum, set the relying party ID to match your domain:

```
$config['webauthn_rp_id'] = 'mail.example.com';
```

Enable the plugin in Roundcube's `config/config.inc.php`:

```
$config['plugins'] = ['webauthn', /* other plugins */];
```

The database table is created automatically on first use.

Configuration
-------------

All settings go in `plugins/webauthn/config.inc.php`:

| Setting | Default | Description |
| --- | --- | --- |
| `webauthn_2fa_policy` | `optional` | `off` / `optional` / `required` |
| `webauthn_rp_name` | `Roundcube` | Display name shown to users during ceremonies |
| `webauthn_rp_id` | auto-detect | Domain name (e.g. `mail.example.com`). Must match the domain users access Roundcube on |
| `webauthn_rp_origins` | `[]` | Allowed origins array (e.g. `['https://mail.example.com']`). Empty = auto-detect |
| `webauthn_timeout` | `60000` | Ceremony timeout in milliseconds |
| `webauthn_user_verification` | `preferred` | `preferred` / `required` / `discouraged` |
| `webauthn_attestation` | `none` | `none` / `indirect` / `direct` |
| `webauthn_attachment` | `''` | `''` (any) / `platform` / `cross-platform` |

### Policy modes

- **off** - Plugin disabled entirely.
- **optional** - Users choose whether to enable 2FA in Settings > Security Keys. This is the default.
- **required** - All users with registered keys must pass 2FA. Users without keys are allowed through (so they can register their first key).
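
A stricter `plugins/webauthn/config.inc.php` than the defaults, as an added example that is not shipped with the plugin. It uses only the settings listed above; `mail.example.com` is the README's placeholder domain.

```php
<?php
// plugins/webauthn/config.inc.php (added example, not the plugin's own file)

// Default is 'optional' (each user opts in). 'required' enforces 2FA for every
// user who has a registered key; users without a key are still let through so
// they can register their first one.
$config['webauthn_2fa_policy'] = 'required';

// Pin the relying party ID and the allowed origin explicitly instead of
// leaving both to auto-detection. The RP ID must match the domain users
// access Roundcube on.
$config['webauthn_rp_id']      = 'mail.example.com';
$config['webauthn_rp_origins'] = ['https://mail.example.com'];

// Default is 'preferred'. 'required' makes the authenticator verify the user
// (PIN or biometric) in addition to the touch.
$config['webauthn_user_verification'] = 'required';

// Default is '' (any). 'cross-platform' asks for roaming authenticators
// (hardware security keys) rather than platform authenticators.
$config['webauthn_attachment'] = 'cross-platform';

// Left at their defaults.
$config['webauthn_rp_name']     = 'Roundcube';
$config['webauthn_timeout']     = 60000;   // milliseconds
$config['webauthn_attestation'] = 'none';
```

A key with no PIN or biometric configured cannot satisfy `required` user verification, so set this before users register their keys.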

Usage
-----

### Registering a key

1. Log in to Roundcube.
2. Go to **Settings > Security Keys**.
3. Click **Register New Key**.
4. Enter a name (e.g. "My YubiKey 5") and tap/touch your security key when prompted.
5. If policy is `optional`, toggle **Enable two-factor authentication**.

### Logging in with 2FA

1. Enter your username and password as usual.
2. A verification page appears: "Please insert and tap your security key."
3. Tap your key. On success, you are redirected to your inbox.

### Managing keys

- Register multiple keys for redundancy.
- Delete keys from the settings page.
- When policy is `required`, the last key cannot be deleted.

Database
--------

The plugin creates a `webauthn_credentials` table automatically. SQL schemas for manual creation are in the `SQL/` directory:

- `SQL/mysql.sql`
- `SQL/postgres.sql`
- `SQL/sqlite.sql`

Security
--------

- Challenges are single-use (consumed immediately after verification).
- CSRF protection via Roundcube's built-in request token mechanism.
- Clone detection: signature counter must strictly increase; anomalies are logged and rejected.
- All database queries are scoped to the authenticated user ID.
- The 2FA gate runs on every request via the `startup` hook. Only the verification page, assertion endpoints, and logout are whitelisted while 2FA is pending.
- Credential IDs are stored as raw binary and compared byte-for-byte.
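
The checks in this list, sketched as an added example that is not the plugin's code: a per-request gate, a single-use challenge, strict comparison of binary credential IDs, and counter-based clone detection. Every function, session key and task/action name is hypothetical, and signature verification (done by the WebAuthn library) is not shown.

```php
<?php
declare(strict_types=1);

// Added illustration, not the plugin's code; every name below is hypothetical.

// Requests still reachable while the second factor is pending (assumed names).
const PENDING_ALLOWLIST = ['login/webauthn_verify', 'login/webauthn_assert', 'logout/'];

// Gate decision, meant to be evaluated on every request.
function gate_allows(array $session, string $task, string $action): bool
{
    if (empty($session['2fa_pending'])) {
        return true;
    }
    return in_array("$task/$action", PENDING_ALLOWLIST, true);
}

// State checks around one assertion; returns 'ok' or the reason for rejection.
function check_assertion(array &$session, array &$stored, string $credId,
                         string $challenge, int $counter): string
{
    // Single use: the challenge leaves the session whether or not the attempt succeeds.
    $expected = $session['challenge'] ?? null;
    unset($session['challenge']);
    if ($expected === null || !hash_equals($expected, $challenge)) {
        return 'bad_challenge';
    }
    // Raw binary IDs compared with !==; loose == treats "1e3" and "1000" as equal.
    if ($stored['id'] !== $credId) {
        return 'unknown_credential';
    }
    // Clone detection: the counter must strictly increase; log and reject otherwise.
    if ($counter <= $stored['counter']) {
        error_log("webauthn: counter anomaly ({$stored['counter']} -> $counter)");
        return 'counter_anomaly';
    }
    $stored['counter'] = $counter;
    unset($session['2fa_pending']);
    return 'ok';
}

// Constructed sample data: one pending session and one stored credential.
$session = ['2fa_pending' => true, 'challenge' => random_bytes(32)];
$stored  = ['id' => "\x01\x02\xff", 'counter' => 41];
$c = $session['challenge'];
var_dump(gate_allows($session, 'mail', 'list'));                        // inbox while pending
echo check_assertion($session, $stored, "\x01\x02\xff", $c, 42), "\n";  // fresh challenge
echo check_assertion($session, $stored, "\x01\x02\xff", $c, 43), "\n";  // same challenge again
```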

Supported databases
-------------------

MySQL/MariaDB, PostgreSQL, and SQLite are all supported with matching schemas.

Library
-------

Uses [lbuchs/webauthn](https://github.com/nicklatch/WebAuthn) v2.2 -- a zero-dependency PHP WebAuthn server library.

License
-------

GPL-3.0-or-later (same as Roundcube).

