I'd like to start offering my server's users multi-factor authentication. Right now, I funnel all authentication through dovecot. Before I get too far down the fantasy design path, I'm wondering if anyone else has already done this and could share some details or code. (I loaded up the subject line with acronyms to show how serious I am. :-)) I am specifically thinking of two-factor authentication using TOTP (time-based one-time passwords) as described in RFC-6238. Those are the ones compatible with Google Authenticator and compatible apps. I already am a user of those at several sites. Some of them don't have a separate opportunity to enter the 6-digit code. Instead, you append the 6-digit code to your normal password. If your config on the site shows you as a user of TOTP, they peel those trailing 6 digits off your password and then validate the rest of the password in the normal way. That is what I think I would do for dovecot authentication. So, who's already done this or something like it?