I'd like to start offering my server's users multi-factor
authentication. Right now, I funnel all authentication through dovecot.
Before I get too far down the fantasy design path, I'm wondering if
anyone else has already done this and could share some details or code.
(I loaded up the subject line with acronyms to show how serious I am. :-))
I am specifically thinking of two-factor authentication using TOTP
(time-based one-time passwords) as described in RFC-6238. Those are the
ones compatible with Google Authenticator and compatible apps. I already
am a user of those at several sites. Some of them don't have a separate
opportunity to enter the 6-digit code. Instead, you append the 6-digit
code to your normal password. If your config on the site shows you as a
user of TOTP, they peel those trailing 6 digits off your password and
then validate the rest of the password in the normal way. That is what I
think I would do for dovecot authentication.
So, who's already done this or something like it?
