Adding Two-Factor Authentication to Roundcube

Posted by keith.wirch at June 28, 2014

Category: Email, Linux, Servers

Some of you may know I made my own email server.  I’ll not explain why yet (maybe in another blog post).  But it involves the decisions of a certain government agency overreaching its bounds!  Not gonna go into that right now.

I use Roundcube to have webmail access.  Having webmail just makes me uneasy because while it is convenient, it is also a huge security risk.  So I started using two-factor authentication.  I found a tutorial in a series that Ars Technica had up and I’m taking what I learned from them and applying it here.  This two-factor authentication is done by using a plugin for Roundcube called twofactor_gauthenticator.  I don’t really get why it says it uses Google Authentication when it really just uses RFC 6238 for TOTP (Time-Based One-Time Passwords), which is really all that the Google Authenticator does, I believe.  Maybe Google came up with the RFC?  I dunno.  But it doesn’t really matter.  This plugin works with any application that uses RFC 6238, including the Windows Phone apps, which is what I use.

Now on to what you likely used a search engine to get here for.

This plugin will require php-soap according to the documentation.  It’s quite easy to get on Debian by using apt-get install php-soap.  You Red Hat folks can probably use yum.

First you will need to log in to your Linux server and navigate to your Roundcube plugin location.  On Debian servers, it is /usr/share/<your web server>/roundcube<version number>/plugins.

Then “git” the plugin.  You’ll need git in order to do this.  apt-get install git will grab it.  Then run this command.

git clone

Make sure you have permissions to write to this folder. Then do an ls -l to make sure that the permissions on twofactor_gauthenticator match the rest of the plugin folders in this directory. Lastly, go back to the Roundcube install folder (/usr/share/<your web server>/roundcube<version number>) and drop into the config folder. Open your main config file for editing and add twofactor_gauthenticator to the last line mentioning your plugins.

It should look something like this:
$config['plugins'] = array('plugin1', 'plugin2', 'twofactor_gauthenticator');

Then just restart your web service. That’ll restart PHP and the like. Now log in to Roundcube and go to your settings. You should see “2steps Google Verification” like you see below.

Generate a secret and, for the love of Pete, set a recovery code. If you lose your phone or key somehow, you are stuck! So stuck! Once you get your phone app set up, be sure to check your code at the bottom to make sure that it works. Once you hit save, log in again and Roundcube will ask for your new code. Enjoy the peace of mind, my friends!
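
Here is what any RFC 6238 app computes from that secret, and what a server-side check with a small clock-drift window looks like. This is an added example, not code from the twofactor_gauthenticator plugin; the function names, the one-step drift window and the sample secret (the RFC test key) are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length most authenticator apps display

# Constructed sample secret: the RFC 6238 SHA-1 test key, base32-encoded the
# way it would be typed or scanned into a phone app. Never use it for real.
SECRET = base64.b32encode(b"12345678901234567890").decode()

def _key(secret_b32: str) -> bytes:
    """Decode a base32 secret, tolerating spaces, lower case and missing padding."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(secret_b32: str, now: float, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP where the counter is floor(unix_time / STEP)."""
    return hotp(_key(secret_b32), int(now) // STEP, digits)

def verify(secret_b32: str, code: str, now: float, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps of clock drift."""
    key, counter = _key(secret_b32), int(now) // STEP
    ok = False
    for drift in range(-window, window + 1):
        if counter + drift < 0:
            continue
        # compare_digest keeps the comparison constant-time
        ok |= hmac.compare_digest(hotp(key, counter + drift), code.strip())
    return ok

if __name__ == "__main__":
    now = time.time()
    code = totp(SECRET, now)
    print("code now:", code, "accepted:", verify(SECRET, code, now))
    print("same code 2 minutes later:", verify(SECRET, code, now + 120))
```

If the phone and server clocks differ by more than the window allows, a correct secret still yields a rejected code, so keep both synced with NTP.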


  1. orgunsky says

    Good post, thanks for taking the time to write it.
    Two words however:
    – don’t be really scared if you lose access. Just go to the Roundcube database, find the table named “users” and edit it. Choose the right user and find the line where the twofactor_gauthenticator wrote "activate";b:1 and replace it with "activate";b:0. Go back to your Roundcube login page and you again have the 1-step (login + password) authentication.
    – I finally removed this plugin because the two-factor authentication is useless on Roundcube if it isn’t available for the IMAP server itself. If someone has your login and password, he/she should directly connect to the IMAP server with any IMAP client (Outlook, Thunderbird … or his/her mobile phone app).

  2. Fraidon says

    Hi Keith,

    It is a very nice post from you. Great job! Thank you.

    Could you please tell us how to force users to use twofactor gauthenticator?
    Second, how to prevent users from disabling twofactor gauthenticator in the tab settings > 2 steps Google… ?



  3. raghunath says

    Hi ,
    I have followed your KB and successfully installed this. But now when I scan the QR code it shows an incorrect code error. May I know why?

    Also it shows 2-twofactor_gauthenticator in Roundcube, not 2steps Google Verification. Is that an issue?

    Please help

  4. Rama says

    This is a nice idea, but won’t fix security. Why? This does not protect IMAP, POP, SMTP. Once they get your username / password, they don’t need webmail anymore, they simply use those credentials to access email directly, and can send, receive email (bypassing webmail use altogether). 😉

