Two Factor Authentication (2FA) at Kolab Now

NOTE: Please read the full article before proceeding with the configuration!

What is Two Factor Authentication

Two Factor Authentication (2FA) is a method that requires the input from two different sources for the authentication of a user on a system. Often these two factors are “something that you know” (your password), and “something that you have” (your smart-phone); Authentication now consists of confirming you know the combination of the username and password, and you have the smartphone that can generate a valid Time-based One-Time Password.

In contrast to a method which only requires input from one single source, e.g. the password, 2 Factor Authentication provides an extra level of protection, and the use of one-time passwords assures the credentials can not be replayed.

For more information, please take a look at this blogpost and Wikipedia.

2 Factor Authentication (2FA) at Kolab Now

2FA at Kolab Now involves the password prompt and a Time-based One-Time Password (TOTP) algorithm. The preferred provider of the TOTP is FreeOTP; an free and open source app for smart-phones ( It is available for iOS, Android and BlackBerry OS from your favorite app market.

Logging in to Kolab Now with 2FA

When you log in to the Web Client, you are requested to first enter your username and password.

 Upon submission, should a second factor be required for this account already, a new page will request the TOTP code.

Consult the FreeOTP app on your smart-phone and type in the 6 digit code presented.

You are now authenticated and logged in.

Configuring 2FA for a Single User Account

First enable 2 Factor Authentication in the Cockpit. Log in, find the ACCOUNT tab, and click EDIT ACCOUNT SETTINGS.

Find the 2 Factor Authentication checkbox and check it. Do not forget to click UPDATE

Login to the Web Client, and go to Settings -> Multi-Factor Auth, and select Mobile app (TOTP) from the drop-down menu.

A QR code appears with a name field and a verification field.

Give the token a meaningful name, such as the device this TOTP is configured for and…


..before clicking SAVE

   Open FreeOTP on the smart-phone, Press the little QR code icon in the top bar of the app, and fit the QR code into the given frame. FreeOTP will provide you a verification code that you enter in the verification code field.

NOTE: Applications like FreeOTP will prevent you from creating a screenshot on the smart-phone itself.

The TOTP token is now registered on the Kolab Now server, and 2FA is enabled for this user. The next time the user logs in, a TOTP code will be required.

Group Manager Accounts

A Group Manager is administering one or more user accounts through the HOSTING tab in the cockpit. When a Group Manager creates a new account, 2FA is not enforced. The Group Administrator will need to check the checkbox in the users profile, and the new user will need to go through the configuration.

Some older Group Manager Accounts has a specific admin user for administration, which is not a full user account (admin@yourdomain.tld can login to the cockpit, but not to the webmail).  Such accounts can not configure authentication to require a 2nd factor for the admin account (“admin@yourdomain.tld”).

Tips & Tricks

Using 2FA can give the impression that the value of the password is “less than before”. This is not the case. Users should always strive to make passwords as secure as possible;

If the smart-phone is lost, the TOTP token generator is lost with it. To make sure that the token can be recreated, and prevent being locked out from the account, it is important to save a printed screenshot of the QR code off-line before entering the verification code during configuration. A good location for such a printed copy would be next to your passport, marriage license, birth certificate, and such other important documents.

An alternative approach to printing your primary TOTP QR code for off-line storage is to create a secondary TOTP, and store that one off-line instead.

User accounts that are configured to require 2FA at login will only be able to use the web client, and will be blocked at the IMAP, POP, ActiveSync, CalDAV, CardDAV and WebDAV level.



Posted in Documentation and tagged , , , , .


  1. It’s great to finally see 2FA becoming available in Kolabnow. However, I think until there is the option to keep IMAP / ActiveSync etc. working, probably using application-specific passwords, as Google and Office 365 do, this implementation will not meet most potential users’ needs. Is the current implementation part of a phased approach, with the ability to provide access to client applications other than the web interface still to come?

    • Other solutions and service providers do not use the same Free Software we do — we use LDAP to store the user credentials, and supplemental access credentials would be valid across all applications.

      In other words, we could allow users to specific additional passwords, but those passwords would not be application-specific.

      I’m developing plans to implement 2FA properly, but I also have to take in to account a migration scenario for Kolab Now specifically.

    • I agree too. Two-stage verification is just as important as IMAP. If you can’t get rid of the web interface, it’s almost useless.

  2. While I really enjoy having 2FA on most of my devices and servers, my Kolabnow account can’t be used on my desktop with the IMAP restriction. However could there be plans or consideration to allow kolabnow to allow IMAP/sync/ local access from a third party such as outlook or thunderbird usage using a FIPS140-2 or FIDO2 U2A public/private stick or token (such as yubi or titan) for 2FA authentication?

    • Yes, we’re working hard on providing a proper, Free Software implementation of doing the same OTP-based 2FA across the board.

      We can definitely start with supporting a Yubikey, but we’d like the solution to be independent from any centralized service.

Leave a Reply

Your email address will not be published. Required fields are marked *