
152 Stars 48 Forks MIT License 197 Commits 33 Opened issues


This RoundCube plugin adds 2-step verification (OTP) to the login process.


2Steps verification


It works with all TOTP applications (RFC 6238).

Some code by: Ricardo Signes, Justin Buchanan, Ricardo Iván Vieitez Parra

GoogleAuthenticator class by Michael Kliewe (to see secrets)

qrcode.js by ShimSangmin

Also thx to Victor R. Rodriguez Dominguez for some ideas and support




(Or use composer: HOMERC$ composer require alexandregz/twofactor_gauthenticator:dev-master

NOTE: Answer N when composer asks you about plugin activation)

  • Activate the plugin in HOMERC/config/ $config['plugins'] = array('twofactor_gauthenticator');


Go to the Settings task and in the "2steps Google verification" menu, click 'Setup all fields (needs Save)'.

The plugin automatically creates the secret for you.

NOTE: the secret must contain only valid base32 characters ([A-Z][2-7]), see


To add accounts to the app, you can use the QR-Code (easy-way) or type the secret. After checking the first code click 'Save'.

Settings by default

Settings OK

QR-Code example

Also, you can add "Recovery codes" for one-time use (they are deleted once used). Recovery codes are OPTIONAL, so they can be left blank.

Recovery codes

Check codes

Recovery codes

Enrollment Users

If the config value force_enrollment_users is true, ALL users need to log in with the 2-step method. They receive an alert message about that, and they can't skip it without saving the configuration.


If the config value 2step_codes_on_login_form is true, 2-step codes (and recovery codes) must be sent together with the password, appended to it, from the login screen: "normal" codes directly follow the password (passwordCODE), recovery codes come after two pipes (password||RECOVERYCODE).

Currently only in the samefield branch


Codes have a 2*30 seconds clock tolerance, the same as the Google app's default (may be editable in future versions).
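The base32 check and the clock tolerance described above, as an added Python example that is not the plugin's own PHP code. It assumes "2*30 seconds" means accepting codes up to two 30-second steps either side of the server clock, and it uses the RFC 6238 SHA-1 test key as sample input.

```python
import base64
import hashlib
import hmac
import re
import struct
import time

STEP = 30       # seconds per TOTP time step (RFC 6238 default)
TOLERANCE = 2   # assumption: "2*30 seconds" read as +/- 2 time steps
# Sample input: base32 of the RFC 6238 SHA-1 test key "12345678901234567890"
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32):
    """Reject anything outside the base32 alphabet, then decode to bytes."""
    if not re.fullmatch(r"[A-Z2-7]+", secret_b32):
        raise ValueError("secret must contain only A-Z and 2-7")
    padding = "=" * (-len(secret_b32) % 8)
    return base64.b32decode(secret_b32 + padding)


def totp(key, counter, digits=6):
    """One-time code for a single time-step counter (HMAC-SHA1, RFC 4226)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, code, now=None, tolerance=TOLERANCE):
    """Return the step offset that matched (0 = clocks agree), else None."""
    if not re.fullmatch(r"[0-9]{6}", code):
        return None
    key = decode_secret(secret_b32)
    current = int(time.time() if now is None else now) // STEP
    matched = None
    for offset in range(-tolerance, tolerance + 1):
        if current + offset < 0:
            continue
        # Constant-time compare; every step in the window is always checked.
        if hmac.compare_digest(totp(key, current + offset), code):
            matched = offset
    return matched


if __name__ == "__main__":
    print(verify(SAMPLE_SECRET, "287082", now=59))   # clocks in sync
    print(verify(SAMPLE_SECRET, "287082", now=119))  # client 2 steps behind
    print(verify(SAMPLE_SECRET, "287082", now=149))  # outside the window
```

A non-zero offset from `verify` shows how far the client clock has drifted, which is useful to log before the drift grows past the window.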


MIT, see License


Tested with RoundCube 0.9.5 and Google app. Also with Roundcube 1.0.4

Remember, time sync is essential for TOTP: "For this to work, the clocks of the user's device and the server need to be roughly synchronized (the server will typically accept one-time passwords generated from timestamps that differ by ±1 from the client's timestamp)" (from


Alexandre Espinosa Menor [email protected]


Open issues using GitHub; please don't send me emails about that, since Gmail usually marks those messages as SPAM


  • Vagrant:
  • Docker:

Using with Kolab

Add a symlink into the public_html/assets directory

Show explained by

Client implementations

You can use various OTP clients -link by


Suggested by [email protected]

To log errors with bad codes, change the $enablelogs variable to true.

The logs are stored in the file HOMERC/logs/logerrors_2FA.txt (the directory must be created).


You can define whitelisted IPs in the config file (see ) for automatic login: the plugin doesn't ask you for a code.


To deactivate the plugin, you can use two methods:

  • For only one user: reset the user prefs in the DB to null (roundcubeDB.users.preferences); the user's plugin options are stored there.

  • To all: remove the plugin from the plugin itself

Activate only for specific users

  • Use file (see example file)

  • Modify the array users_allowed_2FA to list the users you want to use the plugin. NOTE: you can use regular expressions

Use with 1.3.x version

Use 1.3.9-version branch

$ git checkout 1.3.9-version

If you download the 1.4.x RC version (with the elastic skin), use the master version as normal (thx to tborgans)

Elastic Skin start

Elastic Skin config
