VPOP3 v7.8 supports Two Factor Authentication (2FA or TFA) for Webmail/admin access.
What is Two Factor Authentication
Two Factor Authentication requires the user logging in to enter their password as well as a one-time password generated by an app or program which uses a special algorithm and a ‘secret’ to calculate the one-time password. This means that unless you have access to that app/program with your personal ‘secret’, you will not be able to log in. An observer cannot determine what your ‘secret’ is by looking at the one-time password you enter, so they will not be able to calculate future one-time passwords.
VPOP3 uses a ‘Time-based One-time Password’ (TOTP) algorithm, such as that supported by Google Authenticator. This means that the one-time password changes every 30 seconds using a standard algorithm and an individual key (secret) which both the VPOP3 server and Google Authenticator know.
Enabling Two Factor Authentication
To enable Two Factor Authentication in VPOP3, go to Services -> Webmail -> Advanced and turn on ‘Support 2 Factor Authentication for Webmail/Admin’.
Do NOT turn on ‘Require 2 Factor Authentication for Admin area’ yet! If you do, you will instantly be logged out, because you are not using 2FA, and you will not be able to log back in, because you have not yet set up Google Authenticator with your individual ‘secret’.
Once you have everything set up and working, you can turn on the ‘Require 2 Factor Authentication for Admin area’ option later.
Using Two Factor Authentication
First you need to get a TOTP program or app. I’d recommend Google Authenticator on your phone, because your phone is probably always with you and is usually separate from the PC from which you access VPOP3.
(Note that having your web browser remember your password and running Google Authenticator on the same PC as the web browser is no more secure than single-factor authentication, because someone who gains access to your account on that PC has access to both your password and your 2FA secret.)
Now, go to the Users list and edit the user you wish to use 2FA. Select the ‘Passwords’ tab.
At the bottom, you will now see a QR code and a ‘Google Auth Key’.
If you have the Google Authenticator phone app, you can scan this QR code into the app, or you can type/copy the Google Auth Key into the software. (Note that some software may require you to trim off any trailing ‘=’ characters when entering it.)
Now, if you try to log in as that user again, you will see a ‘2FA Password’ box. Type in the current 2FA password from the Google Authenticator app/program as well as your normal login details, and you’ll be able to log in.
If there’s a problem using the 2FA password, you can leave the 2FA Password box empty and log in without it, as VPOP3 will, at the moment, allow you to log in either with the correct 2FA password or with no 2FA password at all.
Once you can log in using the 2FA password, you can tick the box in the user’s Password settings which says ‘Require Google 2FA (Webmail/admin only)’. Once you have done that, that user will no longer be able to log in without their correct 2FA password (the option of not using a 2FA password at all will no longer work for this user).
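To make the TOTP mechanism described above concrete (the 30-second time step, the shared Base32 ‘Google Auth Key’ with its optional trailing ‘=’ padding, and the server-side check that rejects an empty or stale code), here is an added Python example; it is not VPOP3’s own code, and the demo key is the RFC 6238 reference secret rather than a key taken from a VPOP3 installation.

```python
import base64
import hashlib
import hmac
import struct
import time


def normalize_key(google_auth_key: str) -> bytes:
    """Decode a Base32 'Google Auth Key' as shown in the user's Passwords tab.

    Authenticator apps often want the trailing '=' padding removed, so accept
    the key with or without padding (and with spaces or lowercase letters)
    and re-pad it to a multiple of 8 characters before decoding.
    """
    cleaned = google_auth_key.replace(" ", "").rstrip("=").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time counter, truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and +/- `window`
    steps to tolerate clock skew; an empty or wrong code is rejected."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * 30)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


# Constructed demo key: the RFC 6238 reference secret "12345678901234567890"
# in Base32, i.e. the form in which an authenticator app would accept it.
DEMO_KEY = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    secret = normalize_key(DEMO_KEY)
    print("current code:", totp(secret, int(time.time())))
```

Because the code depends only on the secret and the current time, a server whose clock is far from the phone’s will reject every code; keeping the VPOP3 host’s clock synchronised is part of making 2FA work reliably.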