Frequently Asked Question
Info about TOTP - an open Two Factor alternative
Last Updated 8 months ago
All of our 2FA alternatives are used to strengthen and protect the login process for your account.
Most of them only work for our webmail interface. On the other hand, our IMAP/SMTP keys are at least 32 hex characters long, so they are already well protected from brute-force guessing attacks when you use third-party email clients.
Deeper info here about 2FA and TOTP:
A common misconception about TOTP is that it requires a mobile phone OR an Internet connection, which it does not. It only requires a clock that is fairly accurate, with a maximum skew of approximately plus or minus 30 seconds compared to real atomic time (NTP servers). It also does not require the server and the client to be in the same timezone.
Authy and Google Authenticator are two of several TOTP apps available for free, which you can download from your mobile app store.
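The point above, that a TOTP code depends only on the shared secret and the clock, shown as an added example. This is not CounterMail's cm2fa_demo.php; the function names and the name => secret array layout are assumptions, and the sample secret is the public RFC 6238 test key, which the code also uses for a self-check.

```php
<?php
// Added example; not CounterMail's cm2fa_demo.php. Function names are hypothetical.

// Decode the Base32 (RFC 4648) secret a site shows when you enable TOTP.
function base32_decode_secret(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = strtoupper(str_replace([' ', '-', '='], '', $b32));
    if (!preg_match('/\A[A-Z2-7]+\z/', $b32)) {
        throw new InvalidArgumentException('Secret is not valid Base32');
    }
    $bits = '';
    foreach (str_split($b32) as $ch) {
        $bits .= str_pad(decbin(strpos($alphabet, $ch)), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {              // ignore trailing padding bits
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

// RFC 6238 TOTP with HMAC-SHA1: the only inputs are the secret and Unix time.
function totp(string $key, int $unixTime, int $digits = 6, int $step = 30): string {
    $counter = pack('N2', 0, intdiv($unixTime, $step));  // 64-bit big-endian step counter
    $hmac    = hash_hmac('sha1', $counter, $key, true);
    $offset  = ord($hmac[19]) & 0x0F;                     // dynamic truncation (RFC 4226)
    $code    = unpack('N', substr($hmac, $offset, 4))[1] & 0x7FFFFFFF;
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Self-check against the RFC 6238 Appendix B SHA-1 test vector (T = 59, 8 digits).
$rfcKey = base32_decode_secret('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ');
if ($rfcKey !== '12345678901234567890' || totp($rfcKey, 59, 8) !== '94287082') {
    fwrite(STDERR, "TOTP self-check failed\n");
    exit(1);
}

// Constructed sample entries (name => Base32 secret); the layout is an assumption.
$secrets = ['example-site' => 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'];

// time() counts seconds since the Unix epoch (UTC), so the timezone never enters.
$now = time();
foreach ($secrets as $name => $b32) {
    printf("%-14s %s (valid for %d more seconds)\n",
        $name, totp(base32_decode_secret($b32), $now), 30 - $now % 30);
}
```

A file like this holds the secrets in clear text, so keep it readable only by your own user account.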
What happens if I lose my mobile phone?
When you activate any 2FA alternative, you will be asked to download and save a special 2FA reset code. This can be used to remove the 2FA login protection if you lose your mobile phone. Send an encrypted email containing the 2FA reset code and your CM account name to our email accounts[a]countermail.com. After we have verified the reset code, we will disable 2FA for the specific CM account. Another type of backup, and also a fully working TOTP app, is the PHP script we made. So you actually don't need to download any app from your mobile phone's app store!
We have created our own 2FA PHP script (cm2fa_demo.zip) as an example showing that it requires no Internet (or mobile).
Linux and MacOS
You only need to install the command-line version of PHP (php-cli in Linux and Mac). Common installation commands are "yum install php-cli" OR "apt-get install php-cli".
On Windows, you can just download the latest PHP ZIP file and use php.exe to run our script, the same way as on Linux (see further down): https://windows.php.net/downloads/qa/php-7.4.16RC1-Win32-vc15-x64.zip
Double-click the ZIP file to extract our PHP script (or extract it by right-clicking with the mouse).
Usage: Right-click on the folder where you extracted the script, and select "Open Terminal here" (or "Open in Terminal" or a similar option in the right-click menu).
In Windows you may need to start the Command Prompt. Let's say you extracted the ZIP file to c:\PHP: then write "cd php" first.
Write "php cm2fa_demo.php" and press Enter. This will show all calculated TOTP codes you have in your "database" (the secrets array) in the script. We will release a more advanced version later, where you can add/remove sites even more easily.
To add new sites:
Open the PHP script (cm2fa_demo.php) with any decent text editor like Wordpad or Gtext. We don't recommend Windows Notepad, since it's too simple and can't handle newline feeds for Linux etc. But Wordpad or Notepad++ should work for Windows. For Mac and Linux the built-in text editors, like GText and TextEdit, work fine.
You need to open/edit the file "cm2fa_demo.php" and have it ready (open) before you activate TOTP on any site.
Use copy & paste to paste the secret code into the $secrets array. Each entry in the array consists of two elements: the site name and the secret. You can choose whatever name you want for the site you are adding, but the secret value must be exactly as it is shown on the screen(1) when you activate it, so we recommend copy & paste for the secret value. The array can easily be extended by just adding more rows if you want more sites.
In the next version we are also going to add AES256 encryption for the secrets array, so both the name and the secret will be strongly encrypted. In that version you will get a password prompt when you start the script (it will be possible to disable this feature if you want the array unencrypted).
(1) If they don't present the secret code on screen and use a QR code instead, you can first install a free QR code reader and use that app to get the secret code, then copy & paste it from the QR code app into the $secrets array in our PHP script. We tested with the mobile app "QR CODE READER - FREE", and it worked for us. Often they show both the QR code and, below it, the secret code in clear text. Then you don't need to scan the QR code; just copy and paste the secret code directly into the $secrets array in our PHP script.