Multi-factor Authentication

Revision as of 11:24, 26 May 2023

To increase security during the login process, multi-factor authentication (MFA) can be activated for users with MailStore-integrated authentication. MailStore supports Time-based One-time Passwords (TOTP) as specified in RFC 6238.

To do this, users need a TOTP-capable device, e.g. a smartphone with an installed authenticator app.

Important notice: TOTP codes are derived from the current time, so the system clocks of the MailStore Server and of the devices generating the codes must be synchronized (e.g. via NTP). A device clock that is off by more than the server's tolerance produces codes that are rejected even though the secret is correct.
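As an added worked example (not MailStore's code, and not taken from this page), the following Python implements a TOTP generator and a server-side verifier per RFC 6238 and shows why the clock synchronization above matters. The secret is the RFC 6238 reference test key, base32-encoded the way an authenticator app would receive it from a QR code; the 6-digit codes, 30-second time step, SHA-1 and the one-step tolerance window in verify_totp are the RFC defaults and are assumptions here, since this page does not document MailStore's actual parameters.

```python
import base64
import hashlib
import hmac
import struct
from typing import Dict, Optional

# Constructed test key: the RFC 6238 reference secret "12345678901234567890"
# (ASCII), base32-encoded as an authenticator app would receive it. This is
# not a MailStore secret; it is the published RFC test vector key.
RFC6238_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    key = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step), T0 = 0."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32: str, code: str, server_time: int,
                step: int = 30, window: int = 1) -> Optional[int]:
    """Server-side check: accept the current step and `window` steps either side.

    Returns the step offset that matched (0 = current step) or None if the code
    is rejected. The one-step window is an assumption; MailStore does not
    document its tolerance. compare_digest avoids a timing side channel.
    """
    for delta in range(-window, window + 1):
        candidate = totp(secret_b32, server_time + delta * step, step, len(code))
        if hmac.compare_digest(candidate, code):
            return delta
    return None


def demo_clock_skew(secret_b32: str, server_time: int = 1_700_000_000) -> Dict[int, Optional[int]]:
    """Generate codes on a device whose clock is `skew` seconds off the server
    clock and report which ones the server still accepts."""
    results: Dict[int, Optional[int]] = {}
    for skew in (-25, 0, 25, 45, 90):
        device_code = totp(secret_b32, server_time + skew)
        results[skew] = verify_totp(secret_b32, device_code, server_time)
    return results


if __name__ == "__main__":
    print("RFC 6238 vector T=59 (8 digits):", totp(RFC6238_SECRET_B32, 59, digits=8))
    for skew, matched in demo_clock_skew(RFC6238_SECRET_B32).items():
        state = "accepted" if matched is not None else "REJECTED"
        print(f"device clock {skew:+4d}s -> {state} (step offset {matched})")
```

Run stand-alone, the script prints the RFC 6238 reference value for T=59 and then shows that a device clock 25 seconds off still falls within the neighbouring step, while 45 or 90 seconds of drift already lands outside the accepted window. Whether a given drift is tolerated depends on where the server's clock sits within its 30-second step, which is why NTP synchronization on both sides, rather than a more generous verification window, is the right fix.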

Configuration

Administrators are able to configure multi-factor authentication within user management.

Log in as a MailStore administrator via MailStore Client. Click Administrative Tools > Users and Archives and then click Users.

Activation

  • Open the properties of the user you want to enable MFA for.
  • Select the entry MailStore-integrated with MFA from the Authentication drop-down menu.
  • Confirm with OK.
  • The next time the user logs in with an MFA-capable client (MailStore Client, MailStore Outlook Add-In, Web Access), the user will be prompted to scan a QR code with a TOTP-capable authenticator app (e.g. Google Authenticator), then enter an MFA code to complete the MFA configuration.
Umgm users 02 mfa.png

Deactivation

  • Open the properties of the user you want to disable MFA for.
  • Select the entry MailStore-integrated from the Authentication drop-down menu.
  • Confirm with OK.
  • App passwords that the user may have created remain in place and stay valid. If they are no longer needed, remove them via Commands > Remove App Passwords.
Umgm users 02.png

Reinitialize MFA

If a user has lost the device on which MFA was set up, wants to set up MFA on a different device, or needs to set up MFA again for some other reason, you can reinitialize MFA. This generates a new secret from which the one-time passwords are derived, so codes produced by the old device are no longer valid.
The next time the user logs in, they will be prompted again to complete the MFA configuration.
If the user has not yet completed the MFA configuration with their device, this function is not available.

  • Open the properties of the user you want to reinitialize MFA for.
  • Click on the Commands button.
  • Click on Reinitialize MFA.
  • Confirm the operation.
Umgm users 02 mfa commands.png

Delete App passwords

If a user has created app passwords to continue using clients that are not MFA-capable (Scheduled Tasks, IMAP, Management API), you can delete them here.
If the user has not created any app passwords, this feature is not available.
This command removes all of the user's app passwords at once; individual app passwords can only be deleted by the user in MailStore Client (see Management of app passwords).

  • Open the properties of the user whose app passwords you want to delete.
  • Click the Commands button.
  • Click on Remove App Passwords.
  • Confirm the operation.

Login

If multi-factor authentication has been activated for a user, the next time the user logs in with an MFA-capable client (MailStore Client, MailStore Outlook Add-In, Web Access), the user will be prompted to scan a QR code with a TOTP-capable authenticator app (e.g. Google Authenticator). This transfers the secret generated by the server into the app, which can then generate valid one-time passwords from that secret and the current time.
The secret is also displayed below the QR code and can be copied to the clipboard with a double-click, e.g. to store it in a password manager. Anyone who obtains this secret can generate valid MFA codes, so protect it accordingly; keeping it in the same vault as the account password means that a compromise of that vault yields both factors.

Mfa finalize 02.png

Once the QR code has been scanned and a valid MFA code has been entered, the MFA setup is complete. On subsequent logins the QR code is not shown again and the user is only asked for the current MFA code.

Mfa codeonly 02.png

Trusted Devices

If the device from which the login is made is trusted, the option Trust this device for 14 days can be enabled. When it is set, an additional token is stored on the end device and sent along with subsequent logins, so the user is not asked for an MFA code again on that device during the trust period. Do not enable this on shared or public computers: the token is only as well protected as the local user account and browser profile that store it.

Mfa codeonly trusted device 03.png

MailStore Client, Outlook Add-In and Web Access each save their own token.

The token for MailStore Client and the Outlook Add-In is stored in the Windows Credential Manager. It is not part of a roaming profile and therefore does not follow the user to other computers.

The token for Web Access is stored in the browser's Local Storage. When Web Access is used in the browser's Incognito (private) mode, the token is not persisted between browser sessions, so the device has to be trusted again after the browser is closed. Clearing the browser's site data likewise removes the token.

Management of app passwords

Once multi-factor authentication has been enabled for a user, the normal password can no longer be used to log in with clients that are not MFA-capable.

Clients that are not MFA-capable include:

  • Scheduled Tasks, which run the MailStore Client in command line mode
  • IMAP clients connecting to the integrated IMAP server
  • the Management API

To ensure that these clients can still be used, users can create app passwords. These passwords are generated by MailStore rather than chosen by the user and are considerably more complex than typical user passwords. Each app password lets one of these clients authenticate without a second factor, so treat it with the same care as the account password and delete it as soon as it is no longer needed.

App passwords can only be managed via MailStore Client by users with MailStore-integrated authentication. In addition, the Change Password right is required.
App passwords remain valid even if MFA is disabled for the user.
App passwords can never be used to log in with MFA-capable clients.

  • Log on to MailStore Client.
  • From the Start Page, click Manage Passwords.
  • The context names of the app passwords created so far are listed.
    App passwords manage.png
  • Click Add to add a new app password.
    App passwords create.png
  • App password context names must be unique and must not contain the app password itself. Use the name to record which client or scheduled task the password was created for, so that it can be identified and deleted later.
  • Highlight a name and click Delete to delete an app password.