Multi-factor Authentication
To increase security during the login process, multi-factor authentication (MFA) can be activated for users with MailStore-integrated authentication. MailStore supports Time-based One-time Password (TOTP) according to RFC 6238.
To do this, users need a TOTP-enabled device, e.g. a smartphone with an installed authenticator app.
Important notice: In order for valid one-time passwords (TOTP) to be generated, the system times of the MailStore Server and the end devices must be synchronized.
Configuration
Administrators are able to configure multi-factor authentication in the user management.
Log in as a MailStore administrator via MailStore Client. Click Administrative Tools > Users and Archives and then click Users.
Activation
- Open the properties of the user you want to enable MFA for.
- Select the entry MailStore-integrated with MFA from the Authentication drop-down menu.
- Confirm with OK.
- The next time the user logs in with an MFA-enabled client (MailStore Client, MailStore Outlook Add-In, Web Access), the user will be prompted to scan a QR code with a TOTP-enabled authenticator app (e.g. Google Authenticator), then enter an MFA code to complete the MFA configuration.
Deactivation
- Open the properties of the user you want to disable MFA for.
- Select the entry MailStore-integrated from the Authentication drop-down menu.
- Confirm with OK.
- App passwords that may have been created remain in place and remain valid.
Reinitialize MFA
If a user lost the device on which MFA was set up, wants to set up MFA on a different device, or needs to set up MFA again for some other reason, you can reinitialize MFA. This generates a new secret from which the one-time passwords are derived.
The next time the user logs in, they will be prompted again to complete the MFA configuration.
If the user has not yet completed the MFA configuration with their device, this function is not available.
- Open the properties of the user you want to reinitialize MFA for.
- Click on the Commands button.
- Click on Reinitialize MFA.
- Confirm the operation.
Delete App passwords
If a user has created app passwords to continue using non-MFA enabled clients (Scheduled Tasks, IMAP, Management API), you can delete them here.
If the user has not created any app passwords, this feature is not available.
App passwords can only be cleared in their entirety.
- Open the properties of the user whose app passwords you want to delete.
- Click the Commands button.
- Click on Remove App Passwords.
- Confirm the operation.
Login
If multi-factor authentication has been activated for a user, the next time the user logs in with an MFA-enabled client (MailStore Client, MailStore Outlook Add-In, Web Access), the user will be prompted to scan a QR code with a TOTP-enabled authenticator app (e.g. Google Authenticator). This stores the previously generated secret into the app, and the app is able to generate valid one-time passwords.
The secret is displayed below the QR code and can be copied to the clipboard with a double-click to be stored in a password manager.
If the QR code has been scanned and a valid MFA code has been entered, subsequent login attempts will only be asked for the MFA code.
Trusted Devices
If the device from which the login is made is trusted, the option Trust this device for 14 days. can be set. When setting this option, an additional token is stored on the end device, which is sent with the login process.
MailStore Client, Outlook Add-In and Web Access each save their own token.
The token for MailStore Client and the Outlook Add-In is stored in the Windows credential manager. It does not move with roaming profiles.
The token for web access is stored in the browser's Local Storage. When Web Access is accessed in the browser's Incognito mode, the token is not persisted in between browser sessions.
Management of app passwords
Once multi-factor authentication has been enabled for a user, the normal password can no longer be used to log in with non-MFA enabled clients.
Non-MFA enabled clients include:
- Scheduled Tasks, that use the MailStore Client in command line mode
- IMAP clients
- Management-API clients, such as the Powershell API-Wrapper and the Python API-Wrapper
To ensure that these clients can still be used, users can create app passwords. These passwords are generated by MailStore and are characterized by increased complexity.
App passwords can only be managed via MailStore Client by users with MailStore-integrated authentication. In addition, the Change Password right is required.
App passwords work even with MFA disabled.
- Log on to MailStore Client.
- From the Home, click Manage Passwords.
- The context names of the app passwords created so far are listed.
- Click Add to add a new app password.
- Highlight a name and click Delete to delete an app password.