Difference between revisions of "Multi-factor Authentication"

[unchecked revision][checked revision]
(Created page with "To increase security during the login process, multi-factor authentication (MFA) can be activated for users with ''MailStore-integrated'' authentication. MailStore supports ''...")
 
 
(6 intermediate revisions by 2 users not shown)
Line 1: Line 1:
To increase security during the login process, multi-factor authentication (MFA) can be activated for users with ''MailStore-integrated'' authentication. MailStore supports ''Time-based One-time Password (TOTP)'' according to ''RFC 6238''.<br/><br/>
+
To increase security during the login process, multi-factor authentication (MFA) can be activated for MailStore users. MailStore supports ''Time-based One-time Password (TOTP)'' according to ''RFC 6238''.<br/><br/>
To do this, users need a TOTP-enabled device, e.g. a smartphone with an installed authenticator app.
+
To do this, users need a TOTP-capable device, e.g. a smartphone with an installed authenticator app.<br/><br/>
 +
MailStore does not request the second factor, when the user is authenticated by Windows Authentication (Single Sign-On) or OpenID Connect (Microsoft 365, ADFS, Google Workspace).<br/><br/>
 +
When MFA is enabled, users who authenticate against a directory service cannot utilize non-MFA-capable clients such as Scheduled Tasks, IMAP clients, or the Management API. This restriction is in place for security reasons. Due to MailStore’s internal management of app passwords (which are necessary for non-MFA-capable clients), a user could still log in to MailStore even if they are blocked in the directory service.
  
 
<p class=msnote>'''Important notice:''' In order for valid one-time passwords (TOTP) to be generated, the system times of the MailStore Server and the end devices must be synchronized.</p>
 
<p class=msnote>'''Important notice:''' In order for valid one-time passwords (TOTP) to be generated, the system times of the MailStore Server and the end devices must be synchronized.</p>
Line 6: Line 8:
 
== Configuration ==
 
== Configuration ==
  
Administrators are able to configure multi-factor authentication in the [[Users,_Folders_and_Settings|user management]].
+
Administrators are able to configure multi-factor authentication within [[Users,_Folders_and_Settings|user management]].
  
 
Log in as a MailStore administrator via MailStore Client. Click ''Administrative Tools'' > ''Users and Archives'' and then click ''Users''.
 
Log in as a MailStore administrator via MailStore Client. Click ''Administrative Tools'' > ''Users and Archives'' and then click ''Users''.
Line 13: Line 15:
  
 
* Open the properties of the user you want to enable MFA for.
 
* Open the properties of the user you want to enable MFA for.
* Select the entry ''MailStore-integrated with MFA'' from the ''Authentication'' drop-down menu.
+
* Check the option ''Multi-factor Authentication'' in the ''General Information'' section.
 
* Confirm with ''OK''.
 
* Confirm with ''OK''.
* The next time the user [[Multi-factor_authentication#Login|logs in]] with an MFA-enabled client (MailStore Client, MailStore Outlook Add-In, Web Access), the user will be prompted to scan a QR code with a TOTP-enabled authenticator app (e.g. Google Authenticator), then enter an MFA code to complete the MFA configuration.
+
* The next time the user [[Multi-factor_Authentication#Login|logs in]] with an MFA-capable client (MailStore Client, MailStore Outlook Add-In, Web Access), the user will be prompted to scan a QR code with a TOTP-capable authenticator app (e.g. Google Authenticator), then enter an MFA code to complete the MFA configuration.
  
 
[[File:umgm_users_02_mfa.png|center|400px]]
 
[[File:umgm_users_02_mfa.png|center|400px]]
Line 22: Line 24:
  
 
* Open the properties of the user you want to disable MFA for.
 
* Open the properties of the user you want to disable MFA for.
* Select the entry ''MailStore-integrated'' from the ''Authentication'' drop-down menu.
+
* Uncheck the option ''Multi-factor Authentication'' in the ''General Information'' section.
 
* Confirm with ''OK''.
 
* Confirm with ''OK''.
 
* App passwords that may have been created remain in place and remain valid.
 
* App passwords that may have been created remain in place and remain valid.
Line 31: Line 33:
  
 
If a user lost the device on which MFA was set up, wants to set up MFA on a different device, or needs to set up MFA again for some other reason, you can reinitialize MFA. This generates a new secret from which the one-time passwords are derived.<br/>
 
If a user lost the device on which MFA was set up, wants to set up MFA on a different device, or needs to set up MFA again for some other reason, you can reinitialize MFA. This generates a new secret from which the one-time passwords are derived.<br/>
The next time the user [[Multi-factor_authentication#Login|logs in]], they will be prompted again to complete the MFA configuration.
+
The next time the user [[Multi-factor_Authentication#Login|logs in]], they will be prompted again to complete the MFA configuration.
 
<br/>
 
<br/>
 
If the user has not yet completed the MFA configuration with their device, this function is not available.
 
If the user has not yet completed the MFA configuration with their device, this function is not available.
Line 44: Line 46:
 
=== Delete App passwords ===
 
=== Delete App passwords ===
  
If a user has created app passwords to continue using ''non-MFA enabled clients'' (Scheduled Tasks, IMAP, Management API), you can delete them here.
+
If a user has created app passwords to continue using ''non MFA-capable clients'' (Scheduled Tasks, IMAP, Management API), you can delete them here.
 
<br/>
 
<br/>
 
If the user has not created any app passwords, this feature is not available.
 
If the user has not created any app passwords, this feature is not available.
Line 57: Line 59:
 
== Login ==
 
== Login ==
  
If multi-factor authentication has been activated for a user, the next time the user logs in with an MFA-enabled client (MailStore Client, MailStore Outlook Add-In, Web Access), the user will be prompted to scan a QR code with a TOTP-enabled authenticator app (e.g. Google Authenticator). This stores the previously generated secret into the app, and the app is able to generate valid one-time passwords.<br/>
+
If multi-factor authentication has been activated for a user, the next time the user logs in with an MFA-capable client (MailStore Client, MailStore Outlook Add-In, Web Access), the user will be prompted to scan a QR code with a TOTP-capable authenticator app (e.g. Google Authenticator). This stores the previously generated secret into the app, and the app is able to generate valid one-time passwords.<br/>
 
The secret is displayed below the QR code and can be copied to the clipboard with a double-click to be stored in a password manager.
 
The secret is displayed below the QR code and can be copied to the clipboard with a double-click to be stored in a password manager.
  
Line 74: Line 76:
 
MailStore Client, Outlook Add-In and Web Access each save their own token.<br/><br/>
 
MailStore Client, Outlook Add-In and Web Access each save their own token.<br/><br/>
 
The token for MailStore Client and the Outlook Add-In is stored in the Windows credential manager. It does not move with roaming profiles.<br/><br/>
 
The token for MailStore Client and the Outlook Add-In is stored in the Windows credential manager. It does not move with roaming profiles.<br/><br/>
The token for web access is stored in the browser's ''Local Storage''. When Web Access is accessed in the browser's ''Incognito mode'', the token is not persisted in between browser sessions.
+
The token for Web Access is stored in the browser's ''Local Storage''. When Web Access is accessed in the browser's ''Incognito mode'', the token is not persisted in between browser sessions.
  
 
== Management of app passwords ==
 
== Management of app passwords ==
  
Once multi-factor authentication has been enabled for a user, the normal password can no longer be used to log in with ''non-MFA enabled clients''.<br/><br/>
+
Once multi-factor authentication has been enabled for a user, the normal password can no longer be used to log in with ''non MFA-capable clients''.<br/><br/>
''Non-MFA enabled clients'' include:<br/>
+
''Non MFA-capable clients'' include:<br/>
 
* ''[[Email_Archiving_with_MailStore_Basics#Automating_Execution_of_E-mail_Client_or_E-mail_Files_Archiving_Profiles|Scheduled Tasks]]'', that use the MailStore Client in command line mode
 
* ''[[Email_Archiving_with_MailStore_Basics#Automating_Execution_of_E-mail_Client_or_E-mail_Files_Archiving_Profiles|Scheduled Tasks]]'', that use the MailStore Client in command line mode
 
* [[Accessing_the_Archive_via_Integrated_IMAP_Server|IMAP clients]]
 
* [[Accessing_the_Archive_via_Integrated_IMAP_Server|IMAP clients]]
Line 87: Line 89:
  
 
App passwords can only be managed via MailStore Client by users with ''MailStore-integrated'' authentication. In addition, the ''Change Password'' right is required.<br/>
 
App passwords can only be managed via MailStore Client by users with ''MailStore-integrated'' authentication. In addition, the ''Change Password'' right is required.<br/>
App passwords work even with MFA disabled.
+
App passwords work even with MFA disabled.<br/>
 +
App passwords can never be used to login with MFA-capable clients.
  
* Log on to [[Access_via_the_MailStore_Client_Software|MailStore Client]].
+
* Log on to [[Accessing_the_Archive_with_the_MailStore_Client_software|MailStore Client]].
* From the ''Home'', click ''Manage Passwords''.
+
* From the ''Start Page'', click ''Manage Passwords''.
 
* The context names of the app passwords created so far are listed.
 
* The context names of the app passwords created so far are listed.
 
*: [[File:App_passwords_manage.png|center|400px]]
 
*: [[File:App_passwords_manage.png|center|400px]]
 
* Click ''Add'' to add a new app password.
 
* Click ''Add'' to add a new app password.
 
*: [[File:App_passwords_create.png|center|400px]]
 
*: [[File:App_passwords_create.png|center|400px]]
 +
* App password context names must be unique and cannot contain the app password.
 
* Highlight a name and click ''Delete'' to delete an app password.
 
* Highlight a name and click ''Delete'' to delete an app password.
  
 
[[de:Multi-Faktor-Authentifizierung]]
 
[[de:Multi-Faktor-Authentifizierung]]
[[en:Multi-Factor-Authentication]]
+
[[en:Multi-factor_Authentication]]

Latest revision as of 12:09, 28 March 2024

To increase security during the login process, multi-factor authentication (MFA) can be activated for MailStore users. MailStore supports Time-based One-time Password (TOTP) according to RFC 6238.

To do this, users need a TOTP-capable device, e.g. a smartphone with an installed authenticator app.

MailStore does not request the second factor, when the user is authenticated by Windows Authentication (Single Sign-On) or OpenID Connect (Microsoft 365, ADFS, Google Workspace).

When MFA is enabled, users who authenticate against a directory service cannot utilize non-MFA-capable clients such as Scheduled Tasks, IMAP clients, or the Management API. This restriction is in place for security reasons. Due to MailStore’s internal management of app passwords (which are necessary for non-MFA-capable clients), a user could still log in to MailStore even if they are blocked in the directory service.

Important notice: In order for valid one-time passwords (TOTP) to be generated, the system times of the MailStore Server and the end devices must be synchronized.

Configuration

Administrators are able to configure multi-factor authentication within user management.

Log in as a MailStore administrator via MailStore Client. Click Administrative Tools > Users and Archives and then click Users.

Activation

  • Open the properties of the user you want to enable MFA for.
  • Check the option Multi-factor Authentication in the General Information section.
  • Confirm with OK.
  • The next time the user logs in with an MFA-capable client (MailStore Client, MailStore Outlook Add-In, Web Access), the user will be prompted to scan a QR code with a TOTP-capable authenticator app (e.g. Google Authenticator), then enter an MFA code to complete the MFA configuration.
Umgm users 02 mfa.png

Deactivation

  • Open the properties of the user you want to disable MFA for.
  • Uncheck the option Multi-factor Authentication in the General Information section.
  • Confirm with OK.
  • App passwords that may have been created remain in place and remain valid.
Umgm users 02.png

Reinitialize MFA

If a user lost the device on which MFA was set up, wants to set up MFA on a different device, or needs to set up MFA again for some other reason, you can reinitialize MFA. This generates a new secret from which the one-time passwords are derived.
The next time the user logs in, they will be prompted again to complete the MFA configuration.
If the user has not yet completed the MFA configuration with their device, this function is not available.

  • Open the properties of the user you want to reinitialize MFA for.
  • Click on the Commands button.
  • Click on Reinitialize MFA.
  • Confirm the operation.
Umgm users 02 mfa commands.png

Delete App passwords

If a user has created app passwords to continue using non MFA-capable clients (Scheduled Tasks, IMAP, Management API), you can delete them here.
If the user has not created any app passwords, this feature is not available.
App passwords can only be cleared in their entirety.

  • Open the properties of the user whose app passwords you want to delete.
  • Click the Commands button.
  • Click on Remove App Passwords.
  • Confirm the operation.

Login

If multi-factor authentication has been activated for a user, the next time the user logs in with an MFA-capable client (MailStore Client, MailStore Outlook Add-In, Web Access), the user will be prompted to scan a QR code with a TOTP-capable authenticator app (e.g. Google Authenticator). This stores the previously generated secret into the app, and the app is able to generate valid one-time passwords.
The secret is displayed below the QR code and can be copied to the clipboard with a double-click to be stored in a password manager.

Mfa finalize 02.png

If the QR code has been scanned and a valid MFA code has been entered, subsequent login attempts will only be asked for the MFA code.

Mfa codeonly 02.png

Trusted Devices

If the device from which the login is made is trusted, the option Trust this device for 14 days. can be set. When setting this option, an additional token is stored on the end device, which is sent with the login process.

Mfa codeonly trusted device 03.png

MailStore Client, Outlook Add-In and Web Access each save their own token.

The token for MailStore Client and the Outlook Add-In is stored in the Windows credential manager. It does not move with roaming profiles.

The token for Web Access is stored in the browser's Local Storage. When Web Access is accessed in the browser's Incognito mode, the token is not persisted in between browser sessions.

Management of app passwords

Once multi-factor authentication has been enabled for a user, the normal password can no longer be used to log in with non MFA-capable clients.

Non MFA-capable clients include:

To ensure that these clients can still be used, users can create app passwords. These passwords are generated by MailStore and are characterized by increased complexity.

App passwords can only be managed via MailStore Client by users with MailStore-integrated authentication. In addition, the Change Password right is required.
App passwords work even with MFA disabled.
App passwords can never be used to login with MFA-capable clients.

  • Log on to MailStore Client.
  • From the Start Page, click Manage Passwords.
  • The context names of the app passwords created so far are listed.
    App passwords manage.png
  • Click Add to add a new app password.
    App passwords create.png
  • App password context names must be unique and cannot contain the app password.
  • Highlight a name and click Delete to delete an app password.