2FA Webadmin User Guide

Stewart

What is two-factor authentication?

Two-factor authentication (also known as 2FA) is a subset of multi-factor authentication. When enabled for a webmail account, a person will only be able to log in to the webmail part of the email platform when they present two pieces of evidence during authentication, to confirm that they are authorised to access that email account. Specifically, they must present evidence of knowledge (something that the user, and only the user, knows, such as their username and password combination) plus evidence of possession (such as a code generated by an app on the user's smartphone).

How does it work?

Enabling 2FA will help protect an email account. When enabled, the webmail user will be asked to enter a time-based code (in addition to their username and password) when logging in to webmail.

The 2FA code is generated by an app on their phone, tablet or computer, and changes every thirty seconds. This means that if someone were to gain unauthorised access to a user’s username and password, the unauthorised person would still not be able to log in to the target account via webmail without also having access to the secret that is used to generate the ever-changing 2FA code.

Implementation summary

2FA has been implemented in compliance with RFC 6238 “TOTP: Time-Based One-Time Password Algorithm”.

When a user enables 2FA on their webmail account, atmail generates a TOTP secret in the form of a 32-byte random string. This secret is used to generate a QR code image and verify the final TOTP token.

The TOTP secret is not viewable by administrators and is not accessible via API; it is stored in an encrypted form. The end user can only access the secret once during the setup process, when it is shared as either a QR code or in plain text.

Tokens are valid for 30 seconds; a small offset is accepted around the current time step to cater for latency.

The webmail user will be required to download a third-party authenticator app to complete 2FA set-up and all further related actions (such as webmail login, password reset, and disabling 2FA).

While any standards-compliant 2FA authenticator app should work, we recommend, and have tested, the following apps:


Google Authenticator

1Password

Twilio Authy

LastPass

Duo Authenticator

Trusona

Known constraints

The scope of the initial implementation is limited to webmail authentication and related APIs. It is also limited to being “optional” for webmail users to enable.

The feature will be extended in future releases (as part of the product roadmap) with several enhancements, including:

  1. App-specific password generation and management to support adding email accounts to third-party email clients.
    Please note, until app-specific password support is released, users can continue to authenticate to third-party clients with their existing username and password. Atmail will release this feature addition as a configurable option, to allow you full control of change management.
  2. Support for configuring 2FA as a mandatory requirement for webmail users.
  3. Self-service recovery.
    Please note, in the event that a user loses access to the authenticator app that generates their 2FA code, they will need to contact your Support Team to recover access to their account. The steps required to override 2FA for an individual account are detailed below.
  4. Administrator user authentication and admin API functionality.

How to enable 2FA for a domain

  1. To enable 2FA for a domain, log in to your WebAdmin interface and navigate to the “Security” tab.
  2. Select “Password policy” from the left-hand menu.
  3. Select the specific domain on which you wish to enable 2FA.
  4. In the dropdown menu next to “2FA”, change the selection from “Off (Default)” to “Optional”.
  5. Scroll to the bottom of the page and click SAVE SETTINGS.

Users will now have an option to enable 2FA for their webmail account under Webmail Settings > Accounts.

How to disable 2FA for a domain

Once enabled, 2FA can be disabled at any time. When you do so, you have two options: (1) You can allow users who have already enabled 2FA to continue to use this feature, while preventing anyone else from enabling it. (2) You can turn off 2FA for everyone.

To prevent new users from enabling 2FA

This option will ensure that users who have already enabled 2FA for their account can continue to use 2FA to log in. However, other users will not be presented with an option to enable 2FA for their account. 

  1. To prevent new users from enabling 2FA, log in to your WebAdmin interface and navigate to the “Security” tab.
  2. Select “Password policy” from the left-hand menu.
  3. Select the specific domain you wish to modify.
  4. In the dropdown menu next to “2FA”, change the selection from “Optional” to “Off (Default)”.
  5. Scroll to the bottom of the page and click SAVE SETTINGS.

Users will no longer have an option to enable 2FA for their webmail account under Webmail Settings > Accounts.

Please note, once set to “Off”, if an existing 2FA user disables 2FA on their account, they will not be able to re-enable it.

To turn 2FA off for all users

  1. To turn 2FA off for all users, log in to your WebAdmin interface and navigate to the “Security” tab.
  2. Select “Password policy” from the left-hand menu.
  3. Select the specific domain you wish to modify.
  4. In the dropdown menu next to “2FA”, change the selection from “Optional” to “Off (Default)”.
  5. Type “delete” into the input field next to “Delete user 2FA TOTP codes”.
  6. Scroll to the bottom of the page and click SAVE SETTINGS.
  7. Click “OK” to accept the warning prompt and to continue.

Users who have enabled 2FA for their account will no longer be prompted for a TOTP code at login. They will, however, receive a one-time notification advising them that their system administrator has turned off 2FA.

Users will no longer have an option to enable 2FA for their account in Webmail Settings.

Providing 2FA management permissions to administrative users

2FA management is supported by atmail’s customisable role-based access control (RBAC) model.

  1. To provide a user with 2FA management permissions, log in to your WebAdmin interface and navigate to the “Security” tab.
  2. Select “List roles” from the left-hand menu.
  3. Choose to create a new role (“Create sub role”) or modify an existing role, by clicking on the role name.
  4. Scroll through the list of permissions and toggle on the specific permissions you wish to assign to this role. Please note, this role will need the following permissions (at a minimum) toggled on to manage 2FA settings for a domain:
    1. passwordpolicy.view
    2. passwordpolicy.edit
    3. passwordpolicy.accounts
    4. 2fa.view
    5. 2fa.edit
  5. Assign this role as required to your admin user accounts.

How to help a user recover their account

If a user loses access to the authenticator app that generates a 2FA code on their chosen device, they will need to contact your Support Team for assistance with recovering access to their webmail account.

To override that specific user’s 2FA setting, first verify, using your standard operating procedure, that you are communicating with the authorised account holder. Then follow these steps:

  1. Log in to your WebAdmin interface and navigate to the “Account Manager” tab.
  2. Select the domain that the individual’s account belongs to.
  3. Select the individual’s account from the list of accounts on that domain.
  4. Click EDIT ACCOUNT.
  5. Type “delete” into the input field next to 2FA and click UPDATE ACCOUNT.
  6. Click OK to confirm the action and remove 2FA from this account.

The user will now be able to log in to their webmail account without a TOTP code, and can re-enable 2FA.
