28
Two Factor Authentication for SmarterMail - when?
Idea shared by Webio - November 7, 2014 at 3:36 AM
Planned
Hello,
 
when we can expect to have two factor authentication for SmarterMail?
 
Regards

24 Replies

1
Bruce Barnes Replied
November 7, 2014 at 5:49 AM
Two-factor authentication would be a very nice touch. The capability to send a text message, with a 6 digit auth code, or interface with an external service would really help tighten security.
Bruce Barnes
ChicagoNetTech Inc

Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
1
Bruce Barnes Replied
November 7, 2014 at 6:16 AM
Most of my customers are well versed with the PayPal txt message model and would prefer that to an external token or device.
1
Bruce Barnes Replied
November 7, 2014 at 8:29 AM
SMS is now free, for the most part, with plans in the US and is the bulk of two-factor authentication for hospital networks, PayPal and many other online financial services.  It is also used extensively by Facebook and LinkedIn.
 
Everyone has their cell phones with them all the time, so SMS would be a very convenient two-factor method to integrate.
 
Tokens get lost and cost extra money.  They also get left on desks in workstations, put in drawers, and left in pants and shirt pockets.
 
Your own example at: https://www.whmcs.com/, shows the use of SMS / text messaging and a cell phone and shows how densely it is implemented.
 
See the graphic of users on the page https://www.whmcs.com/features/
3
Joseph Rebis Replied
November 7, 2014 at 8:51 AM
I totally agree this should be optionally implemented using Google Authenticator, which I have recently been using for WHMCS. It works great and is easy to set up, and cheap.
 
For that matter, reporting that last X IPs to access your webmail or POP/IMAP your account would be a nice feature too- if we're talking about security.
4
Bruce Barnes Replied
November 7, 2014 at 12:50 PM
There's no reason to introduce a paid add-on for two-factor authentication.
 
This code can easily be added to the login process to generate a single-use SMS response code, which is sent to the user's mobile device and which, upon a proper response by the user, allows the user's web-based login to proceed.
 
The addition of the new password settings, along with strong passwords, and the use of password brute force, along with SMTP harvesting, provide great tools to protect the logins from mobile devices and clients like Outlook.
 
There are three other ELECTIVE enhancements I would like to see, in addition to SMS, or 3rd party, two-factor authentication:
 
  • the ability to exclude all words in the dictionary [a US CERT recommendation for password compliance];
  • the complete exclusion of the username in any password.
    • Right now, if the username is john@domain.tld, and the user inserts john in the password, and require password does not match username is checked, the password will not be accepted.  As soon as another character, letter, or number, is added to the username, the password becomes a valid password, and;
  • the ability to exclude the use of the same character more than X times in a row.
The security of e-mail is of the highest importance.  E-mail is usually the primary key for all of a user's financial records, online tax filing, eBay, PayPal, FaceBook, LinkedIN, Microsoft, and almost every aspect of a user's login world.
 
If a user's e-mail account can be compromised, then the hacker who has gained access to that account can quickly change their password and attempt to hack their financial and social media accounts.
 
SUMMARY: add the following capabilities to the improved password management found in SmarterMail 13.X:
 
  • two-factor authentication, using SMS, via built-in code and SMS code transmittal, with the option of using other options and/or 3rd party add-ons;
  • completely exclude the use of the username or domain portion of a user's e-mail address from being used in the password;
  • the ability to exclude all words in the dictionary - it's far too easy to run dictionary attacks on passwords and takes only a few hours to run through an entire dictionary where a multi-pronged attack is mounted and the mail server is sitting on a fast circuit;
  • allow the ability to restrict the use of the same character X times in a row, IE: if the trigger is 3 in a row, then disallow the use of any character 3 times in a row in any password,
 
 
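The password rules Bruce lists (no username or domain fragment anywhere in the password, no dictionary word, no character repeated X times in a row, on top of length and character-class requirements) are straightforward to express as a single validator that reports every rule broken rather than stopping at the first. The block below is an added example, not SmarterMail's own password code; the disallowed-word set and the john@domain.tld account are constructed for illustration, and the leet-speak normalisation that catches P@ssw0rd goes slightly beyond the thread's literal checks.

```python
import re
from typing import List, Set

# Constructed stand-in for a "disallowed words" table; a deployment would load a
# full dictionary (and leaked-password lists) here.
DISALLOWED_WORDS: Set[str] = {"password", "letmein", "welcome", "qwerty", "monkey", "dragon"}

# Substitutions users make to sneak a dictionary word past a literal check.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def password_violations(password: str, username: str,
                        disallowed_words: Set[str] = DISALLOWED_WORDS,
                        min_length: int = 12, repeat_limit: int = 3,
                        min_token: int = 3) -> List[str]:
    """Return the list of rules the password breaks; an empty list means accepted.

    username is the full mailbox address, e.g. john@domain.tld; every alphanumeric
    run of at least min_token characters taken from it (john, domain, tld) is
    forbidden anywhere inside the password, not merely as the whole password."""
    violations: List[str] = []
    lowered = password.lower()
    normalized = lowered.translate(LEET)   # "p@ssw0rd" -> "password"

    if len(password) < min_length:
        violations.append("too_short")

    has_all_classes = (any(c.islower() for c in password)
                       and any(c.isupper() for c in password)
                       and any(c.isdigit() for c in password)
                       and any(not c.isalnum() for c in password))
    if not has_all_classes:
        violations.append("missing_class")

    # Username AND domain fragments; min_token=3 is an assumption and also bans
    # short TLDs such as "com", which some sites may consider too strict.
    tokens = {t for t in re.split(r"[^a-z0-9]+", username.lower()) if len(t) >= min_token}
    if any(t in lowered or t in normalized for t in tokens):
        violations.append("contains_username_or_domain")

    # Dictionary words are matched as substrings of the de-leeted password, so
    # "P@ssw0rd!2024xyz" is rejected even though it passes a literal lookup.
    if any(w in normalized for w in disallowed_words if len(w) >= 4):
        violations.append("contains_dictionary_word")

    # "(.)\1{2,}" when repeat_limit is 3: the same character three or more times in a row.
    if re.search(r"(.)\1{%d,}" % (repeat_limit - 1), password):
        violations.append("repeated_character")

    return violations


if __name__ == "__main__":
    for candidate in ("John1-Secure!Pass", "P@ssw0rd!2024xyz", "aaaBcdef12!@#x", "Correct-Horse-Battery-7"):
        print(candidate, "->", password_violations(candidate, "john@domain.tld") or "accepted")
```

"John1-Secure!Pass" is exactly the case Bruce raises: the current "password does not match username" check passes it because the username has an extra character appended, while the substring check above still rejects it.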
1
Joseph Rebis Replied
November 7, 2014 at 1:39 PM
Amen-- Bruce, all good ideas. This could be easily done with a little RegEx aside from the dictionary thing. I think Google Authenticator would be better than SMS but it would be nice if customers could choose either method.
1
Bruce Barnes Replied
November 7, 2014 at 6:12 PM
While the tendency in these threads is to use Google Authenticator, every site I have gone to which now allows two-factor authentication uses SMS.
 
Chase now enforces a 7 character SMS password before you can login from a new device; using a browser they don't recognize; or when you've cleared your browser's cache.  Because all of my browsers are set to clear both their history and cache every time I close them, I have to wait a second to receive the code and enter it to login to my Chase account.  It's a five-second code.  If you wait more than 5 seconds, or enter it wrong and take too long to re-enter it, you must request a new code.  They also give the option to receive the code via e-mail or via automated voice prompt, but only to verified telephone lines, already associated with your account.  If you don't have access to that data, you can still access your account by entering a full credit card number, expiration date, and one of your security questions.
 
Here's a great article, published in Huff Post Business, that boils the necessity for two-factor authentication down to laymen's terms: 

"Certain websites included in phishing emails successfully lure users up to 45 percent of the time, according to the study, which came out on Thursday. Once on the bogus pages -- which tend to imitate legitimate sites, like Google itself, in an effort to obtain people's private details -- 14 percent of people unwittingly submit their information to hackers. Researchers said the percentage of people who get tricked was "much higher" than they expected."

The report goes on to say: "Once a hacker is able to access someone's account, they spend an average of three minutes figuring out how much it's worth, and will apparently move on if the account doesn't seem valuable enough. According to the study, hackers use Gmail's own search function to figure out if an account is worth their time, looking for terms like "wire transfer" and "bank."
 
What happens next probably won't surprise you: The hacker tries to get money from an account's contact list. They send emails to the person's friends, family and colleagues with fake stories like "we were mugged last night in an alley" in the hopes of getting them to send cash.
 
Google's advice for staying safe? Enable two-step verification on your email account, and report any suspicious emails instead of responding to them. And if you suspect your account has been compromised -- maybe because you've belatedly realized that something seemed off about the website you visited, or because a friend has asked you about the weird email they just got from your address -- you should work as quickly as possible to regain control. Twenty percent of hackers access compromised accounts within 30 minutes of getting their credentials, the study says."
 
The complete Huff Post Business article is available at: http://www.huffingtonpost.com/2014/11/07/phishing-scams_n_6116988.html
 
The original Google report is available from Google's Online Security Blog at: 

http://googleonlinesecurity.blogspot.com/2014/11/behind-enemy-lines-in-our-war-against.html
 
2
Tim Johnston Replied
November 18, 2014 at 2:22 PM
Somewhat security related, it would also be nice to optionally enforce CAPTCHA on the web interface - I know it's of little defense against brute forcing via the other protocols, but it does generally defeat script kiddies brute forcing a forms based web page...Just a thought...

TJ
1
Paul Blank Replied
December 18, 2014 at 5:07 AM
Regarding email security: What google gives with one hand, it takes away with the other:  If you use gmail from a browser, there's currently a checkbox on the login screen that says "stay signed in" and is checked BY DEFAULT.  You must uncheck this before sign-in if you don't want the gmail login to be persistent.
 
This means that in most cases (because browser cookies are typically turned on), if you close the browser tab or browser without logging out of gmail, you will still be in gmail when gmail is launched again from the browser, even if the browser and computer are shut down and re-started. It's even possible that your activities are still tracked by google while the browser is open, even if gmail (or another google page) is not launched.  I have, on more than one occasion, allowed someone to use my computer, only to find, when opening gmail, that I have full (and un-desired!) access to their account.
 
Since many people use gmail as their default email client, this represents a potentially serious security breach. Without two-factor authentication, access to gmail gives a potential hacker the ability to change passwords for other accounts (but see the last para for a potential glitch, even with two-factor).
 
And the button to logout is buried inside at least one additional click. Unfortunately, this behavior is common for many other highly popular web portals, such as ebay, amazon, yahoo and facebook. They know that making it more difficult to log off allows them greater opportunity to track your online movement (Glad to say that SM's logout link is precisely where it belongs, at top-right of screen).
 
I am "pointing the finger" at google in this case because they claim to be at the forefront regarding Internet security. But that automatic "stay signed in" is pretty worrisome IMO.
 
Of course, if someone with bad intent gets a hold of your smartphone, and there's no PIN lock, and your email client(s) is/are wide open, AND you use SMS authentication for something, you might just be screwed.
 
There oughtta be a law.... 
 
2
Robert Emmett Replied
January 14, 2015 at 8:43 AM
Employee Post
I want to thank everyone for the discussion on two-factor authentication.  At this time, I am adding this to our features request list for further consideration by the dev. team.  We will discuss the various methods of two-factor authentication mentioned above.
Robert Emmett
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
1
Joseph Rebis Replied
January 25, 2015 at 10:38 AM
Two-factor would be great, but unless we can keep SM from logging people out all the time, people are not going to like having to type in the authentication code all the time- once, twice a day okay but many times won't be accepted.
0
Bruce Barnes Replied
January 25, 2015 at 1:23 PM
@Paul Blank:
 
While I understand your desire to have the ability for users, especially in offices, to NOT have to do double authentication, the HITECH portion of HIPAA now mandates that EVERY logout, whether elective or enforced for time-out reasons, must use the full authentication protocol for every login.
 
If the user has elected to lock their workstation, then a standard login can be used - with the second factor, to unlock the device.
 
However, if an EHR, or another program like SmarterMail, running under a locked screen on a user's computer or web-enabled device, has auto-logged the user out because of a time-out, this is a separate action from the computer, workstation, or terminal device, and is not covered under the security policy established for the overall network login.
 
Additionally, for all HITECH covered properties under HIPAA, we must now keep LOGS of all actions performed:
 
  • the logs must be kept in a, SEARCHABLE, READ ONLY format, accessible by only those named in HIPAA/HITECH/NETWORK document management policy and then ONLY by those persons who are either authorized employees, or outsourced employees who have a current, annually renewable, letter of agency on file - individually signed.  (As of March, 2014, every employee for every agency, colocation hosting group, support group, etc, must have an individually signed letter, whether they have access to the actual customer data or not.  If they are an employee, then they must sign a letter of agency with their employer, and a copy of that letter must be on file with the customer whose network they may have the potential to work on, whether remotely or on-site.)
     
  • who logged in, at what device, using what username, on what date, and at what time, including minute and second.  We must also know what programs or documents, covered under HIPAA they looked at (even if they just opened and closed them); if they modified them; if they printed them; if they converted them to a PDF; and if they e-mailed or shared them - via any other manner, and to WHOM they were shared.  If they were printed, we must log what printer was used.  Those logs must also include the DATE and TIME.
     
  • when accessing data within any EHR (electronic healthcare record) system, the logged in individual's action, must also record, within the EHR system, the following data:
     
    • the username, login, and IP address(es), along with the date and time, of the workstation from which they are logged in; 
    • the FQDN, from ACTIVE DIRECTORY, of the network to which they are attached; the username, date and time of the login to the EHR software; a complete record of every screen accessed by the user who is logged into the EHR system, while within the EHR system;
    • the patient record number/name of every patient looked up within the EHR system, while logged in;
    • what patient record screens are looked at; what data is accessed, modified, changed, or otherwise accessed, along with date and timestamps;
    • a record of any data added, changed, modified, exported (including file name and path), with date and time;
    • a log of any data e-mailed to a co-worker, another medical facility, doctor, hospital, patient, etc, including date and timestamp, along with the SMTP server used, a record of the software type, whether built-into the EHR system or via an external SMTP service or program;
    • and a record of the date and time of the logout from the EHR system.

       
  •  in the case of SmarterMail, we must require extremely strong passwords, setting a minimum length of 12 characters.  We require upper and lower case letters, numbers, and special characters.  We do not allow the inclusion of any portion of the username, or the domain name, and are taking advantage of the new "disallowed words" table to augment some of that information so the user can automatically change their passwords.   NOTE:  We have filed a letter of opinion to the forced password change table, presenting the fact that the use of a strong password, or passphrase, which is extremely secure, and easily remembered by the user, is much more secure than shorter passwords which must be changed every 30 to 45 days, and causing distress for both end-users and support desk personnel.
     
  • We must archive all of the IIS logs, associated with any web, REMOTE DESKTOP EHR access, remote server maintenance access, SmarterMail web access.
     
  • We must archive all POP, IMAP, SMTP CALDAV/WEBDAV, and ActiveSync logs.
     
  • All of the above referenced logs, whether network, EHR software, or SmarterMail, must be ARCHIVED for a period of 60 months.
     
  • We have disabled all PLAIN TEXT logins, enabling TLS only security - enforcing TLS, point-to-point security through SmarterMail connections.
     
  • If we receive a LEGAL or INSURANCE inquiry, we must STOP THE ARCHIVE CLOCK on all of the LOGS for the patient's medical records which were accessed by any of the following:
     
    • employees,
    • medical providers,
    • imaging department;
    • billing department;
    • IT support department,
    • any outside consulting group,
    • all management and accounting staff,
    • anyone within the general office staff, whether they have access to the EHR system or not;
    • anyone else who may have accessed the network, EHR, SmarterMail system, or any other portion of the data stored on the network;

       
  • The STOPPED LOG CLOCK, initially based on the initial END DATE of the archive of all of the data: network, e-mail, EHR, document, or any other aspect of that data, must remain stopped and locked, until there is an outstanding resolution on the inquiry received. 
     
  • In the case of a legal inquiry, this means that the STOPPED CLOCK remains frozen until all inquiries, court cases, discoveries, verdicts, settlements, agreements, or appeals, and associated appeals actions, have been completely settled, at which time the RETENTION CLOCK starts all over at ZERO, and the LOG records must be retained for another 60 months for all documents associated with the inquiry. 
 
I only bring up this incredible detail because Paul Blank, myself, and several others, both within this post, and via other posts, have all related that e-mail, network, and other security, is not a simple issue.
 
The HITECH portion of HIPAA has, for the last 7 years (or more), mandated that IN SERVICE EDUCATION and TRAINING for NETWORK, EHR, E-MAIL, and general Web and Internet security be conducted at least once a year. 
 
The HITECH portion of HIPAA has also mandated that an ACCEPTABLE USE POLICY, for Internet, Network E-Mail, and EHR, be developed, and regularly kept up to date.  Prior to a couple of years ago, this was not required to be part of the IN SERVICE / EDUCATION program with the healthcare organization.
 
Prior to December, 2014, conducting regular IN SERVICES / EDUCATION was not always a normal procedure in most environments.
 
OCR, the Federal Agency which regularly conducts Meaningful Use audits, has now notified all healthcare agencies that they would no longer be allowed to skate on security procedures or regular educational in services for all medical personnel, and would begin to take serious actions against any healthcare group, hospital or agency who was not in complete compliance. 
 
They made a couple of examples, and have begun, in earnest, to become more aggressive, in their meaningful use and HITECH audits during the last few weeks.
 
If we are going to provide e-mail services, via SmarterMail, to any of those agencies, or groups, from the smallest Doctor's office or neighborhood not-for-profit healthcare group, to the largest hospital or research university, then we need to work with SmarterTools to ensure the preparedness of the SmarterTools family of products via shared communications and ideas.
1
Colin M Replied
February 24, 2015 at 10:53 AM
+1, 2FA is the way of the future and email is definitely important enough to make this a requirement for a lot of companies. I wouldn't be surprised to see this become a PCI requirement in the coming years. Unfortunately there is no support in email clients for IMAP/POP/SMTP so these should use "Application-Specific Passwords" like Google does it.
 
As far as Google Auth vs SMS vs email-to-SMS gateways I would suggest Google Auth *and* SMS via Twilio be supported. This way a free/simple solution is included out of the box and for users that want SMS they can sign up for Twilio and enter an API key.
1
jorge.mx.neto Replied
July 22, 2015 at 1:31 PM
Add one more vote for the Two Factor Authentication.
1
Scarab Replied
July 22, 2015 at 2:18 PM
As with other similar threads, I support this idea 100%...with one caveat:
 
Two-Factor Authentication must be a per-User opt-in (check box to enable in the General Settings for each user).
 
As odd as it may sound, not everyone has a smartphone and not everyone wants one...and even those that have one may not necessarily want to use 2FA as much as we Admins may want them to. It has to be an available security option, not a mandatory one. 
1
Bruce Barnes Replied
July 22, 2015 at 6:52 PM
Scarab: two-factor authentication also needs to be able to be mandatory for an entire domain, depending on contractual requirements and applicable security regulations. I have several healthcare and legal organizations who would love to implement this on a domain-wide basis.
0
Howell Dell Replied
August 1, 2015 at 5:34 PM
+1 for 2FA!
+1 for Google Auth 2FA Support with on screen QR Code Scanning by APP!
+1 for per machine passwords like Google!
+1 for eMailed one-time-passwords instead of Google Auth!
+1 for Twilio for Voice and SMS notifications!
 
Twilio is low cost but NOT free! SmarterMail should be able to get lower prices as they could aggregate the billing to save us end users money and for SmarterMail to make a reasonable profit! In addition, we would need counters to track Twilio notifications by type by user so that anyone can choose how to charge the end customer for this add-on service!
 
On the issue of 2FA settings for per user or per domain; SmarterMail already has this one solved in the UI! Like many options the SmarterMail Admin decides on the global settings to allow 2FA or Not by adding it to the feature list of a domain! This feature can be globally on or off!
 
Then the Domain Admin, just like the feature folder-auto-clean, the Domain Admin can opt out if allowed by the SmarterMail Admin and then decide which users get 2FA or not! You would have some of the opt in/out settings in the Domain Edit panel with a tab called 2FA?
 
Reuse the SmarterMail paradigm we already have in place!
 
In this way we provide for both Bruce's and Colin's requirements -- SmarterMail Domains are NOT a one size fits all!
 
 
1
Howell Dell Replied
December 15, 2015 at 10:50 AM
Amazon recently added support for Google-style 2FA using Google Authenticator or your favorite TOTP/HOTP auth app like Yubico or Authy. Any ideas when this comes to SmarterTools? Don't forget we need machine passwords to be assigned to devices with long passwords that have 80 bit strength or about 20 characters (see www.wikipedia.org/wiki/Password_strength for details).
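Colin's point about IMAP/POP/SMTP clients (they cannot prompt for a second factor, so each device gets its own application-specific password) and Howell's 80-bit strength target combine into the example below. It is an added example, not SmarterTools code: the protocol labels, the PBKDF2 parameters and the per-device labels are assumptions. It works out how many characters a given alphabet needs to reach 80 bits, generates the password with a CSPRNG, stores only a salted slow hash, scopes it to the mail protocols, and lets a single lost device be revoked without touching the user's real password.

```python
import hashlib
import hmac
import math
import secrets
import string
from dataclasses import dataclass, field
from typing import List, Optional

# Lowercase letters and digits: 36 symbols, ~5.17 bits each, easy to type into a phone.
ALPHABET = string.ascii_lowercase + string.digits
PBKDF2_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumed; OWASP-level)
# Protocols that may use an app password. Assumed labels, not SmarterMail's own.
MAIL_PROTOCOLS = {"imap", "pop3", "smtp", "activesync"}


def chars_for_entropy(min_bits: int, alphabet: str = ALPHABET) -> int:
    """Smallest length whose keyspace (log2(len(alphabet)) bits per symbol) reaches min_bits."""
    return math.ceil(min_bits / math.log2(len(alphabet)))


def generate_app_password(min_bits: int = 80, alphabet: str = ALPHABET) -> str:
    """Uniformly random password with at least min_bits of entropy (secrets, never random)."""
    return "".join(secrets.choice(alphabet) for _ in range(chars_for_entropy(min_bits, alphabet)))


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class AppPassword:
    label: str          # e.g. "Outlook on office PC": one per device so revocation is targeted
    salt: bytes
    digest: bytes
    revoked: bool = False


@dataclass
class UserAppPasswords:
    """Per-user store. Only the salted digest is kept; the clear text is shown once, at issue time."""
    records: List[AppPassword] = field(default_factory=list)

    def issue(self, label: str) -> str:
        password = generate_app_password()
        salt = secrets.token_bytes(16)
        self.records.append(AppPassword(label, salt, _derive(password, salt)))
        return password

    def revoke(self, label: str) -> None:
        for rec in self.records:
            if rec.label == label:
                rec.revoked = True

    def authenticate(self, candidate: str, protocol: str) -> Optional[str]:
        """Return the label of the matching, non-revoked app password, or None.
        Webmail is refused outright: the primary password plus second factor applies there."""
        if protocol not in MAIL_PROTOCOLS:
            return None
        match = None
        for rec in self.records:
            if rec.revoked:
                continue
            if hmac.compare_digest(_derive(candidate, rec.salt), rec.digest):
                match = rec.label   # keep going so timing does not reveal which record matched
        return match


if __name__ == "__main__":
    store = UserAppPasswords()
    shown_once = store.issue("outlook-office")   # assumed device label
    print(len(shown_once), "chars ->", store.authenticate(shown_once, "imap"))
    store.revoke("outlook-office")
    print(store.authenticate(shown_once, "imap"))  # None after revocation
```

With 26 lowercase letters alone, 16 characters give about 75 bits and 18 are needed to clear 80; adding digits brings 80 bits within 16 characters, which is why the generator sizes the string from the alphabet rather than from a fixed length.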
1
Adrian Correia Replied
December 16, 2015 at 4:30 AM
Add one more vote for the Two Factor Authentication.
0
Thomas Odermatt Replied
March 29, 2016 at 8:35 AM
Integration with https://duo.com/
1
Davin Smyth Replied
June 21, 2016 at 9:10 AM
+1 for 2-factor authentication/verification - would love to use our yubico's with smartermail or google authenticator application
Smarter Mail v13.3
1
Howell Dell Replied
June 21, 2016 at 10:41 AM
+1 for 2-factor authentication/verification - would like to use Google Authenticator with SmarterMail!
0
Mostafa Arabameri Replied
November 18, 2016 at 10:14 PM
hi everyone 
It's simple to make an option for two factor authentication and give it to the end user; if they want to use it, they just enable it in settings. Today it's simple to activate this option on any software (any platform): just search "Google Authenticator". No need for SMS or anything more, just a mobile app and you're finished.
 
1
Andrea Rogers Replied
January 20 at 3:04 PM
Employee Post
Hi everyone,
 
Thank you all for your feedback on this thread! We appreciate you taking the time to provide your input and thoughts on this functionality. We've had many discussions -- both internally and here in the Community -- about security improvements that can be made within the product, and I'm happy to report that 2-Factor Authentication is planned for a future version of SmarterMail! 
 
Though I don't yet have details regarding when this will be implemented or the type of authentication we'll use, I wanted to make it known that this WILL be coming to SmarterMail, along with many other security improvements and fixes. 
 
Thank you again for your participation, and stay tuned! 
Andrea Rogers
Communications Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
