2
We need SMS for 2FA Please make this happen If super important in the auto industry
Idea shared by Marc Frega - 9/8/2022 at 6:21 PM
Proposed

all my clients are requesting we have SMS text 2fa.


SMS 2FA is a type of authentication often used next to the standard password during Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA). SMS 2FA involves sending a short one-time password (OTP) to the user via text message.
This is a super important feature that my clients are requesting for familiarity and ease of use. 
Insurance and safe harbor laws and trade commission laws are forcing compliance in several industries using the safe harbor peices of legislation.
I have a large install underway and about 1500 users begging me to make this happen.
What does everyone else do about this. Shouldnt 2fa via text be doable?   is this what others want?

17 Replies

Reply to Thread
1
Most cell phone number texting can be reached via email using <phonenumber>@<carrierdomain>.   One of SmarterMail's options for 2FA is to use the recovery email address.   It seems like this should suffice.

Alternatives for the long haul
DUO and WikidSystems are two products that offload the 2FA function, for a monthly cost per user.  DUO is probably the industry leader because it supports an abundance of 2FA communication methods (cell phone app, phone call, text message, maybe more.)     These solutions would require SmarterMail to be able to call a RADIUS (or TACACS+) server for authentication, instead of just Active Directory.  Because many organizations and users will want to minimize the number of 2FA solutions that users must learn and configure, integrating via RADIUS is probably a better approach than building their own implementation.

0
It would be a nightmare from an administrative side to do the carrier text option.

im talking just being able to text a code to someone. its gotta be doable. I use hundreds of products that do it.  How is no one else needing this?
1
You underestimate the infrastructure required.   You need an SMS gateway vendor, and an SMS submission software product.   We use ActiveXperts SMS Messaging (https://www.activexperts.com/sms-server/) for the product and CDyne (https://cdyne.com/) for our gateway vendor.   

SmarterMail is not a cloud product, so the cost of these components will fall on you.    Are you willing to absorb these costs, and does SmarterMail have enough clients willing to buy a compatible infrastructure for this to be a viable solution?   I am doubtful.

In the short term, your available solution is email-to-SMS.   I don't see the horrid complexity of this approach, but no need to argue.   The long-term solution remains RADIUS and DUO, because that is probably what your auto industry clients are using for their other 2FA implementations.
1
ST could just let the community work for them. Make the 2FA system extensible. Let the devs out here write their own 2fa plugins. We use SMS 2fa on other systems that we’ve custom developed for using RingCentral. They handle everything for us, we simply send the required API request.
0
Your topic motivated me to document some design issues related to 2FA, which I have provided in a separate post.
1
Tim Uzzanti Replied
Employee Post
We could provide it, but It would need to use a third party service that you would need to subscribe to which had the ability for SMS approvals.  Would you pay for a such a service?  If so, which one?
Tim Uzzanti
CEO
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Twilio
2
Tim Uzzanti Replied
Employee Post
Although they just laid off 11% of their workforce today!
Tim Uzzanti
CEO
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Twilio is nice, we use RingCentral (as they also do our phone services) for our billing/control panel systems SMS-based 2FA.
1
If you integrate with the top 5 I think we will have a win.
1
Tim. I would need more information on the cost benefit. Right now my clients are just considering Gmail instead. Right now there is no option regardless of cost so they must consider others.
0
From Tim's response, I wouldn't rely on this to be developed anytime soon. 

Why they don't put it at the top of their list is baffling to me. 

Any software (that takes security seriously) offers 2FA with SMS or Authentication App.

Ron
0
Tim Uzzanti Replied
Employee Post
Any customer who wants to be treated seriously would post differently.  Especially after the CEO asks for information.
Tim Uzzanti
CEO
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Alas, 2FA is becoming / has become a necessity for many. Everyone's a target these days. Nobody loves it but the risks grow daily, so the writing's on the wall.

My clients are doing without for now, but it's just a matter of time. And FYI these comments are not aimed specifically at ST.

As an admin, I use it wherever I can. 

So... just sayin' 
0
Paul, I had responded to several other 2FA threads I found. That is what Tim was responding to.

Please add SMS 2FA to SmarterMail as we need this for public safety, including firefighters, EMTs, and police officers.

We need this to keep our first responders protected. 

Ron
1
Keep in mind that we already have two different options for 2FA, and email-to-SMS provides a supplement to the second option.

My suggestions for product development:
Differentials based on internal or external connections.   Internal could be detected based on private IP or explicitly specified IP range(s).
- Option 1:  Allow domain admin to specify that 2FA is not required for internal connections.
- Option 2:  Independently specify Webmail, EAS, EWS, and MAPI are allowed from external connections.

To support additional 2FA technologies, the most important feature is to implement a RADIUS client.   I think you will find most 2FA products support that connection method.   Microsoft NPS implements a RADIUS server which provides an option for testing.

TACACS+ is reportedly more secure, but seems less widely used.    Supporting it would be desirable.

LDAP is a third option, but seems least commonly used for 2FA

WIKIDSYSTEMS.COM has detailed step-by-step instructions for configuring there 2FA solution with many products.   It is a good example of what good documentation can be like, and it will simplify efforts to integrate with them.

DUO.COM is another product that I have mentioned and admire.

I believe both Wikidsystems.com and Duo.com have limited-use free versions that will allow developers to perform integration testing without laying out cash to the vendor.

I have no experience with Twilio.  Perhaps an existng user can confirm whether they use RADIUS, TACACS+, LDAP, or something else.

0
BTW I maintain domain names for myself and my clients on enom.com. They have pseudo-3FA on browser access:

Login + Authenticator + 2 challenge questions (counts as ~1F)

Besides that enom had a major systems meltdown when upgrading their servers many months ago, they've been very good since. Indeed, their service has even improved.

Reply to Thread