Back to Community Threads
Two-step Authentication for Smartermail with Active Directory accounts
Idea shared by Team Email - 6/18/2024 at 11:54 AM
Under Consideration
T
I would like to request an estimate for enabling the two-step authentication functionality for accounts created in Active Directory in SmarterMail.

Currently, I noticed that this feature is only available for locally created accounts, which limits the application of this important layer of security to accounts managed through Active Directory.

Nowadays, two-step authentication is essential to ensure the security of corporate data and information. This additional security measure is not only a best practice, but also a requirement from our partners and customers, who demand the highest standards of protection when accessing services.

The implementation of this functionality is essential and urgent, as information security is an absolute priority for our company and our partners. Having the ability to use two-step authentication for all accounts, including those in Active Directory, is a crucial step in ensuring the integrity and reliability of access to SmarterMail.

Thank you for your attention and I look forward to positive feedback regarding the possibility of enabling this feature as soon as possible.

Thank you!
T
There are requests for this going back 3+ years.  Like the OP, we have multiple clients that are looking to replace on prem Exchange in the next year and they require 2FA (financial regulations) otherwise we can't deploy SmarterMail with AD accounts.

This shouldn't be hard at all and if you don't want to build it out use DUO for one touch, just give us 2FA for AD accounts.  We pay a premium for AD integration, it shouldn't be less safe.
J
Great request. I understand the importance of this security feature and the urgency you have expressed.g
Jereming Chen Replied
7/3/2024 at 7:21 AM
Employee Post
I understand the need for 2FA integration with AD from within SmarterMail itself. The feature is in our review list for our Product Management team to look over. There are some foundation steps taken towards implementing this feature properly and securely. 

We appreciate your feedback and helping us make our products better.
Jereming Chen
Internal Network/System Administrator
SmarterTools Inc.
I’ve also had a request from an nhs client for this. So no doubt I’ll be losing this customer as I can’t supply the required 2FA.
Ask them to use a 25+ cipher password then 2FA wont be an issue.

2FA were developed to secure very unsecure passwords.
T
@Brian,

Regulations mandate 2FA, regardless of password length or complexity.  It's not an option for many companies.

Let's make the product better and conformative to regulations instead of blaming the users.
Agreed. :)
Is the "Two-Step Authentication" the same as it generates third-party passwords to use?


That may be what they are after, I'll try this next week.
T
For sure this is a mandatory feature. I had many customers asking for it. 

Many companies use 2FA as a good practice and we are not able to support them currently as we integrate with AD. 

Would be very good if this feature be delivery soon. 
P
I fully support the request to enable two-step authentication for accounts created in Active Directory within SmarterMail. 

In today's cybersecurity landscape, implementing robust security measures like two-step authentication is paramount to safeguarding sensitive corporate data. Extending this functionality to Active Directory-managed accounts not only aligns with industry best practices but also meets the stringent security requirements of our partners and customers. 

This enhancement is crucial in bolstering the overall security posture of SmarterMail, ensuring that access remains secure and reliable across all user accounts. 
T
@Ron,

That's not incomplete at all.  That's the way it should be.  SMS based 2FA is insecure.  Our company is an MSSP and I worked for/spoke for Oracle at OpenWorld for many years about cybersecurity.

If your clients are having a hard time with app based 2FA then I suggest that they use a password manager like BitWarden which can save the 2FA/passkey in the app, DUO (push based) or by using a physical key like a Yubikey.
Matt Petty Replied
7/11/2024 at 1:13 PM
Employee Post
Biggest issue is clients. Without support for non-FAANG oauth its pretty tough to integrate any of this anywhere but the web client. We use app passwords to get around this but app passwords aren't really 2 factor. I've heard whispers from one of the large client companies that this might be in the pipeline which would be amazing. Being able to pop up a window and steer people through oauth, like what you would do right now with google/microsoft. 
Matt Petty
Senior Software Developer
SmarterTools Inc.
T
@Matt,

How I see this request is for the web client only.  For clients that require 2FA on EAS, IMAP etc we either do one of two things that seems to satisfy regulators for anyone who isn't using a XOAUTH2 provider.  We use app passwords, that the user doesn't know, and deploy via MDM or we force mobile clients to use Cisco AnyConnect and block access from external sources.

Both Google and MS have the ability to use app passwords with 2FA enabled.  This is basically the approach that SM has taken.  It would be nice to see a couple more security options in SM, such as a notification if a new synchronized device is added.  The ability to revoke the 2FA generated app passwords and the ability to freeze an account from any new synchronizations.  

I think the request in this thread is specifically addressing 2FA on the web client for domain accounts.
S
The development of a two-factor authentication (2FA) feature for SmarterMail accounts utilizing Active Directory is critically important. This enhancement is essential for bolstering security and is a pressing demand from our clients.

In today's digital landscape, 2FA is a fundamental security requirement. Many clients eagerly anticipate this feature to align with best practices for securing sensitive information and maintaining compliance with industry standards.

The absence of 2FA for accounts using Active Directory is a notable gap in our offerings. Addressing this need will enhance our product's security and demonstrate our commitment to meeting our customers' evolving security needs.

Prioritizing the development and implementation of this feature ensures clients have the tools they need to protect their data and maintain trust in our services.
Back to Community Threads

Reply to Thread

Enter the verification text
Related Knowledge Base Articles
Migrate SmarterMail to a Different ServerSmarterMail > Installation and Configuration
SmarterMail, LDAP, and Active DirectorySmarterMail > Server Configuration and Management
Random Active Directory (AD) LockoutsSmarterMail > Troubleshooting
Client Fails to Connect After an Active Directory Password ChangeSmarterMail > Desktop and Mobile Synchronization
How to Setup Microsoft 365 (Office) Accounts in SmarterTrack Using OAuthSmarterTrack > Installation and Configuration