8
Multi-Factor Authentication (MFA) for MAPI, EAS, IMAP and POP3
Idea shared by Oliver - 5/30/2025 at 3:57 PM
Under Consideration
Hello,

Are there any plans to integrate Multi-Factor Authentication (MFA) into SmarterMail for MAPI, ActiveSync, IMAP and POP3?
I think it is very important to have this security measure in a modern email system. Guidelines such as DORA and NIS2 already require this, and more will surely follow.

Best regards,
Oliver
0
Yet another example of the importance of 2FA, even for MAPI, EWS, ActiveSync, IMAP, and POP3 protocols.

Suspected InfoStealer Malware Data Breach Exposed 184 Million Logins and Passwords
0
It's a shame that ST doesn't seem to be interested in this topic, as there hasn't even been any feedback yet.

This is yet another reason why I have to recommend MS365 to some customers.
2
Zach Sylvester Replied
Employee Post
Hi Oliver,

Thank you for highlighting the importance of MFA for MAPI, ActiveSync, IMAP and POP3, especially given DORA and NIS2 requirements. Your feedback is valued and is under review as we assess our authentication options.

Kind regards,
Zach Sylvester Software Developer SmarterTools Inc. www.smartertools.com
0
This has become an issue for me. I am installing new computers with Windows 11 24H2 and Office 2019 and 2021 versions and none will create a new Outlook classic MAPI account. I ended up having to install Windows 11 23H2 and it worked straight away.
0
We're currently complying with the NIS2 standard (the ACN, the Italian National Cybersecurity Agency, has named us to the list of obligated entities...), and this is a problem for us: we need MFA, otherwise we'll no longer be able to use SM because MFA (or something comparable) is a strict requirement...

And many of our customers have the same problem...
Gabriele Maoret - Head of SysAdmins and CISO at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
1
MFA is easy to circumvent.

I worked as ONE for 11 years and recently had a workshop session with aspiring cyber cadets in the Danish armed forces. It took me 9 minutes and 36 seconds to gain full admin access to a random O365 account despite it using 2FA.

You need to design a solution that makes things secure without wasting people's time. It's a cost for the companies.
:)
0
Brian, you're right...
But, unfortunately, despite this, MFA is still a requirement for NIS2 compliance (or at least a comparable authentication system is needed)...

I know I can enable it on Webmail, but what if the customer wants to use MS Outlook? That will lead to losing customers to MS365...

I know I can add an additional security system (for example, we use Fortinet ZTNA...), but not all customers want to do that...
Gabriele Maoret - Head of SysAdmins and CISO at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
0
You can design a solution using obfuscation as MFA. Not going into details on a forum but users will end up in that exact place because they are allowed to be there... nowhere else.

And as 3rd level validation use SMS Passcode. Simple yet easy and cheap.
0
Users need to be able to read their emails wherever they are in the world... We can't restrict their global travel.

This is not a suitable solution.

Furthermore, obfuscation is NOT a security solution that can be used as an alternative to MFA.
We've already discussed this with the ACN (in Italy), and the response is that it's absolutely not compliant with NIS2...

SMS passcodes are a good idea (although SMS is actually very vulnerable to man-in-the-middle attacks and similar), but...
How can this be applied to the MS Outlook connection to SmarterMail?
I don't see anything that can do this at the moment...


Gabriele Maoret - Head of SysAdmins and CISO at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
0
Do you have a link to NIS2 where it states that you need 2FA for mail alone?

They have directives for Windows logon, RDP and VPN. I can't find anything related to mail.
0
The general NIS2 does not specifically state that EMAILS are required to use MFA, but it specifically strengthens the minimum security measures (Article 21) and calls for multi-factor authentication (MFA) as an essential requirement for organizations in critical sectors (Section 2(j)).

However, ACN Italy and the Italian Data Protection Authority ("Garante Privacy") have issued clarification circulars for the Italian adoption of NIS2, specifying that it is "strongly recommended" (practically almost mandatory...) to use MFA when accessing corporate data for all entities identified by ACN Italy as required to comply with NIS2, including for email access (they have clearly specified this...).

As I mentioned before, it is possible to use additional authentication layers (for example, we use Fortinet, but there are others) that can mitigate this requirement.

However, the problem arises for all those customers who DON'T have and DON'T want to use additional third-party layers and who will compare SmarterMail with MS 365:
MS 365 has MFA integrated with MS Outlook, while SmarterMail does not.

The problem, simply put and at least in Italy, is this.
Gabriele Maoret - Head of SysAdmins and CISO at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
0
Are we talking about the same here??

Is it your Office 365 account that requires it or Outlook only? Because it's the account at 365 and not Outlook that has it.

And the app used for mobile email running SmarterMail can easily be set up using a password every time you open it.
0
Multi-factor authentication is mandatory under NIS2 (current status, as it has not yet been implemented in Germany) and GDPR, at least in Germany.

German draft of NIS2 dated July 25, 2025
Chapter 2 Risk management, reporting, registration, verification, and notification obligations

§30
Risk management measures for particularly important facilities and important facilities

(2) Measures pursuant to paragraph 1 shall comply with the state of the art, take into account the relevant European and international standards, and be based on a cross-hazard approach. The measures must include at least the following:
10. Use of multi-factor authentication or continuous authentication solutions, secure voice, video, and text communication, and, where appropriate, secure emergency communication systems within the facility.

Compliance with the requirements of the GDPR
The GDPR itself does not directly stipulate that multi-factor authentication must be used. However, Article 32(1) GDPR stipulates that a controller must implement appropriate and state-of-the-art technical and organizational measures to help protect the rights and freedoms of natural persons.

Multi-factor authentication (MFA) is an important part of DORA compliance for financial institutions in the EU. DORA, the Digital Operational Resilience Act, requires financial companies to use strong authentication to increase digital resilience and minimize cyber risks.

Whether MFA makes sense is another matter. It is now required. And the typical argument is: But it works with MS365!

I also know that this is required during audits for customers who are subject to financial market supervision in Austria, Germany, or Switzerland.
0
@Brian:

OUTLOOK.COM isn't MS 365.
They are two completely different things.

With MS365 professional accounts, MFA is integrated and WORKS with MS Outlook 365 (and 2019-2021-2024) and MS Outlook Mobile.

You absolutely don't need to create any app password for this.

It's integrated. And it works right away.

And this meets the requirements for NIS2. We already have a lot of customers that use it.

I'd like SmarterMail to have this kind of integration, so I could offer it to customers who have this need (which are increasing every day...)
Gabriele Maoret - Head of SysAdmins and CISO at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
0
@Oliver:

I completely agree with you, the situation here in Italy is similar.

Gabriele Maoret - Head of SysAdmins and CISO at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
0
I am not sure I am understanding the supposed requirement.

Email client A installed on USERA laptopA is currently connected to Wi-Fi at CoffeeShopB located in Paris, France and needs to connect to a corporate server located in Los Angeles, CA, USA. The email client account is configured as an IMAP account and is configured to check for new emails every 10 minutes.

So are you saying that NIS2 will require a 2FA process every 10 minutes, and upon every email sent, and upon every folder sync, as those are each individual limited-time TCP/IP sessions between the email client and the email server?
1
"So are you saying that NIS2 will require a 2FA process every 10 minutes, and upon every email sent, and upon ever folder sync, as those are each individual limited time TCP/IP sessions between the email client and the email server?"

MFA doesn't need to be triggered on every connection; it just needs to be required by the protocol used.

In theory, if you made the first connection using MFA, it might not prompt you again as long as the stored credentials (or token) are still valid.

For example, it might prompt you because the token has expired, or because your security posture has changed (for example, in your case, the location from which you're connecting has changed).

The fact is that NIS2, in theory and as it was received in Italy and as recommended by the Italian Data Protection Authority ("Garante Privacy"), could require you to use a protocol that supports MFA in order to be compliant...

The interesting thing is that they don't say HOW it should work... Just that it should be supported AND active.
Gabriele Maoret - Head of SysAdmins and CISO at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
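The session model described in the post above (MFA completed once, later connections reusing a stored token until it expires or the connection's posture changes) can be made concrete. The following is an added example written for this thread, not code from SmarterMail or from any poster: a server-side token issued only after a successful MFA step, HMAC-signed, time-limited, and bound to the client IP seen at issuance. A later protocol connection (the IMAP poll every 10 minutes from the earlier post) presents the token and the server decides whether to accept it or to require MFA again. The key, TTL, user names and IP addresses are constructed for the demonstration; real deployments use an OAuth 2.0 bearer token carried over SASL XOAUTH2 rather than a hand-rolled format, but the decision logic is the same.

```python
"""Added example: MFA-once, token-thereafter session policy for a mail protocol."""
import base64
import hashlib
import hmac
import json

# Constructed demo values: a real server keeps the key in an HSM/secret store.
SERVER_KEY = b"constructed-demo-key-do-not-use"
TOKEN_TTL = 8 * 3600  # seconds a token stays valid after MFA (assumption)


def issue_token(user, mfa_verified, client_ip, now, key=SERVER_KEY, ttl=TOKEN_TTL):
    """Mint a signed token after a successful MFA step; refuse otherwise."""
    if not mfa_verified:
        raise PermissionError("MFA must succeed before a token is issued")
    payload = {"sub": user, "iat": now, "exp": now + ttl, "ip": client_ip}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()
    ).rstrip(b"=").decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def check_token(token, client_ip, now, key=SERVER_KEY):
    """Return (decision, payload).

    decision is 'ok' when the connection may proceed without a new MFA prompt,
    otherwise the reason the client must re-authenticate:
    'invalid' (bad signature or format), 'expired', or 'posture_changed'
    (the token was issued to a different client address).
    """
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return "invalid", None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return "invalid", None
    padded = body + "=" * (-len(body) % 4)
    payload = json.loads(base64.urlsafe_b64decode(padded))
    if now >= payload["exp"]:
        return "expired", payload
    if payload["ip"] != client_ip:
        return "posture_changed", payload
    return "ok", payload


def simulate_polling(token, connections):
    """Run a sequence of (time, client_ip) protocol connections against a token
    and return the server's decision for each one."""
    return [check_token(token, ip, t)[0] for t, ip in connections]


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token("alice", True, "203.0.113.10", t0)
    # Ten-minute IMAP polls from the same address, then a jump to another
    # network, then a poll after the TTL has elapsed.
    plan = [(t0 + 600 * i, "203.0.113.10") for i in range(1, 4)]
    plan += [(t0 + 2400, "198.51.100.7"), (t0 + TOKEN_TTL, "203.0.113.10")]
    for (t, ip), decision in zip(plan, simulate_polling(tok, plan)):
        print(f"t+{t - t0:>6}s from {ip:<14} -> {decision}")
```

The point the example makes is the one the post states: the protocol itself does not carry an MFA prompt on every connection; the MFA step happens once, and the server's token validation decides when a new prompt is needed (expiry, or a posture change such as a new source address).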
0
That is way beyond the scope and capabilities of email protocols such as IMAP and POP3 and SMTP. 

What would seem to work and be acceptable is that the corporate server is NOT PUBLICLY accessible. It can only be accessed through a VPN/SSL-VPN connection, which could be configured to require MFA.
1
Yeah, you are right!

But...

- We are mainly talking about the MAPI, EAS and EWS protocols.
IMAP and POP3 may be left behind.

- MS 365 already has it (without the need of a VPN), so some (many?) customers want it, or they will migrate...

- NIS2 doesn't care about the scope and capabilities of a protocol. It simply defines a requirement to be compliant. The fact is that some mail systems already are compliant (e.g. MS365... And maybe others?)

We are not speaking of what is right or not...
We are speaking of a law that sets requirements and a way to deal with competitors that already are compliant with that...
Gabriele Maoret - Head of SysAdmins and CISO at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
1
So if you use Outlook on a terminal server that has MFA then NIS2 compliance is ok.

Mobile devices have passwords and/or fingerprints. That should count as MFA. Otherwise you can password protect a specific email app and then you should be done as well.

IMHO, MFA on the individual protocols will be so annoying that it will piss the users off.

And in Denmark users are starting to migrate away from Office365 for the very same reasons. Compliance is non-existent on any SaaS platform according to GDPR and the European Data Advisory has reported that people should have a plan to get out.
0
Interesting read guys but my point was that I was trying to use Windows 11 24H2 and doing a fresh connection to MAPI in SmarterMail using Outlook 2019 and 2021 and because Windows 11 now seems to be enforcing MFA logins it would not let me authenticate the MAPI account; it kept me in the security popup asking for credentials. As soon as I used a computer with 23H2 it worked perfectly.
How do we get around the O/S enforcing it..?
1
@Brian:
I agree with you... But I have to fight with customers who want this so they can get the same MFA (2FA) security features they also have with MS Outlook + MS 365.
What else can I do?
...right now, the only solution I have is to also "sell" MS365 when they request it...

@Karl Jones:
this post started with the idea of integrating MFA (or 2FA) into SmarterMail MAPI, EAS, EWS and/or other protocols (for MS Outlook or other software, e.g. EM Client) to be DORA and NIS2 compliant out-of-the-box.
Your problem is collateral and, in my humble opinion, a little bit off topic...
Gabriele Maoret - Head of SysAdmins and CISO at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
0
@Gabriele
I think the request was to make SmarterMail MFA & 2FA compliant with MAPI, EWS and other relevant protocols while using MS Outlook and other clients, ostensibly for DORA & NIS2. My comment simply stated that if you have a client that is now going to be using Win11 24H2 then they CAN'T use SmarterMail because MS Outlook in Win11 24H2 will not allow the creation of a MAPI account.
Seeing as Win10 is EOL and MS is forcing limited-knowledge users into buying new computers or updating to Win11, I think it's very on topic and something SmarterTools support should be aware of, if they are not already, in the topic of MFA/2FA compliance whether for DORA, NIS2 or any other compliance..!!
0
@Karl:
I'm testing it on my own PC:

[screenshot not available]

It seems to be working very well to me...

What's your issue?

I think you should open a separate thread/ticket
for your issue. I don't think it's relevant to this thread...
Gabriele Maoret - Head of SysAdmins and CISO at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
0
To help you resolve your issue, I believe your problem lies with your MS Outlook configuration.

Try adding this registry entry and see if it helps (you can do it from the CMD command line):

reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\setup /t REG_DWORD /v DisableOffice365SimplifiedAccountCreation /d 1 /f

If this is not enough, add these too:

reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover /t REG_DWORD /v ExcludeExplicitO365Endpoint /d 1 /f

reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover /t REG_DWORD /v ExcludeHttpsRootDomain /d 1 /f

reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Preferences /t REG_DWORD /v ExcludeScpLookup /d 1 /f


If you need further assistance, don't hesitate to ask...

I'm available to connect remotely if you'd like...
Gabriele Maoret - Head of SysAdmins and CISO at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
0
@Karl again...

I have a question: are you, by any chance, trying to use the "NEW OUTLOOK" that's now offered free with the latest versions of Windows 11 (even without MS Office)?

If so, you should know that this free software is actually a replacement for the old "Windows Mail" and doesn't support MAPI or EWS. It's not a true MS Outlook, but just a "basic" program like "Windows Mail" was (well, actually it's even worse, since it's a web-app...).

The true MS Outlook (classic) that's considered for professional use is only the one included in the MS Office suites (2016, 2019, 2021, 2024, and 365), which is often referred to as "classic Outlook."


...I usually COMPLETELY REMOVE the "new Outlook" from PCs and leave only the "classic Outlook" to avoid creating doubts or confusion among customers...
Gabriele Maoret - Head of SysAdmins and CISO at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
1
@Gabriele
Thank you for your input. This is an in-house SmarterMail install on a Server 2012, soon to be migrated to a Linux VM. I do have the 3 entries that you suggested already on the user computers; the one I don't have is
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\setup /t REG_DWORD /v DisableOffice365SimplifiedAccountCreation /d 1 /f

I will spin up a Win11 VM and give that a try. Like you I remove all trace of the NEW Outlook (garbage) that is being automatically sent to users... I am using "Classic Outlook" 2019 and 2021 for new installs.

Since this recent install is the only Win11 24H2 I am using I have not come across this error before and as I mentioned earlier it did not occur when I used the same account on a Win11 23H2 computer. MS obviously doing something to further their agenda..!!!

Thank you again for pointing out a working install.
1
@Karl

These are additional registry entries that I use, but I don't know if they are related to your problem:

reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover /t REG_DWORD /v ExcludeLastKnownGoodURL /d 1 /f

reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Options\RSS /t REG_DWORD /v Disable /d 1 /f

reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Preferences /t REG_DWORD /v DisableTNEF /d 1 /f

And the latest (I only use _autodiscover._tcp ...):

reg add HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover /t REG_DWORD /v ExcludeHttpsAutoDiscoverDomain /d 1 /f

In any case, I'd like to tell you that I have hundreds of users (on dozens of different domains and 4-5 separate SmarterMail servers) with the latest, super-updated versions of Windows 11 and MS Outlook, and NONE of them are having problems with MAPI accounts.

So I really think the problem lies with your environment, not Windows 11...

Gabriele Maoret - Head of SysAdmins and CISO at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)