Back to Community Threads
2fa - Europe - nis2
Problem reported by Sabatino - 9/24/2025 at 3:21 AM
Submitted
2FA - Europe - NIS2
Let's get ready.
In Europe, the NIS2 regulation is in place, and as time goes by, the requirements will become increasingly stringent.
Specifically, I was analyzing how SM manages 2FA for accounts, and I have a few observations to make.

Correct: When 2FA is set up for an account, complex IMAP/SMTP passwords are generated by the system...

Incorrect: If the user changes the account password, the complex IMAP/SMTP passwords are not regenerated. The user would have to do it manually. I believe this is the wrong approach, because if I change the password for security reasons (possible compromise or password expiration time limit, if set), the passwords for IMAP/SMTP services must also change.

Furthermore, as is already the case with other services (European certified email - certified email with legal validity in Europe), passwords for services must have a mandatory expiration time, as they are not linked to 2FA. In fact, a user might not change the account password since 2FA is still in place, but passwords for IMAP/SMTP services etc. cannot have an indefinite validity.
Sabatino Traini
      Chief Information Officer
Genial s.r.l. 
Martinsicuro - Italy
D
Douglas Foster Replied
9/24/2025 at 8:29 AM
Wow.  That creates a problem:  how is the user informed that his password is about to expire and needs to be changed?    Seems like he finds out after things break.
Derek Curtis Replied
9/24/2025 at 9:10 AM
Employee Post
I've forwarded this to the devs. We'll take a look at how we can improve things on the Two-Step side to accommodate these needs. I'm interested in this discussion, though.
Derek Curtis
CCO
SmarterTools Inc.
Roger Replied
9/24/2025 at 2:14 PM
Douglas, this should be done with the automated administrative notification of password expiration.

I'm not sure whether it makes sense for the password to be generated automatically or whether the minimum requirements for complexity and length should be preset separately here in order to take this use case into account and still give the user the option to change the password.
Sabatino Replied
9/24/2025 at 6:17 PM
 
If the account password is changed, the service passwords must be regenerated, otherwise the password change is incomplete since clients log in with old credentials.
This is certain.

Then we can discuss whether to set separate expiration dates for service passwords, whether to send an administrative notification about the impending expiration, etc., but the first point is essential. Changing the password for an account must necessarily mean that to log in (in any way) I must use new credentials.
Sabatino Traini
      Chief Information Officer
Genial s.r.l. 
Martinsicuro - Italy
Back to Community Threads

Reply to Thread

Enter the verification text
Related Knowledge Base Articles
Setting Up Two-Factor Authentication (2FA, MFA, etc.)SmarterMail > Desktop and Mobile Synchronization
Key Feature and Version Milestones in SmarterMailSmarterMail
SmarterMail and OAuth 2.0SmarterMail > Server Configuration and Management
Virus Scanner Exceptions for SmarterMailSmarterMail > Troubleshooting
Set up SmarterMail as an IIS Site in IIS 8SmarterMail > Server Configuration and Management