Setting Up Two-Step Authentication (2FA, MFA, etc.)

SmarterMail > Desktop and Mobile Synchronization
SmarterMail offers users the ability to utilize Two-Step Authentication — also known as two factor authentication (2FA), multi-factor authentication (MFA), and others — as an added layer of security for their log ins. This feature may or may not be enabled by default for a domain by the system administrator. If it is NOT enabled by default by the system administrator, users can self-manage their Two-Step enrollment. However, domain administrators can force the use of Two-Step for all users of the domain. Then, users will need to set it up by logging in to their accounts via webmail. 

Put simply, Two-Step Authentication sits beside the standard username/password login that most users are familiar with. When the user logs into their account they’re asked for a secondary method of authentication by entering a code either sent to their recovery email address or one generated using an authentication app, such as Google Authenticator. 

User Settings for Two-Step Authentication
Users have the ability to self-manage their Two-Step Authentication as long as it's not being enforced at the domain level. Setting it up is very simple:
  1. First, log in to your account via webmail.
  2. Next, go to Settings > Account.
  3. Look for the Two-Step Authentication card. 
  4. Click Enable. When you do so, the following modal window opens and presents your options: Authenticator App or Recovery Email Address.
  5. Select the option you want to use. (For Authenticator App, virtually any app can be used, including Google Authenticator, Authy, Microsoft Authenticator, etc.)
  6. Regardless of method, you'll want to add in a Recovery Address
  7. Click the Next button.
  8. If you selected Authenticator App, you'll open that app and scan the QR Code that's presented, then finish up the set up process. If you selected Recovery Email Address, an email is sent to that address for verification. (NOTE: That email is sent from the SmarterMail System, so be sure to check any Junk/Spam folders if you don't see the email in your Inbox.)
  9. Once you've completed the steps above, you'll see a new card in your Account settings. This card shows you that Two-Step is enabled for your account, and provides you with app passwords that can be used when setting up your account in a mobile or desktop client (see below). Simply click on the eye icon to display the password(s).

Forcing Two-Step Authentication for Domain Administrators
Domain administrators can enable Two-Step Authentication for users very easily by “forcing” the use of Two-Step Authentication. However, it must be noted that forcing the use of Two-Step means it affects all users of the domain. If a domain administrator wants to allow individual users to manage their own Two-Step enrollment, they will be able to as long as it’s not “forced” on all users. To force the use of Two-Step Authentication on all users of the domain, do the following:
  1. Log in as a domain administrator.
  2. Click on Settings and select Domain Settings from the dropdown.
  3. Select General from the left menu.
  4. On the User Options card, enable Force two-step authentication
  5. Be sure to Save the changes.
Once this is enabled, each user will need to log in to webmail and set up Two-Step Authentication for their accounts. This entails ensuring there’s a recovery email address associated to their account — ideally, an address NOT associated to the domain they’re logging into — and then choosing whether to authenticate using that recovery address or an authentication app. They can then step through the authentication process using the method they’ve chosen.

Two-Step Authentication and Email Clients
Once Two-Step Authentication is set up for a user, they will need to re-log in to any email clients they’re using. SmarterMail generates “application passwords” for any user that has Two-Step enabled, and it will generate strong passwords for various protocols. For example, strong passwords are created for use with clients that support IMAP/POP/SMTP, MAPI & EWS, WebDAV, LDAP, and XMPP (chat). These passwords can be used for various clients and do not need to be changed. (However, they can be “refreshed” to generate a new password, if needed.) This means that the same MAPI & EWS app password, for example, can be used for both Microsoft Outlook and eM Client, our Outlook for Windows and Outlook for Mac. 
 
 
Article ID: 3625, , Modified: 9/17/2025 at 9:31 AM

Feedback

how to disable 2fa for all users?
randy bell (3/27/2024 at 8:30 PM)
Hi, Randy

The domain administrator can disable it, simply reversing the steps in "Enabling Two-Step Authentication". However, if the system administrator has forced it and does not allow domain administrators to change that, then you'd need to talk to the system administrator.
Derek Curtis (3/28/2024 at 8:06 AM)

Was this article helpful?

Share this article
Bluesky
Facebook
Threads
X / Twitter
Other Social Networks
Print