Setting Up Two-Step Authentication (2FA, MFA, etc.)

SmarterMail offers users the ability to utilize two-step authentication — also known as two factor authentication (2FA), multi-factor authentication (MFA), and others — as an added layer of security for their log ins. This feature may or may not be enabled by default for a domain by the system administrator, and if it is NOT enabled by default, domain administrators can enable it themselves. Then, users will need to set it up by logging in to their accounts via webmail. 

Put simply, Two-Step Authentication sits beside the standard username/password login that most users are familiar with. When the user logs into their account they’re asked for a secondary method of authentication by entering a code either sent to their recovery email address or one generated using an authentication app, such as Google Authenticator. 

Enabling Two-Step Authentication

Domain administrators can enable Two-Step Authentication for their users very easily. However, it must be noted that it affects all users of the domain: it can not be enabled on a user-by-user basis. To do this, do the following:
  1. Log in as a domain administrator.
  2. Click on Settings and select Domain Settings from the dropdown.
  3. Select General from the left menu.
  4. On the User Options card, enable Force two-step authentication
  5. Be sure to Save the changes.
Once this is enabled, each user will need to log in to webmail and set up Two-Step Authentication for their accounts. This entails ensuring there’s a recovery email address associated to their account — ideally, an address NOT associated to the domain they’re logging into — and then choosing whether to authenticate using that recovery address or an authentication app. They can then step through the authentication process using the method they’ve chosen.

Two-Step Authentication and Email Clients

Once Two-Step Authentication is set up for a user, they will need to re-log in to any email clients they’re using. SmarterMail generates “application passwords” for any user that has Two-Step enabled, and it will generate strong passwords for various protocols that are available. For example, strong passwords are created for use with EAS (mobile) clients, IMAP/POP/SMTP, MAPI & EWS, etc. These passwords can be used for various clients and do not need to be changed. (However, they can be “refreshed” and a new password is generated.) So, a customer can use the same MAPI & EWS strong password for both Microsoft Outlook and eM Client.