Configuring a 2-Step Authentication Profile

Document created by user.oxriBaJeN4 Employee on Feb 22, 2016. Last modified by user.Yo2IBgvWqr on Apr 30, 2018.
Version 25

This guide describes how 2-Step Authentication, sometimes known as two factor authentication, can be configured for your users. Doing so adds an additional layer of security to prevent unauthorized access to Mimecast applications.

To configure 2-Step Authentication, you must first configure an authentication profile. This controls the authentication required to access the various Mimecast applications. Once configured, the authentication profile must be added to an Application Setting. This assigns the authentication profile to a specific group of users. You can create more than one authentication profile to give you the flexibility to:

  • Apply a profile to a specific group of users (e.g. administrators, power users).
  • Enable / disable the feature easily.

If both 2-Step Authentication and Enforce SAML Authentication are enabled in the same profile, SAML takes preference. In this case the user should authenticate with the identity provider defined in the profile. See the Understanding Enforce SAML Authentication for End User Applications page for further information.

Prerequisites

The prerequisites required for 2-Step Authentication depend on the method you choose to deliver / generate one-time verification codes.

Email

Email can be used for 2-Step Authentication by all customers. The following prerequisites must be in place:

  • We must be able to route email to the user's primary email address.
  • The user must be able to receive the email containing the one-time verification code.

SMS

SMS can be used for 2-Step Authentication by all customers.

To implement SMS for 2-Step Authentication:

  • A single Mimecast attribute must be used for the cell phone number assigned to users.
  • Cell phone numbers must be in the full international format (e.g. +<country code><cell phone number>).
  • Users configured to use 2-Step Authentication with SMS should have a mobile phone number assigned. The number can be:
    • Registered by the administrator in the Administration Console using attributes.
    • Registered by the user after they have successfully entered their password in the application's login page. See the Accessing Mimecast with 2-Step Authentication page for more information.

If the SMS option is enabled, any users with a mobile phone number assigned in an incorrect format will not be able to log on to Mimecast applications.

Setting SMS Attributes

To set SMS attributes:

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar button. A drop-down menu is displayed.
  3. Click on the Services | SMS Dashboard menu item.
    You can also see the defined attribute in the System Notification Options section of the Administration | Account | Account Settings menu item.
  4. Click on the Change Attribute button.
  5. Click on the Lookup button to select and confirm the required attribute.
  6. Click on the Save and Exit button.

3rd Party Application

A 3rd party application can be used for 2-Step Authentication by all customers. This allows the application to generate one-time verification codes. The 3rd party application used must be compatible with the Time-based One-Time Password (TOTP) algorithm. Known compatible 3rd party applications are listed below in no particular order. We have no preference for, or affiliation with, any of these applications.

  • Microsoft Authenticator
  • LastPass Authenticator
  • Duo Mobile
  • FortiToken Mobile
  • Okta Verify
  • Google Authenticator
  • Symantec VIP Access
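
Added example, not Mimecast's code: a minimal RFC 6238 TOTP generator and verifier showing what makes the apps above interchangeable, namely a shared secret, a 30-second time step and HMAC-SHA1 truncated to six digits. It assumes the RFC defaults that the listed apps use, and the secret is the RFC 6238 test vector rather than anything issued by Mimecast.

```python
import hashlib
import hmac
import struct
import time

TIME_STEP = 30   # seconds per counter value; the step Authenticator apps use by default
DIGITS = 6       # code length most apps display


def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238: HMAC-SHA1 over the time counter, dynamically truncated as in RFC 4226."""
    counter = unix_time // TIME_STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # low nibble of last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to absorb clock drift.

    The comparison is constant-time so the verifier does not leak how many digits matched.
    """
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * TIME_STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"). At T=59 the
# 8-digit SHA-1 code is 94287082, so the 6-digit code an app would show is 287082.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59, digits=8))          # 94287082
    print(totp(RFC_SECRET, int(time.time())))      # live code for this secret
```

The real secret is shared with the app at registration (usually base32-encoded in a QR code); the algorithm above is identical whichever of the listed apps the user installs.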

To avoid issues during the registration process, we recommend that you:

  • Inform your users before enabling this feature.
  • Decide and deploy the 3rd party application users should use.
  • Ensure that your users are familiar with the process of registering an account with the chosen 3rd party application.

To use a 3rd party application as a 2-step authentication method:

  • The device on which the TOTP compatible application is installed must be trusted.
  • The trusted device (e.g. smartphone, tablet) must be with the user at all times.

If you use Office 365 Exchange, you can visit the Set Up 2-Step Verification and Create an App Password pages on the Microsoft site for more information on enabling 2-step authentication.

Configuring a 2-Step Authentication Profile

To configure a 2-Step Authentication profile:

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar menu item.
  3. Click on the Services | Applications menu item.
  4. Click on the Authentication Profiles button.
  5. Either:
    • Select an existing Authentication Profile to change it.
    • Click the New Authentication Profile button to create a new one.
  6. The Authentication Profile dialog is displayed.
  7. Select the 2-Step Authentication option you want to enforce from the drop-down list.
  8. Complete the following optional fields / options as required:
    • Permitted Application Login IP Ranges: If selected, you can specify the trusted IP ranges that are allowed for end user access. Enter a list of IP addresses (one per line) in the "Application Login IP Ranges" field. Don't prefix the IP address with CIDR, and don't include leading zeros in IP address octet numbers.
    • Gateway Login IP Ranges: If selected, you can specify the trusted IP ranges that are allowed for SMTP and POP authentication attempts. Enter a list of IP addresses (one per line) in the "Gateway Login IP Ranges" field. Don't prefix the IP address with CIDR, and don't include leading zeros in IP address octet numbers.
  9. Click the Save and Exit button to save the record and return to the list of Authentication Profiles.
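
Added example (not part of Mimecast's documentation or product) that pre-checks two inputs this page warns about: the SMS cell phone attribute from the SMS section, where a wrongly formatted number locks the user out, and the IP ranges fields in step 8. It assumes the full international format is a "+" followed by digits only, and that each line of an IP ranges field holds a single IPv4 address as the field description says; the sample values are constructed.

```python
import ipaddress
import re

# Assumed shape of the "full international format": "+" then country code and
# subscriber number as digits only, 7 to 15 digits in total (the E.164 upper bound).
PHONE_RE = re.compile(r"^\+[1-9]\d{6,14}$")


def check_phone_numbers(sms_attribute: dict) -> dict:
    """Map user -> reason for every attribute value that would fail once SMS 2-Step is enabled."""
    problems = {}
    for user, number in sms_attribute.items():
        if not number:
            problems[user] = "no cell phone number assigned"
        elif not PHONE_RE.match(number):
            problems[user] = f"not in +<country code><number> format: {number!r}"
    return problems


def check_ip_ranges(field_text: str) -> list:
    """Check an IP Ranges field: one IPv4 address per line, no CIDR suffix, no leading zeros."""
    errors = []
    for lineno, raw in enumerate(field_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue                                   # blank lines are ignored
        if "/" in line:
            errors.append(f"line {lineno}: CIDR notation not allowed: {line}")
            continue
        if any(len(o) > 1 and o[0] == "0" for o in line.split(".")):
            errors.append(f"line {lineno}: leading zero in an octet: {line}")
            continue
        try:
            ipaddress.IPv4Address(line)                # rejects octets > 255, wrong counts, junk
        except ValueError:
            errors.append(f"line {lineno}: not a valid IPv4 address: {line}")
    return errors


# Constructed sample data, not taken from any real account.
SAMPLE_PHONES = {"alice": "+14155550100", "bob": "0044 7700 900123", "carol": ""}
SAMPLE_RANGES = "203.0.113.10\n203.0.113.0/24\n198.051.100.7\n\n192.0.2.300"

if __name__ == "__main__":
    for user, why in check_phone_numbers(SAMPLE_PHONES).items():
        print(f"{user}: {why}")
    for err in check_ip_ranges(SAMPLE_RANGES):
        print(err)
```

Run check_phone_numbers over an export of the chosen attribute before enabling the SMS option, so that no user is locked out by a value the login page will reject.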
