This guide describes how 2-Step Authentication, sometimes known as two factor authentication, can be configured for your users. Doing so adds an additional layer of security to prevent unauthorized access to Mimecast applications.
To configure 2-Step Authentication, you must first configure an authentication profile. This controls the authentication required to access the various Mimecast applications. Once configured, the authentication profile must be added to an Application Setting. This assigns the authentication profile to a specific group of users. You can create more than one authentication profile to give you the flexibility to:
- Apply a profile to a specific group of users (e.g. administrators, power users).
- Enable / disable the feature easily.
The prerequisites required for 2-Step Authentication depend on the method you choose to deliver / generate one-time verification codes.
Email can be used for 2-Step Authentication by all customers. The following prerequisites must be in place:
- We must be able to route email to the user's primary email address.
- The user must be able to receive the email containing the one-time verification code.
SMS can be used for 2-Step Authentication by all customers.
To implement SMS for 2-Step Authentication:
- A single Mimecast attribute must be used for the cell phone number assigned to users.
- Cell phone numbers must be in the full international format (e.g. +<country code><cell phone number>).
- Users configured to use 2-Step Authentication with SMS should have a mobile phone number assigned. The number can be:
  - Registered by the administrator in the Administration Console using attributes.
  - Registered by the user after they have successfully entered their password in the application's login page. See the Accessing Mimecast with 2-Step Authentication page for more information.
Setting SMS Attributes
To set SMS attributes:
- Log on to the Administration Console.
- Click on the Administration toolbar button. A menu drop down is displayed.
- Click on the Services | SMS Dashboard menu item. You can also see the defined attribute in the System Notification Options section of the Administration | Account | Account Settings menu item.
- Click on the Change Attribute button.
- Click on the Lookup button to select and confirm the required attribute.
- Click on the Save and Exit button.
3rd Party Application
A 3rd party application can be used for 2-step authentication by all customers. This allows the application to generate one-time verification codes. The 3rd party application used must be compatible with the Time-based One-Time Password algorithm (TOTP). Known compatible 3rd party applications are listed below in no particular order. We have no preference or affiliation with any of these applications.
- Microsoft Authenticator
- LastPass Authenticator
- Duo Mobile
- FortiToken Mobile
- Okta Verify
- Google Authenticator
- Symantec VIP Access
To avoid issues during the registration process, we recommend that you:
- Inform your users before enabling this feature.
- Decide and deploy the 3rd party application users should use.
- Ensure that your users are familiar with the process of registering an account with the chosen 3rd party application.
To use a 3rd party application as a 2-step authentication method:
- The device on which the TOTP compatible application is installed must be trusted.
- The trusted device (e.g. smartphone, tablet) must be with the user at all times.
Configuring a 2-Step Authentication Profile
- Log on to the Administration Console.
- Click on the Administration toolbar menu item.
- Click on the Services | Applications menu item.
- Click on the Authentication Profiles button.
- Either select an existing Authentication Profile to change it, or click the New Authentication Profile button to create a new one. The Authentication Profile dialog is displayed.
- Select the 2-Step Authentication option you would like to enforce from the drop down list.
- Complete the following optional fields / options as required:
Field / Option: Permitted Application Login IP Ranges
Description: If selected, you can specify the trusted IP ranges that are allowed for end user access. Enter a list of IP addresses (one per line) in the "Application Login IP Ranges" field. Don't add a CIDR prefix length to the IP address, and don't include leading zeros in IP address octet numbers.
Field / Option: Gateway Login IP Ranges
Description: If selected, you can specify the trusted IP ranges that are allowed for SMTP and POP authentication attempts. Enter a list of IP addresses (one per line) in the "Gateway Login IP Ranges" field. Don't add a CIDR prefix length to the IP address, and don't include leading zeros in IP address octet numbers.
- Click the Save and Exit button to save the record and return to the list of Authentication Profiles.
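Both IP range fields carry the same two formatting rules (no CIDR prefix length, no leading zeros in octets), and a rejected entry is easy to miss in a long pasted list. The following Python is an added lint script, not part of Mimecast's product or this guide; it assumes one dotted-decimal IPv4 address per line, as the field descriptions state, and does not try to interpret any other range syntax since the page defines none. The sample list is constructed. The leading-zero rule matters beyond tidiness: some address parsers read an octet such as "051" as octal, so the same text can name different hosts in different software, and rejecting it removes that ambiguity before the entry reaches an allow list.

```python
from typing import List, Tuple

# Constructed sample for the "Application Login IP Ranges" field, one entry per line.
SAMPLE_RANGES = """203.0.113.10
203.0.113.0/24
198.051.100.7
192.0.2.300
198.51.100.7
"""


def check_login_ip_line(line: str) -> Tuple[bool, str]:
    """Validate one line against the field's rules. Returns (accepted, reason)."""
    entry = line.strip()
    if not entry:
        return False, "empty line"
    if "/" in entry:
        return False, "CIDR prefix length is not permitted; enter the address without '/nn'"
    octets = entry.split(".")
    if len(octets) != 4:
        return False, "expected four dotted-decimal octets"
    for octet in octets:
        if not octet.isdigit():
            return False, f"octet {octet!r} is not numeric"
        if len(octet) > 1 and octet[0] == "0":
            # Ambiguous: some parsers treat a leading-zero octet as octal.
            return False, f"octet {octet!r} has a leading zero"
        if int(octet) > 255:
            return False, f"octet {octet!r} exceeds 255"
    return True, "ok"


def lint_login_ip_ranges(text: str) -> List[Tuple[int, str, str]]:
    """Check every non-blank line; return (line number, entry, reason) for each rejected one."""
    problems = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        accepted, reason = check_login_ip_line(line)
        if not accepted:
            problems.append((number, line.strip(), reason))
    return problems


if __name__ == "__main__":
    for number, entry, reason in lint_login_ip_ranges(SAMPLE_RANGES):
        print(f"line {number}: {entry!r} rejected: {reason}")
```

Run it over the list before pasting it into the profile; an empty result means every line satisfies the two stated rules and the basic IPv4 shape.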