This guide describes how 2-step authentication, sometimes known as two-factor authentication, can be configured for your users. Doing so adds an additional layer of security to prevent unauthorized access to Mimecast applications.
To configure 2-step authentication, you must first configure an authentication profile. This controls the authentication required to access the various Mimecast applications. Once configured, the authentication profile must be added to an Application Setting, which assigns the authentication profile to a specific group of users. You can create more than one authentication profile, which gives you the flexibility to:
- Apply a profile to a specific group of users (e.g. administrators, power users).
- Enable / disable the feature easily.
The prerequisites required for 2-step authentication depend on the method you choose to deliver / generate one time verification codes.
Email can be used for 2-step authentication by all customers. The following prerequisites must be in place:
- We must be able to route email to the user's primary email address.
- The user must be able to receive the email containing the one time verification code.
SMS can be used for 2-step authentication by customers with accounts where the SMS service is enabled. The following prerequisites must be in place:
- A single Mimecast attribute must be used for the cell phone number assigned to users.
- Cell phone numbers must be in the full international format (e.g. +<country code><cell phone number>).
- All users with an authentication profile configured to use 2-step authentication with SMS must have a cell phone number assigned. Users without a cell phone number assigned in the correct format won't be able to log on to any Mimecast application when this option is enabled.
For more information on configuring Mimecast SMS services, see the Setting up Mimecast SMS Services guide.
3rd Party Application
A 3rd party application can be used for 2-step authentication by all customers. In this case the application itself generates the one-time verification codes on the user's device. The 3rd party application used must be compatible with the Time-based One-Time Password algorithm (TOTP). Known compatible 3rd party applications are listed below in no particular order. We have no preference for, or affiliation with, any of these applications.
- Microsoft Authenticator
- LastPass Authenticator
- Duo Mobile
- FortiToken Mobile
- Okta Verify
- Google Authenticator
- Symantec VIP Access
To avoid issues during the registration process, we recommend that you:
- Inform your users before enabling this feature.
- Decide and deploy the 3rd party application users should use.
- Ensure that your users are familiar with the process of registering an account with the chosen 3rd party application.
To use a 3rd party application as a 2-step authentication method:
- The device on which the TOTP compatible application is installed must be trusted.
- The trusted device (e.g. smartphone, tablet) must be with the user at all times.
Configuring a 2-Step Authentication Profile
- Log on to the Administration Console.
- Click on the Administration toolbar menu item.
- Click on the Services | Applications menu item.
- Click on the Authentication Profiles button.
- Select an existing Authentication Profile to change it, or click the New Authentication Profile button to create a new one.
- The Authentication Profile dialog is displayed.
- Select the option you would like to enforce from the 2-Step Authentication drop-down list.
- Complete the following optional fields / options as required:
Field / Option: Permitted Application Login IP Ranges
Description: If selected, you can specify the trusted IP ranges that are allowed for end user access. Enter a list of IP addresses (one per line) in the "Application Login IP Ranges" field. Don't use CIDR notation (no /prefix-length suffix), and don't include leading zeros in IP address octets.
Field / Option: Gateway Login IP Ranges
Description: If selected, you can specify the trusted IP ranges that are allowed for SMTP and POP authentication attempts. Enter a list of IP addresses (one per line) in the "Gateway Login IP Ranges" field. Don't use CIDR notation (no /prefix-length suffix), and don't include leading zeros in IP address octets.
- Click the Save and Exit button to save the record and return to the list of Authentication Profiles.
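Because a malformed entry in the IP range fields can silently fail to trust an address (or, worse, be misread), it pays to lint the list before pasting it into the console. The example below is added here and is not Mimecast code; it encodes only the rules this guide states for the two fields (one IPv4 address per line, no CIDR suffix, no leading zeros in octets) and then shows how an allowlist built only from valid entries would judge a login. The field contents and client addresses are constructed sample data, and the assumption that the console accepts nothing beyond the syntax described above is the author's, not the guide's.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample of what an administrator might paste into the field.
# Lines 2 to 4 each break one of the documented rules.
SAMPLE_FIELD = (
    "192.0.2.10\n"
    "192.0.2.0/24\n"        # CIDR suffix: not permitted
    "203.000.113.5\n"       # leading zeros in an octet: not permitted
    "198.51.100.256\n"      # octet out of range
    "\n"                    # blank line: ignored
    "198.51.100.7\n"
)


def check_ip_range_entry(entry: str) -> Tuple[bool, str]:
    """Validate one line against the guide's rules for the IP range fields."""
    line = entry.strip()
    if not line:
        return False, "empty line"
    if "/" in line:
        return False, "CIDR suffix not permitted; enter the address only"
    octets = line.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        return False, "not a dotted-quad IPv4 address"
    if any(len(o) > 1 and o.startswith("0") for o in octets):
        return False, "leading zeros in an octet are not permitted"
    if any(int(o) > 255 for o in octets):
        return False, "octet out of range (0-255)"
    return True, "ok"


def validate_ip_range_field(text: str) -> List[Tuple[str, bool, str]]:
    """Validate the whole field, one entry per line; blank lines are skipped.
    Returns (entry, ok, reason) for every non-blank line so every problem is reported."""
    results = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ok, reason = check_ip_range_entry(raw)
        results.append((raw.strip(), ok, reason))
    return results


def trusted_addresses(text: str) -> List[str]:
    """Only entries that pass validation are honoured, so a mistyped line never widens access."""
    return [entry for entry, ok, _ in validate_ip_range_field(text) if ok]


def is_trusted_login(client_ip: str, field_text: str) -> bool:
    """Would a login from client_ip be treated as coming from a trusted address?
    Note that the rejected '192.0.2.0/24' line trusts nothing, so 192.0.2.55 is not trusted."""
    client = str(ipaddress.ip_address(client_ip))  # raises on garbage input
    return client in set(trusted_addresses(field_text))


if __name__ == "__main__":
    for entry, ok, reason in validate_ip_range_field(SAMPLE_FIELD):
        print(f"{'OK  ' if ok else 'FAIL'} {entry:<18} {reason}")
    print("trusted:", trusted_addresses(SAMPLE_FIELD))
```

Run it against the real field contents before saving the profile; a line reported as FAIL should be corrected (or removed) rather than left in, since the guide gives no indication that the console tolerates it.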