Overview
You want to enable Two-Factor Authentication within your Kerio Connect Servers to improve security. You require guidance on how to gain access to and enable this feature.
Solution
Starting in Kerio Connect version 9.4, you can leverage Two-Factor Authentication (2FA) for additional access security. It uses the Google and Microsoft Authenticator mobile apps to supply a real-time, time-based token, so that administrators can set the level of protection each domain requires.
The process to enable the feature is performed in two parts: enabling the feature for a particular domain, and then configuring the feature at the user level.
Note: Because the 2-step verification code is time-based, it is essential to check the OS clock on the server where the Kerio Connect mail server is deployed. Keep the OS time synchronized with an internet time source (NTP); otherwise, codes that are valid on the user's phone may be rejected, resulting in verification failures.
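To make the clock-sync note concrete, the following added example (not code from Kerio Connect or this article) implements the time-based one-time password scheme that the Google and Microsoft Authenticator apps use by default (RFC 6238 TOTP over RFC 4226 HOTP: HMAC-SHA1, 30-second steps, six digits) and verifies a code the way a server would. It is an assumption that Kerio Connect uses exactly these parameters and a one-step tolerance window; the function and variable names, the RFC 6238 test secret `12345678901234567890`, and the skew values are the example's own. The `skew_demo` function shows that a server clock 20 seconds off is still within a one-step window, while a server clock 5 minutes off rejects a code that the phone generated correctly.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # TOTP time step used by Google/Microsoft Authenticator (assumption: Kerio uses the same)
DIGITS = 6          # the six-digit code the setup panel asks for


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, server_time: int, window: int = 1, step: int = STEP_SECONDS):
    """Server-side check: accept the code if it matches any step in [-window, +window]
    around the server's own clock. Returns the matching step offset (0 = same step),
    or None if the code is rejected. Constant-time compare avoids leaking digits."""
    current = server_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, current + delta), code):
            return delta
    return None


def secret_from_base32(encoded: str) -> bytes:
    """The QR code carries the shared secret as base32 (otpauth:// URI); decode it."""
    padded = encoded.strip().replace(" ", "").upper()
    padded += "=" * (-len(padded) % 8)
    return base64.b32decode(padded)


def skew_demo(secret: bytes, phone_time: int, server_skew_seconds: int, window: int = 1):
    """The phone (correct clock) generates a code; the server verifies it with a clock
    that is server_skew_seconds off. Returns verify_totp's result."""
    code = totp(secret, phone_time)
    return verify_totp(secret, code, phone_time + server_skew_seconds, window)


if __name__ == "__main__":
    # Constructed inputs: the RFC 6238 reference secret and one of its test times.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # == b"12345678901234567890"
    t = 1111111109
    print("code at t:", totp(secret, t))                      # 081804 per RFC 6238 (SHA1, 6 digits)
    for skew in (0, 20, 300):
        print(f"server skew {skew:4d}s ->", skew_demo(secret, t, skew))
    print("live code now:", totp(secret, int(time.time())))
```

Run it and compare the "live code now" value with what an authenticator app shows for the same base32 secret; if they differ, one of the two clocks is wrong. On the server, confirm synchronization with your NTP client (for example `chronyc tracking` or `timedatectl` on Linux, `w32tm /query /status` on Windows) before troubleshooting 2FA failures any further.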
Enabling Two-Factor for a Domain
- Navigate to WebAdmin > Configuration > Domains.
- Edit the desired Domain and select the Security Tab.
- Within the “Two-Factor Authentication Settings” section, check “Enable 2FA.”
- Once enabled, you can make domain-level adjustments to:
  - enforce the use of the 2FA feature by selecting Force for all users (users must set up 2FA before they can log in), and
  - adjust the period after which the 2FA trust expires.
Note: The "2FA will expire in" value defines how long a browser stays trusted after a successful 2FA login. For example, a value of 30 days means that once the user has logged in with a 2FA code, they will not be asked for a 2FA code again in the same browser for 30 days (in a different browser or on a different machine, they will be asked for a new token). If you set it to 0, the user is asked for a 2FA code every time the browser is closed and reopened.
Note: Once a user has set up 2FA (or immediately, if it is enforced), the regular user password no longer works in third-party applications (e.g., email clients). Users must instead use Application Passwords (Webmail/KCC > Settings > App Passwords), generated for the specific application they want to access.
Configuring Two-Factor for a Normal User
Once the feature has been enabled for a domain, users need to configure it within Webmail or the Kerio Connect Desktop Client. If you have decided to enforce the feature, users are prompted to configure Two-Factor on their next login (and on every login until it is configured). Otherwise, they can opt in to the feature and open the same configuration screen themselves.
- Access Webmail or the Kerio Connect Desktop Client.
- Within the user interface, navigate to the Settings menu:
  - Webmail: Avatar > Settings
  - Windows Desktop Client: Tools menu > Settings
  - macOS Desktop Client: Kerio Connect menu > Settings...
- At the bottom of the left navigation menu, select 2FA Setup.
- Click the "Start 2FA Setup" button.
- Within the dialog box, confirm that you want to start the 2-step verification setup.
- This opens the 2-Factor Authentication Setup panel.
Note: This is the panel users see on their first login if 2FA is enforced for the domain.
- Type in the recovery email address you want to use to receive the reset code for 2-step verification.
Note: The recovery email address must be different from the account's current email address. It is recommended that the recovery address be outside the domain and one you still have access to; an address inside the same domain would be unreachable if you were locked out of it.
- Scan the QR code with your preferred authentication application.
- The authentication application generates a six-digit code. Enter that code in the Authentication token field.
- Once all the information has been submitted correctly, the system asks for a final verification.
- Once verified, the system informs you whether 2-step verification was configured successfully. Depending on the domain settings, you may then be asked to submit a 2-step verification code.
Configuring Two-Factor for an Admin User
The process for setting up 2FA for admin users (built-in and dedicated admins) is identical to that for normal users above; however, they reach the initial 2FA configuration panel differently.
- Log in to WebAdmin with your admin user.
- Select the Admin drop-down in the upper right.
- Select Setup 2FA.
- A similar dialog appears in which you complete the 2FA steps shown above.