Authentication - Authentication Tokens

This article contains information on the benefits and management of authentication tokens in Mimecast applications, highlighting performance gains, reduced network traffic, and improved continuity during outages, along with token security and cache timeout settings.

Introduction

When a Mimecast client application successfully authenticates with Mimecast for the first time, the Mimecast service creates a token. Once the token has been issued, Mimecast uses this token to validate that all requests are from a specific client application, and therefore the token itself serves as the authentication method. Each token is valid for a specific period of time before it expires, at which time the application must re-authenticate and obtain a new token.

The list of Mimecast applications that respect tokens includes the latest generation of Mimecast for Outlook, Mimecast for Mac, and Mimecast Mobile.

Benefits

Using tokens results in a significant performance gain, greater stability, and more consistency during a Continuity Event. Some of these benefits are detailed below:

• Decreased Authentication Overhead: Certain authentication methods create significant overhead and take time to complete. For example, Integrated Windows Authentication (IWA) can take several seconds to negotiate a successful login. The user experience of running a search and browsing through a number of results would be frustrating if each request for data had the overhead of the authentication negotiation. Using tokens results in these heavyweight authentication methods only being performed occasionally, which therefore significantly improves the user experience. Once authenticated, all subsequent calls utilize the authentication token for client validation.
• Decreased Network Traffic: Utilizing authentication tokens dramatically reduces traffic to the customer's infrastructure, allowing a smaller number of authentication resources to scale to a large number of users.
• Fewer Connectivity Issues: Authentication tokens ensure that connectivity issues, such as request timeouts or server downtime, do not interfere with the user's ability to use the application.
• Improved Continuity Experience: During a mail server outage scenario, it is possible that either the Active Directory or EWS server (if using IWA) will also be unavailable.  Service disruptions for end users can be seamless as long as the user has a valid token at the time of the outage. During a continuity event, the life of the token is automatically extended until the Continuity event is over.  As a result, users who have valid sessions established can continue to work without the need for cloud passwords.

Token Cache Timeout

Administrators can set how long tokens are stored for, which determines how often an end user must be reauthenticated. This is configured in an Authentication Profile, and the default life for a token is set to three days.

To ensure that relevant end user applications do not have to authenticate every time they get used, Mimecast uses an authentication time-to-live (TTL). Please select the appropriate value for your business.

The longer the token cache timeout is set, the longer the user has access to Mimecast via the application without explicitly authenticating.

Token Security

Authentication tokens are secured in a number of ways. This ensures they cannot be shared or maliciously used by anyone besides the person who was originally authorized to use them. While the tokens cannot provide a mechanism for non-authenticated users to gain access, they do afford authorized users access until the token expires.