Authentication Profiles - Configuring Two-Step Authentication Profiles

This guide describes how to configure Two-Step Authentication (also referred to as two-factor authentication) for your users. Doing this adds a layer of security to prevent unauthorized access to Mimecast applications.

Two-Step Authentication

For Two-Step Authentication, you must first configure an Authentication Profile. This controls the authentication required to access the various Mimecast applications. Once configured, the Authentication Profile must be added to an Application Setting. See Configuring Application Settings. This assigns the Authentication Profile to a specific group of users. You can create more than one authentication profile to give you the flexibility to:

  • Apply a profile to a specific group of users (e.g., administrators, power users).
  • Enable / Disable the feature easily.

If both Two-Step Authentication and Enforced SAML Authentication are enabled in the same profile, SAML takes precedence. In this case, the user authenticates with the identity provider defined in the profile. See Enforce SAML Authentication for End User Applications.

Prerequisites

The prerequisites for Two-Step Authentication depend on the method you choose to deliver/generate one-time verification codes.

Third Party Application

A third-party application can be used for Two-Step Authentication by all customers. The application generates the one-time verification codes. It must be compatible with the Time-based One-Time Password (TOTP) algorithm. Known compatible third-party applications are listed below in no particular order. We have no preference for, or affiliation with, any of these applications.

  • Microsoft Authenticator.
  • LastPass Authenticator.
  • Duo Mobile.
  • FortiToken Mobile.
  • Okta Verify.
  • Google Authenticator.
  • Symantec VIP Access.

To avoid issues during the registration process, we recommend that you:
  • Inform your users before enabling this feature.
  • Decide on and deploy the most suitable third-party application that users should use.
  • Ensure that your users are familiar with registering an account with the chosen third-party application.

To use a third-party application as a Two-Step Authentication method:

  • The device on which the TOTP-compatible application is installed must be trusted.
  • The trusted device (e.g., smartphone, tablet) must always be with the user.

If you use Microsoft 365 Exchange, see Set Up Two-Step Verification and Microsoft's information on managing app passwords for two-step verification.

Email

Email can be used for Two-Step Authentication by all customers. The following prerequisites must be in place:

  • We must be able to route emails to the user's primary email address.
  • The user must be able to receive the email containing the one-time verification code.

SMS

SMS can be used for Two-Step Authentication by all customers.

To implement SMS for Two-Step Authentication:

  • A single Mimecast attribute must be used for users' cell phone numbers.
  • Cell phone numbers must be in the full international format (e.g., +).
  • Users configured to use Two-Step Authentication with SMS should have a mobile phone number assigned. The number can be:
    • Registered by the administrator in the Administration Console using attributes.
    • Registered by the user after successfully entering their password in the application's login page. See the Login with Two-Step Authentication page for more information.

If the SMS option is enabled, users with a mobile phone number assigned in an incorrect format cannot log on to Mimecast applications.
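Because a badly formatted number locks the user out rather than failing gracefully, it is worth auditing the chosen attribute before switching SMS on. The script below is an added example, not Mimecast's code; it interprets "full international format" as the E.164 shape (a leading "+", then 8 to 15 digits, the first not 0), which is an assumption to confirm against Mimecast's documentation. It reports problems and suggests a fix only where the fix is unambiguous, so nothing is rewritten silently.

```python
# Added example (not Mimecast's code): audit the mobile-number attribute values
# before enabling SMS Two-Step Authentication. E.164 is assumed as the meaning
# of "full international format".
import re
from typing import List, NamedTuple, Optional

E164 = re.compile(r"^\+[1-9]\d{7,14}$")
SEPARATORS = re.compile(r"[\s\-().]")   # formatting characters people commonly type


class NumberCheck(NamedTuple):
    raw: str
    ok: bool
    normalised: Optional[str]   # value to store if ok, else None
    suggestion: Optional[str]   # an obvious fix when there is one, else None
    reason: str


def check_mobile_number(raw: str) -> NumberCheck:
    """Classify one attribute value without silently rewriting it."""
    compact = SEPARATORS.sub("", raw)
    if E164.match(compact):
        return NumberCheck(raw, True, compact, None, "ok")
    if compact.startswith("00") and compact[2:].isdigit() and E164.match("+" + compact[2:]):
        # International dialling prefix typed instead of "+": the fix is unambiguous
        return NumberCheck(raw, False, None, "+" + compact[2:], "uses 00 prefix instead of +")
    if compact.isdigit():
        # National format: the country code is unknown, so a person must fix it
        return NumberCheck(raw, False, None, None, "missing country code")
    return NumberCheck(raw, False, None, None, "not a valid international number")


def audit(numbers: List[str]) -> List[NumberCheck]:
    """Return only the entries that would block SMS login."""
    return [c for c in (check_mobile_number(n) for n in numbers) if not c.ok]


if __name__ == "__main__":
    # Constructed sample attribute values (fictitious numbers), one per user
    sample = ["+44 7700 900123", "00447700900123", "07700900123",
              "+1-202-555-0143", "+0123", "n/a"]
    for problem in audit(sample):
        note = f" (suggested: {problem.suggestion})" if problem.suggestion else ""
        print(f"{problem.raw!r}: {problem.reason}{note}")
```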

Setting SMS Attributes

You can set SMS attributes by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Services | SMS Dashboard.

    You can also see the defined attribute in the System Notification Options section of the Account | Account Settings menu item.

  3. Click on Change Attribute.
  4. Click on Lookup to select and confirm the required attribute.
  5. Click on Save and Exit.

Configuring a Two-Step Authentication Profile

You can configure a Two-Step Authentication profile by using the following steps:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Users & Groups | Applications.
  3. Click on Authentication Profiles.
  4. Either:
    • Select an Authentication Profile to change it.
    • Click on the New Authentication Profile button to create one.
  5. Select the option you want to use to enforce Two-Step Authentication.

    "3rd Party App" is the recommended Two-Step Authentication method.

    Setting SMS as the Two-Step Authentication method relies on a mobile network, which can result in delays due to network coverage.

  6. Complete the following optional fields and options as required:
    • Permitted Application Login IP Ranges: If selected, you can specify the trusted IP ranges allowed for end-user access. Enter a list of IP addresses (one per line) in the Application Login IP Ranges field. Do not add a CIDR prefix to the IP address or use leading zeros in the octets.
    • Gateway Login IP Ranges: If selected, you can specify the trusted IP ranges allowed for SMTP and POP authentication attempts. Enter a list of IP addresses (one per line) in the Gateway Login IP Ranges field. Do not add a CIDR prefix to the IP address or use leading zeros in the octets.
  7. Click Save and Exit to save the record and return to the list of Authentication Profiles.
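A mistyped entry in either IP range field restricts the wrong addresses, so it pays to lint the list before pasting it. The script below is an added example, not Mimecast's code. It enforces the rules stated above (one entry per line, no CIDR prefix, no leading zeros in octets) and, as an assumption not stated on this page, treats an entry as either a single IPv4 address or two addresses joined by "-"; adjust the separator if your console uses a different range syntax.

```python
# Added example (not Mimecast's code): lint a pasted IP-range list before saving
# the Authentication Profile. Assumed range form: "a.b.c.d-a.b.c.e".
import ipaddress
from typing import List, Tuple

RANGE_SEPARATOR = "-"   # assumption: not documented on the page


def check_address(text: str) -> str:
    """Return "" if `text` is a plain dotted quad without leading zeros, else describe the problem."""
    if "/" in text:
        return "CIDR prefix not allowed"
    parts = text.split(".")
    if len(parts) != 4:
        return "not a dotted-quad IPv4 address"
    for octet in parts:
        if not octet.isdigit():
            return f"non-numeric octet {octet!r}"
        if octet != str(int(octet)):
            return f"leading zero in octet {octet!r}"
        if int(octet) > 255:
            return f"octet {octet} out of range"
    return ""


def check_entry(line: str) -> str:
    """Validate one line: a single address or an assumed start-end range."""
    ends = [p.strip() for p in line.split(RANGE_SEPARATOR)]
    if len(ends) > 2:
        return "more than one range separator"
    for end in ends:
        problem = check_address(end)
        if problem:
            return problem
    # Both ends are already validated, so ipaddress will not see leading zeros here
    if len(ends) == 2 and ipaddress.IPv4Address(ends[0]) > ipaddress.IPv4Address(ends[1]):
        return "range start is after range end"
    return ""


def lint(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, line, problem) for each bad line; an empty list means safe to paste."""
    problems = []
    for number, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        problem = check_entry(line)
        if problem:
            problems.append((number, line, problem))
    return problems


# Constructed sample list using documentation address blocks (RFC 5737)
SAMPLE = """\
192.0.2.10
192.0.2.0-192.0.2.255
198.51.100.0/24
203.000.113.7
10.0.0.1, 10.0.0.2
203.0.113.20-203.0.113.10
"""

if __name__ == "__main__":
    for number, line, problem in lint(SAMPLE):
        print(f"line {number}: {line!r}: {problem}")
```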
