This article explains the functionality of Mimecast's Two-Step Authentication, including its benefits, supported applications, configuration considerations, and methods for generating or receiving verification codes to enhance account security.
Introduction
Passwords offer only a single layer of protection for a user's identity. Even the most complex passwords can be compromised by:
- Using the same password on more than one website or application.
- Weaponized software downloaded from the internet or received via email.
- Clicking on links to malicious websites.
Mimecast native Two-Step Authentication protects accounts by denying access to anyone who has only a password. Once enabled, Administrators and End Users need both a password and a one-time verification code to access Mimecast. You can choose how Two-Step verification codes are received or generated. The following options are available:
- Via a 2FA application code generator (e.g. Google Authenticator, Duo, Authy, Symantec VIP Access, FortiToken, and many more).
- Via Email.
- Via SMS.
Depending on your Mimecast subscription, you may have access to Mimecast SMS Services.
Benefits
Two-Step Authentication has the following benefits:
- The additional layer of security reduces the risk of administrator and user accounts becoming compromised.
- The group-based configuration provides the flexibility to enable this for all users or selected users only.
- Works with your existing Cloud or Domain authentication configurations to allow you to enhance security while minimizing impact.
- Email or SMS delivery of verification codes.
- Support for TOTP verification code generators to get a verification code.
  - This combines the per-user shared secret with a reasonably accurate current time (+ or - one minute) to create a unique six-digit code further verifying the user.
- Secure standards-based implementation for compatibility with a wide range of TOTP code generators.
- The simple one-time self-service registration process reduces IT complexity.
- Administrators can force re-registration if a user wipes or loses their device. See Managing User Email Addresses.
- Adaptive location-based support provides the option only to require a second form of verification when users attempt to log in from outside your trusted networks.
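The TOTP calculation described in the list above, as an added example that is not Mimecast's own code: it follows RFC 6238 and checks a submitted code against a window of time steps. The 30-second step, HMAC-SHA1, the mapping of "+ or - one minute" to two steps either side, and the rejection of already-used steps are assumptions; the secret is the RFC 6238 test value, not a real one.

```python
import hashlib
import hmac
import struct

STEP = 30        # seconds per time step (RFC 6238 default; assumed)
DIGITS = 6       # six-digit code, as the article describes
SKEW_STEPS = 2   # 2 x 30 s = one minute either side (assumed mapping)

# Constructed sample: the RFC 6238 test secret, never a production value.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, unix_time: float) -> str:
    """Code for the time step containing unix_time."""
    return hotp(secret, int(unix_time) // STEP)


def verify(secret: bytes, code: str, unix_time: float, last_used_step: int = -1):
    """Return the matching time step, or None if the code is rejected.

    Every step in the window is checked with a constant-time comparison,
    and a step at or before last_used_step is refused so that a code
    observed once cannot be replayed inside the tolerance window.
    """
    current = int(unix_time) // STEP
    matched = None
    for step in range(max(0, current - SKEW_STEPS), current + SKEW_STEPS + 1):
        if hmac.compare_digest(hotp(secret, step), code) and step > last_used_step:
            matched = step
    return matched


if __name__ == "__main__":
    code = totp(SAMPLE_SECRET, 59)
    print("code at t=59:", code)
    print("accepted one minute later:", verify(SAMPLE_SECRET, code, 119))
    print("accepted two minutes later:", verify(SAMPLE_SECRET, code, 179))
    print("replayed after use:", verify(SAMPLE_SECRET, code, 59, last_used_step=1))
```

The caller stores the returned step per user and passes it back as last_used_step on the next login attempt.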
Supported Mimecast Applications
Two-Step Authentication is supported for both administrator and end-user access, including access to the following:
- Mimecast Administration Console.
- Mimecast Personal Portal.
- Case Review.
- Mimecast for Outlook.
- Mimecast Mobile.
- Mimecast for Mac.
- Mimecast Partner Portal.
Considerations
Consider the following when configuring Two-Step Authentication:
- If you are using earlier versions of Mimecast for Outlook, Mimecast Mobile, and Mimecast for Mac applications, you'll be prompted to upgrade if Two-Step Authentication is enabled.
- SAML will take preference if both Two-Step Authentication and Enforce SAML Authentication are enabled in the same profile. In this case, the user should authenticate with the Identity provider defined in the authentication profile. See Enforce SAML Authentication for End-User Applications.
- If you have a Microsoft 365 exchange, you can work with Microsoft to enable Two-Step Authentication, and generate an app password for users. See Microsoft's resources Set up 2-Step Verification for Microsoft 365 and Create an App Password for Microsoft 365.
- If you're using Microsoft Azure with Microsoft 365, it's possible to configure a bypass solution for Multi-Factor Authentication requests, by adding the Mimecast IPs as Trusted IPs. See the Microsoft resource Configure Azure Multi-Factor Authentication Settings.