| KC 9.4.1 2FA success stories? [message #151340] |
Thu, 24 March 2022 16:20  |
McIrish
Messages: 258
Registered: October 2011
|
|
|
|
Hi,
I'm trying to wrap my head around 2FA in Kerio Connect. I'm hesitant to enable it as I'm not up to speed. I did read doc on it but the info doesn't seem complete to me. I could just start messing with it on a test user but I'd love some feedback from those of you who have implemented it.
1) Did you enable it globally and force it for all users?
2) What steps did you do to train end users on how it works?
3) Any issues you have run into?
For the most part, all of the clients are using Outlook 2016 on both PC and Mac. A few people use the web client, but the vast majority have never logged into the web client.
Thanks for the tips
|
|
|
|
|
|
| Re: KC 9.4.1 2FA success stories? [message #151687 is a reply to message #151348] |
Fri, 20 May 2022 20:46  |
afisher
Messages: 26
Registered: April 2011
|
|
|
|
I have it enabled on a few accounts and as expected the google authenticator app on my phone works just fine. For the rest of the work force without company phones, Im suggesting we buy programmable tokens https://deepnetsecurity.com/products/programmable-tokens/ . These are $25USD/ea and can be used for one OTP account each. Another option that works is the Authy desktop software (free) which works just like an smartphone authenticator app but on your desktop. If anyone knows of a better way to do this, i'm all ears.
As for your outlook, you are using the app password that is generated in the webmail right? You can't 2F outlook as far as I know, so you need to use the app password just like you would on your phone.
|
|
|
|
|
|
|
|
| Re: KC 9.4.1 2FA success stories? [message #152322 is a reply to message #151710] |
Thu, 28 July 2022 21:38 |
RustyB
Messages: 90
Registered: April 2010
|
|
|
|
McIrish wrote on Tue, 24 May 2022 21:53Do I understand correctly the 2FA is only for the Kerio Client and the web portal, but NOT for Outlook or for use on cell phones? I just want to make sure I understand.
This is disappointing. Most of our users use Exchange on mobile devices. So 2FA will not work for them? How does this make us more secure? So if a hacker guesses a users password, they can just login via IMAP or Exchange and not be prompted for 2FA even thought the user has 2FA activated?
Why can't it just send a verification email anytime someone logs in from an unknown device, regardless of what kind of device it is?
|
|
|
|
| Re: KC 9.4.1 2FA success stories? [message #152438 is a reply to message #152322] |
Wed, 10 August 2022 18:54 |
afisher
Messages: 26
Registered: April 2011
|
|
|
|
The way I understand it, Exchange doesn't have a mechanism for entering the 2FA codes Kerio supports. There might be third party utilities that provide 2FA with mobile email clients but I'm not sure if Kerio would support them at the moment.
The "extra security" comes from the App Password, which are 16 random characters. I do however see your point, passwords can be written down or found out. 2FA would be more secure still.
|
|
|
|
Members
Search
Help
Register
Login
Home
