Zimbra Collaboration 8.7: Two-factor authentication (2FA) – Technical Preview

Coming with Zimbra Collaboration 8.7 is an exciting new feature: two-factor authentication (also known as 2FA). Two-factor authentication is a technology that identifies users through the combination of two different components. These components may be something that the user knows (like a password, UserID, etc.) and something that the user possesses (for example a smartphone, a USB key, etc.).

Zimbra Two-Factor authentication requires an upgrade of your Network Edition License Key, which is free of charge if you have a valid License. Contact your regional sales manager, and click here for more information.

Zimbra Collaboration Two-Factor Authentication

The use of two-factor authentication to prove your users’ identity is based on the premise that an unauthorized actor is unlikely to be able to supply both factors required for access. If, in an authentication attempt, at least one of the components is missing or incorrect, the user’s identity is not established with sufficient certainty, and access to the user’s Zimbra Mailbox protected by two-factor authentication remains blocked.

(source: Wikipedia)

How to enable two-factor authentication feature (Admin Console)

The two-factor authentication feature must be enabled in the Admin Console, and it can be enabled at the User or Class-of-Service level. This allows precise control over the users’ security: you can enable the feature just for the most critical Mailboxes in the environment, for all users, etc.

To enable it in the Admin Console: Home > Configure > Class of service > yourCOSname > Advanced > Two Factor Authentication

Use the check-boxes to:

  • Enable two-factor authentication: enable or disable the two-factor authentication feature
  • Require two-step authentication: all users will need to configure the 2FA
  • Number of one-time codes to generate (per each user)
  • Enable application passcodes: for legacy applications that don’t support 2FA. You can generate exception codes for them.

How to enable two-factor authentication feature (User Web Client)

Once the Admin has enabled and configured 2FA, users will see a new option under Preferences > Accounts, called Two Factor Authentication.

If the user clicks on the Setup two-step authentication link, the configuration process will begin.

The first step shows a brief description of two-step authentication. The user must click on Begin Setup.


In the next step, the user enters his or her current password. If you remember the theory of 2FA, this is “the component the user knows”. Once the user has typed the password, click on Next.

The next step retrieves the other component the user must have, in this case an app in the smartphone. The Two Factor authentication wizard will show a Wiki link with the OTP Apps Zimbra recommends to use.

Once the user has installed the App, the 2FA wizard will show a unique key that the user must enter in the Smartphone OTP App.

How to Install and Configure an OTP smartphone app

In this example, I will use Google Authenticator, but please visit our Wiki where you can find other options. In the App Store or Play Store, search for Google Authenticator, then click Install.

Once the app is installed, open it, and click Begin Setup.

The app will ask if you want to configure a Manual entry or Scan a barcode. Zimbra Collaboration 8.7 supports only manual entry for now. However, see the following Bug, where adding the option to support barcodes is being discussed.

To configure the App, the users must add an email address and the unique Key from the Zimbra Web Client.

All done! Now the app is configured and will show a 6-digit code that changes after 15 seconds.

Finishing the configuration in the Web Client

Once the user has the App configured and showing the 6 digit code, the user can enter the Code in the wizard window and click Next.


The two-step authentication feature is now enabled, and the user will be prompted for a code in each new Browser, smartphone, computer, or app where he or she tries to access the account.

In the users’ Preferences > Accounts > Account Security (if the Admin has enabled these options under the COS), the user will see more options like the one-time codes, Trusted devices, and Applications.

Testing a new Web Browser session in a new Computer

If the user now goes to another Web Browser, computer, smartphone, or if he or she tries to configure Zimbra Desktop, the user will successfully pass the two-factor authentication. For example on the Web Client:

One-time Codes

With two-factor authentication enabled, there may be situations where the smartphone has no battery left to answer the code challenge, or the device has been lost, etc. For cases like this, Zimbra introduces the One-time codes functionality. This function allows users to generate multiple codes to use in case of emergency. The total number of one-time codes can be configured by the Admin.

The user can click on the One-time codes View option to see the codes. The user must keep the codes secure (written somewhere, in another device, etc.).
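A sketch of how one-time codes can be issued and redeemed so that each works exactly once, as an added example that is not Zimbra's implementation: the code alphabet, length, salted PBKDF2 storage and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed alphabet: upper-case letters and digits without 0/O/1/I look-alikes,
# since the user copies these codes by hand from paper or another device.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def digest_code(code: str, salt: bytes) -> bytes:
    """Slow, salted hash so a leaked store does not reveal usable codes."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


def issue_codes(count: int, length: int = 8):
    """Return (codes shown to the user once, server-side store of digests)."""
    salt = secrets.token_bytes(16)
    codes = set()
    while len(codes) < count:  # the set guarantees no duplicate codes
        codes.add("".join(secrets.choice(ALPHABET) for _ in range(length)))
    codes = sorted(codes)
    store = {"salt": salt, "digests": [digest_code(c, salt) for c in codes]}
    return codes, store


def redeem(store: dict, submitted: str) -> bool:
    """Accept a code once: on a match its digest is deleted from the store."""
    candidate = digest_code(submitted.replace(" ", "").upper(), store["salt"])
    for index, stored in enumerate(store["digests"]):
        if hmac.compare_digest(stored, candidate):
            del store["digests"][index]
            return True
    return False
```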


16 Responses to Zimbra Collaboration 8.7: Two-factor authentication (2FA) – Technical Preview

  1. Daniel February 4, 2016 at 8:21 AM #

    Jorge, how can we test the new version?
    Someone public release?

    • Jorge de la Cruz February 4, 2016 at 9:43 AM #

      Hi Daniel, if you are a Gold Partner you can send an email to partners@zimbra.com requesting to join the Beta Program; if not, we will share it with the public as well soon.

      Best regards

  2. Edgar February 4, 2016 at 9:31 AM #

    Excelente!!!

  3. Stanislav February 7, 2016 at 8:10 AM #

    Amazing feature. It will bring security to the next level.

  4. Melissa February 23, 2016 at 12:47 PM #

    Hello,

    Is there a tentative release date for 8.7 yet?

    • Raunaq Malik March 14, 2016 at 5:08 PM #

      Somewhere in the second quarter 2016

  5. Thor February 25, 2016 at 9:22 AM #

    Doesn’t seem like they monitor these pages for comments. I posted a comment to the roadmap blog post without any replies.

  6. pat June 16, 2016 at 12:23 PM #

    believe it when i see it

  7. Peter Baumann July 30, 2016 at 9:41 AM #

    Hi,
    Is it possible to integrate 2FA with the Yubikey?
    We’re using Yubikeys for our 2FA on premise.

    Thanks,
    Peter Baumann

  8. SomeUser August 19, 2016 at 1:33 AM #

    It seems 2FA is useless due to bypass protection with using permanent application passcodes. Why create complex auth system and leave the black enter? Application passcode should be associated with country person logging or even town by IP. in Zimbra realisation “application passcodes” = “usual password” = no protection

  9. Justin September 10, 2016 at 12:03 AM #

    How will this work with ActiveSync clients? This would be a selling point for us to migrate to Network Edition….

  10. Vishnu October 12, 2016 at 12:26 PM #

    Hi,

    How to go about disabling OTP for Internal Network. (Local Area Network) ?

  11. Wong Boon Hong December 21, 2016 at 6:43 AM #

    How can we enable this for the admin console login as well? Isn’t admin console more critical to protect with two factor authentication?

Trackbacks/Pingbacks

  1. Zimbra Collaboration 8.7 and Zimbra Desktop, 2FA and Password Lock - ReadySpace India - June 15, 2016

    […] introduced Zimbra Collaboration 2FA a couple of months ago, and starting in Zimbra Desktop 7.2.8, we support it natively on our Desktop client as well. The […]

Copyright © 2022 Zimbra, Inc. All rights reserved.
