2-Step Verification (Two Factor Authentication) for WebMail

Axigen Documentation

2-Step Verification (Two Factor Authentication) for WebMail is available starting with Axigen X3 (10.3.x).

2-Step Verification helps securing access to the accounts, by adding a second step to the authentication process — a one-time verification code.

Axigen implements 2-Step Verification by using the TOTP (Time-based One-time Password) algorithm (compatible TOTP mobile apps: Google Authenticator, Microsoft Authenticator, or other compatible TOTP apps or dongles).

Administration

WebAdmin

Enabling 2-Step Verification

This option can be enabled:

  1. in the Account Defaults (class) from WebAdmin → Domains & Accounts → Edit your domain → Account Defaults → Quotas and Restrictions → Restrictions section
  2. in an Account Class from WebAdmin → Domains & Accounts →  Account Classes → Edit your Account Class → Quotas and Restrictions tab in the Restrictions section
  3. on account level from WebAdmin → Domains & Accounts →  Manage Accounts → Edit the specific account → Quotas and Restrictions tab in the Restrictions section

Optionally, admins can enforce 2-Step Verification by selecting the "Make 2-Step Verification mandatory" option.

Devices, Status & Actions

Once enabled, admins can see the status for each user, add or reset their secret key, or revoke all devices.

All the above can be found in Domains & Accounts → Manage Accounts → Edit on the account → in the General tab:

CLI

Admins can also configure 2-Step Verification from CLI.

Enabling / disabling / setting as mandatory:

 

Configuring 2-Step Verification at Account Defaults level (default account class of a domain):

 

Configuring 2-Step Verification at Account class level:

 

Configuring 2-Step Verification at account level:

 

Existing secret key provisioning

By default, Axigen generates a secret key when enabling 2-Step Verification. However, if you already have a secret key previously generated for your users and you want to also use it in Axigen, you can provision Axigen with each user's secret key with the following commands:

In order for the secret key to be validated (saved) it must be 16 characters long - numbers between 2 and 7 and capital letters.

 

Viewing the current verification code for a certain account:

User interaction

WebMail

Turning 2-Step Verification on

If the admin enabled 2-Step Verification as optional, the user can manage it by going to Settings → General tab:

 

After hitting the "Turn on" button, a modal dialog will be shown, giving the user a few details about 2-Step Verification.

If 2-Step Verification was enabled by the admin as mandatory, the above dialog will be displayed right after login.

 

If 2-Step Verification activation is optional, after clicking on the "Get Started" button, the user will be first required to verify credentials.

 

After entering credentials, the QR code pairing screen is displayed.


Scanning the code with a TOTP authenticator app, will generate an initial code which the user needs to enter in the field for pairing.

After filling in the field and clicking the "Next" button, 2-Step Verification will be turned on and the user can return to the WebMail interface.

Authentication using 2-Step Verification

After activation, each future login (session expiry) will require 2-Step Verification.

This screen can be branded via Axigen's Branding feature: Domains & Accounts → Manage Domains → click Edit on your domain → "General" Tab → "Branding" section → Configure branding.

Managing 2-Step Verification

After activation, users will be able to revoke all existing devices or add additional devices for authentication from Settings → General tab → "2-Step Verification" configure button → clicking "Next" after the credentials verification:

If 2-Step Verification was set by the admin to be optional, revoking all devices (by the admin or by the user) will disable the verification.

For the mandatory 2-Step Verification, users will be required to re-start the initial configuration.

Mobile WebMail

The Mobile WebMail does not have any options to activate or manage 2-Step Verification.

However, once enabled from the desktop WebMail, Mobile WebMail logins will also require 2-Step Verification.