What is 2FA?
Two-factor authentication, also known as 2FA, is a great way to add a layer of security to an account. When an account has this feature enabled, an exposed password will not grant unauthorized access to the account. The idea behind 2FA is that in order to access a secured resource, the user must identify themselves both by using something they know, and by using something they have.
Something the user knows
- This element is the same as standard security: a password. In order to access an account, the user must know the password.
Something the user has
- This element is the new security measure we will be setting up in this article: an authenticator. An authenticator is a device or service that provides an authentication code, which the user then inputs during log-in. The codes change regularly and cannot be reused. Without this code, the user will be denied access even if they have the correct password.
Choosing an authenticator
There are many options available, with varying features, costs, and benefits. For these instructions, we will be using a smartphone app to generate Time-based One-Time Passwords (sometimes known as a TOTP app). We recommend using Authy (https://authy.com/), but the steps are very similar for most apps.
- Choose an app and install it on your smartphone. See our 2FA Authenticators article for more authenticator options.
Enabling Two-Factor Authentication on your account
Webmail Modern:
- Log into your account using the Webmail client.
- Click the gear icon in the top right corner and select "Settings"
- Select "Accounts" from the list on the left.
- Click on your primary account to expand it.
- Scroll down to "Two-factor authentication" and click the button that says "Set up two-factor authentication".
- If this button does not appear, submit a ticket or contact us.
- Enter your password in the "Confirm password" dialogue.
- You will be prompted to install an authentication app on your smartphone. If you have not already done so, choose and install an authentication app now.
- Installing and configuring Authy:
- Download and install Authy from the Google Play Store or Apple App Store
- Run the app
- It will show an "account setup" page. Enter your smartphone number.
- Enter an email account you have access to. Security alerts and support communications will go here. This does not need to be the account you are securing.
- Authy will send a confirmation code via WhatsApp, SMS or phone call to the phone number you provided. If you choose SMS and the app is open when the message arrives, it will automatically enter the code into the app; otherwise, enter it manually. When you succeed, an email confirmation will be sent to the account you entered in the previous step.
- Tap the blue "+" button to add an account
- On your computer, click "Next".
- A window will appear titled "Connect your email account". It will show both a key and a QR code.
- On your phone, if the authentication app you chose supports QR codes, follow the in-app instructions to scan it. Otherwise, enter the key.
- Follow the instructions in your app to proceed. Some apps will offer backup codes or allow you to set passwords. Make sure you keep these somewhere you can find them again if you are locked out of your account in the future.
- Your phone app should now be displaying an authentication code. This code will change periodically.
- On the computer, press "Next" and then enter the current code in the next window.
- If the code is about to change, wait for the new code and put that in instead.
- Press "Verify"
- You have now enabled and set up 2FA for your account, but you are not quite done yet!
- Back in the webmail settings menu > Accounts, under Two-factor authentication, you should now see "One-time codes" and a link next to it that says something like "10 unused codes". Click the link, then copy or print the codes and store them somewhere you can find them again. Each of these codes can be used once to gain access to the account in case you lose your phone or have other authorization problems.
Webmail Classic:
- Log into your account using the Webmail client.
- Click on "Preferences" in the top bar.
- Select "Accounts" in the left pane.
- In the "Primary Account Settings" section, find "Account Security" and click the blue link that says "Setup two-step authentication …"
- If the link does not appear in this section, submit a ticket or contact us.
- Click "Begin Setup" in the window that pops up.
- You will be prompted to enter your password. Do so and click "Next".
- You will be prompted to install an authentication app on your smartphone. If you have not already done so, choose and install an authentication app now.
- Installing and configuring Authy:
- Download and install Authy from the Google Play Store or Apple App Store
- Run the app
- It will show an "account setup" page. Enter your smartphone number.
- Enter an email account you have access to. Security alerts and support communications will go here. This does not need to be the account you are securing.
- Authy will send a confirmation code via your choice of WhatsApp, SMS or phone call to the phone number you provided. If you choose SMS and the app is open when the message arrives, it will automatically enter the code into the app; otherwise, enter it manually. When you succeed, an email confirmation will be sent to the account you entered in the previous step.
- Tap the blue "+" button to add an account
- On your computer, click "Next".
- A window will appear titled "Connect your email account". It will show a key.
- On your phone, enter the key into your app.
- Follow the instructions in your app to proceed. Some apps will offer backup codes or allow you to set passwords. Make sure you keep these somewhere you can find them again if you are locked out of your account in the future.
- Your phone app should now be displaying an authentication code. This code will change periodically.
- On the computer, press "Next" and then enter the current code in the next window.
- If the code is about to change, wait for the new code and put that in instead.
- Press "Verify"
- You have now enabled and set up 2FA for your account, but you are not quite done yet!
- Back in the webmail settings menu > Accounts, under Two-factor authentication, you should now see "One-time codes" and a link next to it that says something like "10 unused codes". Click the link, then copy the codes and store them somewhere you can find them again. Each of these codes can be used once to gain access to the account in case you lose your phone or have other authorization problems.
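How the key from the "Connect your email account" window turns into the changing codes, and why it helps to wait when a code is about to change: the sketch below is an added example, not code from the webmail product or from Authy. It follows the TOTP standard (RFC 6238) and assumes the common defaults of a 30-second step, 6 digits and HMAC-SHA1; the key is the RFC's published test key, and the one-step tolerance in `verify` is an assumption about typical servers, not documented behaviour of this service.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each code is valid (assumed default)
DIGITS = 6   # code length (assumed default)

# Constructed sample: base32 form of the RFC 6238 test key, never a real account key.
SAMPLE_KEY = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


def decode_key(key_b32: str) -> bytes:
    """Decode a setup key as a user would type it (spaces, lowercase, no padding)."""
    cleaned = key_b32.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore base32 padding if it was dropped
    return base64.b32decode(cleaned)


def totp(secret: bytes, at: float, step: int = STEP, digits: int = DIGITS) -> str:
    """Code for Unix time `at`: HMAC-SHA1 over the step counter, then truncation."""
    counter = int(at) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def seconds_left(at: float, step: int = STEP) -> int:
    """Seconds until the displayed code is replaced by the next one."""
    return step - int(at) % step


def verify(secret: bytes, code: str, at: float, window: int = 1) -> bool:
    """Server-side check that tolerates +/- `window` steps of clock drift (assumed)."""
    return any(
        hmac.compare_digest(totp(secret, at + i * STEP), code)
        for i in range(-window, window + 1)
    )


if __name__ == "__main__":
    now = time.time()
    key = decode_key(SAMPLE_KEY)
    print("current code:", totp(key, now), "changes in", seconds_left(now), "s")
```

Because phone and server derive the code from the same key and the current time, a wrong clock on the phone is a common reason a freshly entered code is rejected.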
Connecting to mail apps and clients:
- For apps and clients that support 2FA, such as Outlook via ZCO, you will be prompted to enter a code from your 2FA phone app when attempting to log in.
- You can check the box next to "Remember this device" or "Trust this device" if you would like the device to be considered "trusted". Trusted devices will not be asked for 2FA codes after the first time, so it's best not to use this setting on shared or publicly exposed devices.
- For apps and clients that do not support 2FA, such as most IMAP configurations, you will need to create an Application Passcode:
- In the webmail client, go to "Preferences" (in Classic) or "Settings" (in Modern), then Accounts, and select the primary account.
- Scroll down to the Two-factor authentication section
- Find "Passcodes for apps that do not support two-factor authentication" (in modern) and click "+ Add Passcode"
- Enter a descriptive name for the application the passcode is to be used for and press "Next".
- It will generate an application passcode.
- Use this passcode in place of a password to access your account on your desired app or client.
- Application passcodes can be revoked from this same menu.
- Note that changing the account password will revoke all application passcodes.