What is 2FA?
Two-factor authentication, also known as 2FA, is a great way to add a layer of security to an account. When an account has this feature enabled, an exposed password will not grant unauthorized access to the account. The idea behind 2FA is that in order to access a secured resource, the user must identify themselves both by using something they know, and by using something they have.
Something the user knows
- This element is the same as standard security: a password. In order to access an account, the user must know the password.
Something the user has
- This element is the new security measure we will be setting up in this article: an authenticator. An authenticator is a device or service that provides an authentication code, which the user then inputs during log-in. The codes change regularly and cannot be reused. Without this code, the user will be denied access even if they have the correct password.
Choosing an authenticator
There are many options available, with varying features, costs, and benefits. For these instructions, we will be using a smartphone app to generate Time-based One-Time Passwords (sometimes known as a TOTP app). We recommend using Authy (https://authy.com/), but the steps are very similar for most apps.
- Choose an app and install it on your smartphone. See our 2FA Authenticators article for more authenticator options.
Enabling Two-Factor Authentication on your account
Webmail Modern:
- Log into your account using the Webmail client.
- Click the gear icon in the top right corner and select "Settings".
- Select "Accounts" from the list on the left.
- Click on your primary account to expand it.
- Scroll down to "Two-factor authentication" and click the button that says "Set up two-factor authentication".
- If this button does not appear, submit a ticket or contact us.
- Installing and configuring Authy:
- Download and install Authy from the Google Play Store or Apple App Store
- Run the app
- It will show an "account setup" page; enter your smartphone number.
- Enter an email account you have access to. Security alerts and support communications will go here. This does not need to be the account you are securing.
- Authy will send a confirmation code via WhatsApp, SMS or phone call to the phone number you provided. If you choose SMS and the app is open when the message arrives, it will automatically enter the code into the app; otherwise, enter it manually. When you succeed, an email confirmation will be sent to the account you entered in the previous step.
- Tap the blue "+" button to add an account
- If the code is about to change, wait for the new code and put that in instead.
Webmail Classic:
- Log into your account using the Webmail client.
- Click on "Preferences" in the top bar.
- Select "Accounts" in the left pane.
- In the "Primary Account Settings" section, find "Account Security" and click the blue link that says "Setup two-step authentication …"
- If the link does not appear in this section, submit a ticket or contact us.
- Installing and configuring Authy:
- Download and install Authy from the Google Play Store or Apple App Store
- Run the app
- It will show an "account setup" page; enter your smartphone number.
- Enter an email account you have access to. Security alerts and support communications will go here. This does not need to be the account you are securing.
- Authy will send a confirmation code via your choice of WhatsApp, SMS or phone call to the phone number you provided. If you choose SMS and the app is open when the message arrives, it will automatically enter the code into the app; otherwise, enter it manually. When you succeed, an email confirmation will be sent to the account you entered in the previous step.
- Tap the blue "+" button to add an account
Connecting to mail apps and clients:
- For apps and clients that support 2FA, such as Outlook via ZCO, you will be prompted to enter a code from your 2FA phone app when attempting to log in.
- You can check the box next to "Remember this device" or "Trust this device" if you would like the device to be considered "trusted". Trusted devices will not be asked for 2FA codes after the first time, so it's best not to use this setting on shared or publicly exposed devices.
- For apps and clients that do not support 2FA, such as most IMAP configurations, you will need to create an Application Passcode:
- In the webmail client, go to "Preferences" (in Classic) or "Settings" (in Modern), then "Accounts", and select the primary account.
- Scroll down to the Two-factor authentication section.
- Find "Passcodes for apps that do not support two-factor authentication" (in Modern) and click "+ Add Passcode".
- Enter a descriptive name for the application the passcode is to be used for and press "Next".
- It will generate an application passcode.
- Use this passcode in place of a password to access your account on your desired app or client.
- Application passcodes can be revoked from this same menu.
- Note that changing the account password will revoke all application passcodes.