Groupware 2-factor authentication setup step-by-step


Find out about the "why" of 2-factor-authentication at Groupware.

Manuals


Illustrated instructions to enable 2FA


  1. Make sure you have a smartphone at hand and install the Google Authenticator app from the App Store / Play Store. If the app is already installed, you will add another item to its accounts list.
    Please note:
    • This app is primarily a specialized pocket calculator: it doesn't send any data to Google unless you tell it to. Make sure NOT to connect it to a Google account.
    • You'll use the same 2FA method, but different credentials from the RemoteLinux/RemoteWindows ones.
  2. Log in to your email account via the mail server's Web GUI.
    00_zimbra-login.png
  3. The setup process for 2FA starts immediately if you haven't enabled it yet.
    01_2fa-setup.png
  4. Enter your password once for confirmation.
    02_confirm-password.png
    A short explanation is shown. If you've not done it already, install the Google Authenticator app from the App store / Play store of your smartphone.
    03_install-app.png
  5. The TOTP seed is shown. Add a new entry to Google Authenticator via "Enter a setup key". Enter a meaningful label like "Email@MPI/CBS".
    04_totp-seed.png
    If you wonder where to add the entry:
    04_ga.png
  6. Prove to the mail server that you successfully set up Google Authenticator by entering the TAN (one-time code) currently displayed for the "Email@MPI/CBS" entry.
    05_confim.png




Set up a program instance and assign an application password



Each mail application running on your computer requires its own application password to authenticate and cannot use your account password. The following is an explanation of how to generate such a password. Information on how to set up the software can be found here.

  1. Go to the application password area in your mail server's Web GUI.
    06_application-passwords.png
  2. Add an application code, e.g. for Thunderbird on your workstation in the institute. Make sure to use a meaningful label, e.g. "thunderbird@mpi". The label must make sense to you so that you can identify the application instance associated with it.
    07_add-application.png
  3. The application code is displayed. You'll see the new application label appearing in the list in the background.
    08_new-random-password.png
    A long random string, the application password, is shown. Keep this window open for now.
  4. DO NOT write down, store or screenshot the application password! Your being unable to produce the password later on is part of the security concept!
  5. Open the application you want to connect to your mail account, e.g. Thunderbird (see GroupwareThunderbird).
    • If you haven't set up your account yet (the majority of cases), use the mail app's assistant to connect to an existing mail account. Enter your mail address, e.g. myuser@cbs.mpg.de, and enter the application code as the password.
    • If your account is already set up and you just want to apply the 2FA you just enabled (the less common case), wait for the program to complain that the password is wrong, then enter the application password instead of your account password.
  6. Close the dialog with the application password. Do not memorize it, do not write it down. You won't need it anymore, ever. Not being remembered is a feature of this password!
  7. The new application is now registered for your account and will be shown in the application list at "Preferences"/"Accounts" in the Webmail service. Check this list from time to time (e.g. once a year) and remove applications that you no longer use (e.g. for phones you sold). The "Last Used" field shows the date on which the respective application last accessed your mail account.
  8. Repeat the process for each additional mail client, e.g. when setting up Thunderbird somewhere else.




Short instructions for advanced users



  • The mail server uses OATH-TOTP 2FA, which can and must be enabled by users themselves.
  • TOTP seeds are not the same as the ones used for RemoteLinux/RemoteWindows.
  • 2FA must be enabled upon first login to the Web GUI.
  • IMAPS/SMTPS/CalDAVS/CardDAVS client applications are supported via server-generated application passwords, issued by users themselves in the "Accounts" section of the "Preferences" tab of the Web GUI.
  • There's no practical limit to the number of applications per user account.
  • 2FA can only be reset by IT if access to the TOTP seed is lost. Physical presence and verification with a government-issued ID (e.g. passport) is necessary in this case.
  • The Webmail service provides an option to mark a browser as safe during login. This suppresses the 2FA requirement for 30 days.




Hints

  • Consider making a backup of your credentials if you have a second phone: Groupware
  • Application passwords are long, random and difficult to remember. That's a feature, not a bug. You are discouraged from memorizing them or writing them down anywhere.
  • If you change your institute password, application passwords remain valid.

Topic revision: 15 Oct 2024, Burk2