2-factor authentication

Email is the repository of all your important communication and data. It contains your business strategy, customer details, financial transactions, etc. Users also store passwords to internal systems in their emails. Unauthorised access to an email account may cause huge loss to your business. For example, someone can hack into your CFO’s mailbox and send mail to your customers asking them to transfer their payments to different accounts, or your competitor can log in to your sales director’s account and get details of the leads you are pursuing.

In today’s world it is not enough to secure your account with strong passwords. Hackers have evolved their techniques to crack even the strongest passwords and gain access to the mail system. Many times your employees unintentionally leak access to their accounts. The most common scenario of such unintentional leakage is your top management accessing mail from unsecured Wi-Fi locations such as airports, hotels, etc.

Two factor authentication

With hacking techniques evolving, a true account holder cannot be ascertained only by what you know (i.e. your password) but also by what you have (a device). To get access to the account, one must not only know the password but also have a personal device to which another one-time password can be sent. Many banks give their patrons a device on which a code is generated every few minutes. To access the bank account, users must enter this code along with the password. If the password is hacked, the hacker does not have access to the code on the device, and if the device is lost or stolen, the other person does not have the primary password. This combination of password and code on a device increases the security of the account manifold.

Nowadays, owing to the huge proliferation of smartphones, it is not necessary to have a specialized device for the second verification. Research shows that a mobile phone and mobile number are personal to each person and usually not shared or given to anybody.

Rediff has developed a bank-like authentication mechanism where users have to authenticate using their password as well as a one-time code sent to their registered mobile number. A one-time password is also required to change the password of your account or to set an autoforward on your account.

Two factor authentication is required every time you log in to your webmail and is valid for the entire session. If you are accessing your mail using the POP or IMAP protocol, you will be challenged for a one-time password only when our systems detect unusual activity from the account, e.g. logging in from multiple geographic locations simultaneously or a sudden increase in mails sent from the account.
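A sketch of the two POP/IMAP triggers named above (simultaneous logins from different locations, and a sudden rise in sent mail), run over constructed events. This is an added example, not Rediff's code; the event layout, account names and all thresholds are assumptions.

```python
from collections import defaultdict

# All thresholds are assumptions for illustration; the page states none.
GEO_WINDOW = 600    # seconds within which two logins count as simultaneous
SPIKE_FACTOR = 5    # last-hour sends vs. the earlier hourly average
MIN_SPIKE = 50      # ignore bursts smaller than this many mails per hour

NOW = 14400  # "current time" for the constructed sample
# Constructed sample events: (epoch seconds, account, country, action)
EVENTS = [
    (1000, "cfo@example.com", "IN", "login"), (1200, "cfo@example.com", "BR", "login"),
    (1000, "sales@example.com", "IN", "login"), (9000, "sales@example.com", "IN", "login"),
]
EVENTS += [(t, "ops@example.com", "IN", "send") for t in range(0, 10800, 360)]
EVENTS += [(t, "ops@example.com", "IN", "send") for t in range(10801, NOW, 45)]

def geo_conflict(logins):
    """True if two logins from different countries fall within GEO_WINDOW."""
    return any(c1 != c2 and abs(t1 - t2) <= GEO_WINDOW
               for t1, c1 in logins for t2, c2 in logins)

def send_spike(times, now):
    """True if last-hour sends far exceed the earlier hourly average."""
    recent = sum(1 for t in times if now - 3600 < t <= now)
    older = [t for t in times if t <= now - 3600]
    if recent < MIN_SPIKE or not older:
        return False  # too small to matter, or no baseline to compare with
    hours = max(1.0, (now - 3600 - min(older)) / 3600)
    return recent > SPIKE_FACTOR * len(older) / hours

def accounts_to_challenge(events, now):
    """Map each account that should get an OTP challenge to its reasons."""
    logins, sends = defaultdict(list), defaultdict(list)
    for ts, account, country, action in events:
        if action == "login":
            logins[account].append((ts, country))
        elif action == "send":
            sends[account].append(ts)
    flagged = {}
    for account in sorted(set(logins) | set(sends)):
        checks = (("geo", geo_conflict(logins[account])),
                  ("send-spike", send_spike(sends[account], now)))
        reasons = [name for name, hit in checks if hit]
        if reasons:
            flagged[account] = reasons
    return flagged

print(accounts_to_challenge(EVENTS, NOW))
```

A user who logs in from two countries a day apart is not flagged; only logins inside the window count as simultaneous.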

Two factor authentication is important not only to deny hackers unauthorised access to the account but also to ascertain that the activity done from the account was indeed done by the user in that session. Several cases have been reported where an employee does something mischievous and later claims that his account was hacked and that he was not involved in the activity. With two factor authentication, the onus for any activity done from the account lies on the user of the account, and he cannot claim not to be involved in any mail sent from his account.

Is two factor authentication mandatory for all the users in a domain?
We understand that certain ids, like system ids, are owned by groups rather than one individual. You can set two factor authentication for all users in the domain, or you can mandate two factor authentication only for selected users.

What happens when the mobile is not accessible to the user?
If the user loses his phone or is not carrying it with him, the admin can temporarily turn off the two factor authentication setting for that user.

What if the user does not receive the code sent?
If a code is not received on the user’s mobile, he is given a resend option. The user can try resending the code 3 times.

How to change the registered mobile number?
The right to change the registered mobile number rests with both the user and the admin. The user can change the registered mobile number by accessing the user settings in the webmail. The admin can also change the registered mobile number by editing the user profile.

Will the user get the code even when he is roaming internationally?
Yes. International roaming users will receive the code sent via SMS.

How does two factor authentication work when the user is accessing mail from a mobile?
The one-time password is sent as an SMS to the user’s mobile. Thus, even if the user is accessing mail from a mobile browser, he can still read the code sent in the SMS and authenticate himself while logging in.
