Email 2 Factor Authentication
Voluntary disclosure of passwords via phishing emails is the most common form of account compromise. Such a disclosed password may lead to the phisher abusing your email account and sending out spam and phishing emails to others. If this happens your account will be locked as soon as it is spotted.
A way to largely prevent abuse of your email via this route is to enable two factor authentication (2FA).
You now need to install a 'time-based one-time password algorithm tool' (OTP app) on a suitable device, typically a smartphone. A good choice is google authenticator.
Enable 2FA in Zimbra
To enable 2FA on your Maths Zimbra account:
- Login to the Zimbra system at https://zimbra.maths.ox.ac.uk
- Click on Preferences -> Accounts
- Scroll down to the section labelled 'Account Security' and click on 'enable 2 step authentication'
- A message window will appear which explains the feature - click on begin setup
- It will ask you to confirm your usual password at this point, suggest suitable OTP apps, and then provide you a setup code for your OTP app
- In the OTP app choose to add a new account, choose the manual method, and then enter into the app the code provided by Zimbra in the previous step
You are now ready to go. To test it out log out of the Zimbra web interface and then log back in.
2FA with the Zimbra web interface
The login process will first ask for your usual login details, it will then ask for a one-time code. Look in the OTP app to see the current OTP code, enter that into the prompt. At this point, if this is a device and web browser you trust and use regularly, then you likely want to tick the 'trust this device box' before pressing the verify button.
If you have chosen to trust the device then for future logins for this device (with this particular web browser) you will not need to use a OTP code. If you switch to a different web browser on the same device (e.g. change from Firefox to Chrome) then you will need to enter a OTP code and device whether to also trust that web browser on this device.
Whilst it has taken some additional time to setup 2FA, for devices you trust and use regularly, your future use is effectively as before. Importantly though, if you accidentally/voluntarily disclose your password via a phishing attack, that attacker will not have your trusted device and so will need a OTP code, will not be able to get one, and thus cannot abuse your account!!!
2FA with thunderbird
Thunderbird does not support 2FA. Instead you need to create an application code to use in place of a normal password:
- Login to the Zimbra system at https://zimbra.maths.ox.ac.uk
Click on Preferences -> Accounts
Scroll down to the section labelled 'Account Security' and click on 'Add Application Code'
- Enter the name of the application and then note down the code it gives you
In thunderbird you now need to use this 17 character application code as your password instead of your normal one. Remembering such a long different password will likely be taxing, and you will likely thus wish to tick the box in thunderbird to 'save password in thunderbird password manager'.
If you have configured thunderbird to also access your Zimbra calendar via caldav then you need to use this 'application password', together with your usual username, when it prompt for the calendar connection.
2FA with Apple Mail.app
To do - will likely be an application code based approach as above
2FA with (al)pine
As in the above case for thunderbird, (al)pine does not support 2FA, and so one needs to use an application password. Follow the instructions above to create an 'application code' (or use the same application code you have generated for thunderbird if appropriate).
Now open a terminal window and run
echo "" > ~/.pine-passfile
Now start pine. Pine will prompt you to create a 'master password', this is a password that will unlock the pine password manager each time you start pine and enter it. This is something you will have to remember!
Having set a pine master password, it will then ask you for the 'login password'. Rather than your usual login passsword, this is where you need to enter the 'application code'. It will then offer you the option to encrypt and save this application code. Select yes at this point and it will save the encrypted application code into the .pine-passfile.
You are now setup such that when you start pine you now enter the (different) pine master password to login, rather than your usual password (and then pine decrypts the stored application password and uses that to make the connection).
2FA with outlook
In general in the department if you are using outlook (only about 20-30 people) then it will be configured to connect via the Zimbra Connector for Outlook (ZCO). The ZCO supports 2 FA in a similar fashion to the Zimbra web interface described above.
As such when you start outlook for the first time after enabling 2FA, it should prompt for a OTP code. You look this up via the google authenticator app on your smartphone, enter it into the prompt, and if it is a trusted device you tick the 'trust/remember this device' box.
If you told it to trust this device then it will not prompt for a 2FA OTP code again on this device. Importantly though, if you accidentally/voluntarily disclose your password via a phishing attack, that attacker will not have your trusted device and so will need a OTP code, will not be able to get one, and thus cannot abuse your account!!!
Emergency one time codes
You will likely mostly access your email from trusted devices and hence not need to use a OTP code each time you connect. However, if you are extra secure, or use other devices from time to time, then you will use OTP codes more often. As such you will be much more dependant on have your devicd with OTP app with you and working. If say the battery has run down on your phone then you may find yourself unable to generate a OTP code yet still need to log in to your email. This is where the emergency one time codes can come in handy (provided you have made a note of one or more of them in advance in some secure way).
You can find your 10 one time codes in the Zimbra Preferences -> Accounts -> Account Security section.