6 steps to Zimbra two-factor authentication with YubiKey

8 Feb, 2017 John W. Cloud, Collaboration, Email, Exchange Replacement, Licensing, Mail Server, Multi-Factor Authentication, open source, Open Source Edition, privacy, Security & Safety, Stuff We Like, Value Added Reseller, VAR, Zimbra

We are proud to announce that XMission Zimbra Email and Collaboration now features two-factor authentication (2FA). Two-factor authentication is a technology that provides identification of users utilizing two different components. Typically something that you know (like a password, UserID, etc) and something you have (a smartphone, USB-key, etc.). Using 2FA protects you against phishing and other sophisticated attacks.

In this post we’re working with the YubiKey NEO and an Android smartphone. The YubiKey NEO USB and NFC security key offers an easy and secure way to log in to your services such as Zimbra, Facebook, Salesforce, GitHub and many more. YubiKeys are also supported by leading password managers, including LastPass, KeePass, and others. We like the super convenient NFC feature in the Neo. (NFC is use by services like ApplePay and Google Wallet and is what allows you to tap your mobile devices to payment kiosks as well as this two-factor authentication method where you simply touch your USB key to your phone.)

Purchase your own YubiKey NEO on Amazon.

Here is how to configure:

Step 1: Download the Yubico Authenticator app for Android or Desktop.

Step 2: Insert YubiKey into your computer’s USB port or tap YubiKey to phone for NFC.

Step 3: On the Android phone, in the Yubico Authenticator app, tap the menu button in the top right corner of your screen and tap “Add account manually.” Here you will be asked for a name, code, and protocol. You can name it whatever you want, and the protocol should be set to TOTP.

Step 4: Log in to Zimbra, go to the Preferences tab along the top, then select Accounts in left column. Under Account Security, click on “Setup two-factor authentication…” Click “Begin Setup” on the window that appears.

Now confirm your Zimbra password and click “Next” to proceed.

The next screen instructs you to install an authentication application on your phone and has a Zimbra.com wiki link to other TOTP authentication apps for Android, iOS, and Windows. In Step 1 above, we installed the Yubico App on your phone so click “Next” to get your authentication code.

Step 5: Enter code generated by Zimbra into the “Secret key” field in the Yubico Authenticator app and click “Add”

Step 6: Tap or plug in YubiKey again to save settings.

Now that you have this configured, your YubiKey will work with your phone and desktop.

NOTES:

All YubiKeys, and many other brands of security USB keys, will work with Zimbra two-factor authentication and your desktop or laptop.
iPhones and iPads have very limited support with YubiKey devices but still work with Zimbra 2FA.
Paid editions of Zimbra Collaboration 8.7.X supports two-factor authentication. Open source edition does not support 2FA.

Don’t forget, Zimbra makes it simple to further secure sensitive email messages. See our post on how to easily use PGP encryption.

Using encryption is easy and a great practice to use in your day to day communications. To sign up for Email and Collaboration or buy licensing for your own on-premise Zimbra mail server, please contact John.

Please comment or ask questions below. We would love to hear from you. Remember, sharing is easy as clicking on of the social buttons below.

John Webster, XMission Email Product Manager and Zimbra evangelist, has worked at XMission for over 20 years doing his favorite thing: helping companies securely communicate with customers through technology to grow their business. When he’s not uncovering Zimbra’s secrets you might find him in our beautiful Utah mountains. Connect with him on LinkedIn today!