Protect your LuxSci Account with Two-Factor Authentication and Other Barriers
Two-Factor Authentication (supposedly patented by Kim DotCom) is finally becoming fashionable. It means using a password plus “something else” to gain access to your account, so that a lost, stolen, or guessed password alone is not enough for an attacker to get in.
First it was a cool idea, then some places such as LuxSci started supporting it, but it was rarely used because people did not want to bother with an extra step to log in to their accounts. Now that Twitter has added two-factor authentication to help stem the tide of account compromises, security has become fashionable.
This turnabout is really fantastic, as it brings security consciousness much more into the mainstream, so much so that popular radio hosts are talking on the air about how to secure accounts. This can only be good for the adoption of better security practices overall and for a decrease in compromises due to laziness … and in cases like HIPAA, laziness can be a terrible thing.
In this post, we’ll go over how to secure your LuxSci account against intrusion using Two Factor authentication and other methods.
Two Factor Authentication for WebMail
LuxSci has for a long time supported Two Factor authentication for its WebMail interface. After you enter your username and password successfully, a code can be texted to your phone or emailed to an alternate email address of yours. You enter this code and you are allowed into your account. If you choose email delivery, keep in mind that the alternate mailbox becomes part of your login security: anyone who can read it can also pass your second factor, so protect it as carefully as your LuxSci password. To enable:
- Log in to LuxSci
- Go to the “Account > My Profile > Two-Factor Authentication” page
- Choose “SMS” or “Email” and enter your phone information or alternate email address.
- If you choose “SMS”, we recommend using the “Test It” button so you can be sure that you receive the text properly before you are required to use it to log in.
- Press “Save Changes”
That’s it — every login to WebMail from then on will require this second factor.
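To make the mechanism concrete, here is an added example of how a server can issue and check a delivered (SMS or email) login code. This is illustrative code written for this post, not LuxSci’s implementation; the six-digit length, five-minute lifetime, five-attempt budget and the `DeliveredCode` / `login` names are assumptions. The points it makes that the description above does not: the code is stored only as a salted HMAC, it is single-use, it expires, wrong guesses are capped (a six-digit code survives only a handful of guesses otherwise), and the comparison is constant-time.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed policy values for this example (not LuxSci's actual settings).
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # a delivered code is only good for five minutes
MAX_ATTEMPTS = 5         # then the code is dead and a new one must be sent


class DeliveredCode:
    """Server-side record for one SMS/e-mail login code.

    Only a salted HMAC of the code is stored, so a leaked table row does not
    reveal the code. The clear-text value is exposed once, on creation, to hand
    to the SMS gateway or mailer; here it is kept on the object for the demo.
    """

    def __init__(self, user: str, now: Optional[float] = None) -> None:
        self.user = user
        self.created = time.time() if now is None else now
        self.attempts = 0
        self.used = False
        self._salt = secrets.token_bytes(16)
        code = secrets.randbelow(10 ** CODE_DIGITS)
        self.delivered_code = f"{code:0{CODE_DIGITS}d}"   # send out of band, then forget
        self._digest = self._mac(self.delivered_code)

    def _mac(self, code: str) -> bytes:
        return hmac.new(self._salt, code.encode("ascii"), hashlib.sha256).digest()

    def verify(self, submitted: str, now: Optional[float] = None) -> bool:
        """True exactly once, for the right code, inside the TTL and attempt budget."""
        now = time.time() if now is None else now
        if self.used or now - self.created > CODE_TTL_SECONDS:
            return False
        if self.attempts >= MAX_ATTEMPTS:
            return False
        self.attempts += 1
        # Constant-time comparison: a timing side channel would otherwise let an
        # attacker recover the code digit by digit.
        ok = hmac.compare_digest(self._mac(submitted.strip()), self._digest)
        if ok:
            self.used = True
        return ok


def brute_force(challenge: DeliveredCode, now: float) -> int:
    """Submit wrong guesses until the attempt budget is spent; returns guesses made.

    The real code is skipped so the demo is deterministic; a real attacker gets
    at most MAX_ATTEMPTS guesses out of 10**CODE_DIGITS either way.
    """
    made = 0
    for guess in range(10 ** CODE_DIGITS):
        candidate = f"{guess:0{CODE_DIGITS}d}"
        if candidate == challenge.delivered_code:
            continue
        if challenge.attempts >= MAX_ATTEMPTS:
            break
        challenge.verify(candidate, now=now)
        made += 1
    return made


def login(password_ok: bool, challenge: Optional[DeliveredCode],
          submitted: str, now: float) -> bool:
    """The WebMail flow: the second factor is consulted only after the password passes."""
    if not password_ok:
        return False
    if challenge is None:          # two-factor not enabled for this user
        return True
    return challenge.verify(submitted, now=now)
```

Note that once the attempt budget is spent, even the correct code is refused; the user has to request a fresh one, which is the behaviour you want when someone else has been guessing against your login.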
Advanced Two Factor Authentication for WebMail
The method described above is free and easy and should work for everyone. However, if you would like more bells and whistles, such as:
- An app for your phone to generate passcodes or to enable 1-click verification
- Management of multiple people’s 2nd factor (e.g. if you are a company)
- Use of hardware tokens other than phones
- The ability to generate a bypass code (e.g. if you lose your phone)
- Reporting and auditing of the 2nd factor’s usage
- Using your choice of multiple phones or devices to validate access to a single account (lack of support for this is a major drawback of the new systems Twitter and others are using)
then LuxSci supports integration of DuoSecurity Two Factor Authentication with LuxSci WebMail. Integration of DuoSecurity with LuxSci is free, and DuoSecurity accounts with 10 users or fewer are also free with them … so if you are a small organization, you can have some pretty advanced two-factor authentication at no additional cost. If you are a little larger, they are really inexpensive.
Once you have a DuoSecurity account, you can enable DuoSecurity for LuxSci on your “Account > Advanced Administration > Security > DuoSecurity Two Factor” page. You can require DuoSecurity for all users, or leave it optional for them.
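Two of the features in that list, app-generated passcodes and bypass codes, are worth seeing in code. The following is an added example written for this post, not DuoSecurity’s or LuxSci’s code: it implements the open standards that phone passcode apps generally use, HOTP (RFC 4226) and TOTP (RFC 6238), and checks them against the RFC test vectors, then adds one-time bypass codes stored only as salted hashes. The `AppPasscodeVerifier` class, the one-step drift window and the replay rule (a counter is never accepted twice) are assumptions of the example; whether Duo’s app uses exactly these parameters is not something this post establishes.

```python
import hashlib
import hmac
import secrets
from typing import List

# Secret from the RFC 4226/6238 test vectors; a real enrollment uses a fresh random key.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at_time // step, digits)


class AppPasscodeVerifier:
    """Verifies app-generated passcodes and one-time bypass codes for one user.

    Assumptions of this example: a +/-1 step window for clock drift, a counter
    is accepted at most once (replay protection), and bypass codes are kept only
    as salted SHA-256 digests so a database leak does not hand them out.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1) -> None:
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1             # highest counter already accepted
        self._bypass_salt = secrets.token_bytes(16)
        self._bypass_digests: List[bytes] = []

    def verify_passcode(self, submitted: str, at_time: int) -> bool:
        counter = at_time // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue                   # already used, or older than a used code
            if hmac.compare_digest(hotp(self.secret, c, self.digits), submitted):
                self.last_counter = c
                return True
        return False

    def issue_bypass_codes(self, count: int = 5) -> List[str]:
        """Bypass codes for the 'lost my phone' case; show them to the user once."""
        codes = [secrets.token_hex(5) for _ in range(count)]   # 40 random bits each
        self._bypass_digests = [self._hash_bypass(c) for c in codes]
        return codes

    def _hash_bypass(self, code: str) -> bytes:
        return hashlib.sha256(self._bypass_salt + code.encode("ascii")).digest()

    def verify_bypass(self, submitted: str) -> bool:
        digest = self._hash_bypass(submitted.strip().lower())
        for i, stored in enumerate(self._bypass_digests):
            if hmac.compare_digest(stored, digest):
                del self._bypass_digests[i]   # each bypass code works exactly once
                return True
        return False
```

The drift window is the usual trade-off: accepting the previous and next 30-second step keeps slightly mis-set phone clocks working, and the `last_counter` rule makes sure an intercepted passcode cannot be replayed inside that window.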
Two Factor Authentication for Password Resets
Like most web sites, LuxSci has a mechanism by which users can reset their passwords themselves once they have verified their identity. LuxSci’s mechanism by default requires two factors for identity verification, any two of:
- Sending a text to a mobile number already registered in your account
- Sending an email to an alternate email address already registered in your account
- Answering a security question already defined in your account
Two-factor verification is turned on for everyone for security reasons. Of the three methods, the security question is the weakest: the SMS and email checks prove possession of a phone or mailbox, while an answer to a question is often guessable or discoverable from public information. Customers who want even more security can turn off self-service password resets altogether, so that all password reset requests must be handled manually by your Administrator.
For more details, see: Self-Service Password Reset System.
What about non-WebMail Logins?
The Two Factor mechanisms discussed above are all for the WebMail interface; the nature of the web makes it much easier to add a second step there than to protocols like IMAP, where a mail client sends a single username and password and has no way to prompt you for a code.
So, while LuxSci does not have two-factor authentication for IMAP, POP, SMTP, FTP and the like, there are several things you can do to further lock down your account.
1. Turn off services that you do not need.
If you never use POP, for example, it can be disabled for your user or for your whole account, making it impossible for anyone to use POP to try to guess your password or gain access to your email.
2. Require use of SSL
Most password guessing and automated break-in attempts work by connecting to insecure (non-SSL) POP, SMTP, or other services and trying various passwords. This is partly because it is much faster to connect without SSL, so many more passwords can be checked in the same amount of time.
As everyone should know by now, use of insecure connections is really bad, as it is possible to eavesdrop on these connections and discover your passwords and other sensitive information.
Solution: restrict your account so that all insecure login attempts are blocked. This is done by default on all new LuxSci accounts. Older accounts may want to enable this setting at the user, domain-wide, or account-wide level to better secure themselves against both password guessing and eavesdropping.
3. Use your Custom LuxSci Firewall
LuxSci provides all accounts with a nifty self-configurable “firewall”. You can use it to allow and deny access to some, any, or all services based on IP address or range, and this can be done account-wide, domain-wide, and per-user.
So, you only access IMAP from work and home? No problem: you can block access to that service from all IP addresses except those. That makes it practically impossible for anyone else to guess your password, or to log in as you even if they already have it.
These custom firewalls are kind of a two factor solution. An IP address is not a true authentication factor (it is neither something you know nor something you have), but if you lock down access to only certain locations, then an attacker needs both your password and a foothold in one of those places to get in.
Combine this with WebMail Two Factor, and you can use that login to control your account and update your personal firewall as needed. E.g. say you have just arrived at a hotel and have access there via Wi-Fi. You can log in (two-factor) to WebMail and enable your hotel IP for access to your email via IMAP and SMTP. Give it a minute to propagate through the system and you are on (at least while you have that IP address). Keep in mind that a hotel’s public IP address is usually shared by every guest on its network, so remove the entry again when you check out.
Geographic Restrictions for WebMail Logins
While you can restrict WebMail access by IP and IP range, and you can add Two-Factor authentication, restriction by IP is not always so easy. E.g. if you travel a lot and your IP addresses change a lot, then it will be hard to specify which IP addresses should be allowed into your account.
LuxSci has a solution for that as well! On your “Account > Domains > Select domain > Security > Web Interface IP Access” page, you can restrict access to WebMail for everyone in your domain based on country and/or region.
For example, simply restricting access to “United States” will prevent anyone with an IP address in another country from ever logging in to the WebMail interface (just be careful to update your list before you travel). Geolocation is only as accurate as the IP-to-country database behind it, and an attacker using a proxy or VPN exit in an allowed country passes this check, so treat it as one barrier among several rather than as a substitute for two-factor authentication.
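The custom firewall and the geographic restriction above are both access policies evaluated against the connecting IP before a password is ever checked. The following added example (written for this post, not LuxSci’s firewall code) models both and walks through the hotel scenario from the firewall section: IMAP is limited to home and office addresses, POP is shut off account-wide, WebMail is limited to one country, and the user adds and later removes the hotel address. Everything here is an assumption of the example: the `ServiceFirewall` class, the precedence between user, domain and account rules (most specific scope wins, deny beats allow), the IP addresses (documentation prefixes) and the tiny `GEOIP_TABLE` that stands in for a real GeoIP database.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a GeoIP lookup: documentation prefixes mapped to
# made-up countries for the example. A real deployment queries a GeoIP database.
GEOIP_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
]


def country_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for net, cc in GEOIP_TABLE:
        if addr in net:
            return cc
    return None


class ServiceFirewall:
    """Per-service allow/deny rules at user, domain and account scope, plus an
    optional country list for WebMail.

    Precedence is an assumption of this example, not LuxSci's documented
    behaviour: the most specific scope that has any rule for a service decides;
    within a scope a deny match wins over an allow match; a non-empty allow list
    means "nothing else"; a service with no rules anywhere stays open.
    """

    SCOPES = ("user", "domain", "account")

    def __init__(self) -> None:
        # scope -> service -> {"allow": [networks], "deny": [networks]}
        self.rules: Dict[str, Dict[str, Dict[str, List]]] = {s: {} for s in self.SCOPES}
        self.webmail_countries: List[str] = []   # empty list = no geographic restriction

    def add(self, scope: str, service: str, action: str, cidr: str) -> None:
        entry = self.rules[scope].setdefault(service, {"allow": [], "deny": []})
        entry[action].append(ipaddress.ip_network(cidr, strict=False))

    def remove(self, scope: str, service: str, action: str, cidr: str) -> None:
        net = ipaddress.ip_network(cidr, strict=False)
        entry = self.rules[scope].get(service, {"allow": [], "deny": []})
        entry[action] = [n for n in entry[action] if n != net]

    def check(self, service: str, src_ip: str) -> Tuple[bool, str]:
        """Return (allowed, reason) for a connection to `service` from `src_ip`."""
        addr = ipaddress.ip_address(src_ip)
        if service == "webmail" and self.webmail_countries:
            cc = country_of(src_ip)
            if cc not in self.webmail_countries:
                return False, f"country {cc} not in WebMail country list"
        for scope in self.SCOPES:
            entry = self.rules[scope].get(service)
            if not entry:
                continue
            if any(addr in n for n in entry["deny"]):
                return False, f"{scope}-level deny rule"
            if entry["allow"] and not any(addr in n for n in entry["allow"]):
                return False, f"not in {scope}-level allow list"
            return True, f"permitted by {scope}-level rules"
        return True, "no rules for this service"


def hotel_scenario() -> List[Tuple[bool, str]]:
    """The 'just arrived at a hotel' walk-through from the text, as a sequence of checks."""
    fw = ServiceFirewall()
    fw.webmail_countries = ["US"]                        # domain-wide geographic restriction
    fw.add("account", "pop", "deny", "0.0.0.0/0")         # POP is never used: turn it off
    fw.add("user", "imap", "allow", "203.0.113.10/32")    # home (constructed address)
    fw.add("user", "imap", "allow", "192.0.2.0/24")       # office network (constructed)
    hotel = "203.0.113.77"                                # hotel Wi-Fi, US (constructed)
    results = [
        fw.check("imap", hotel),                          # blocked: not home or office
        fw.check("webmail", hotel),                       # allowed: US, no IP rule on webmail
        fw.check("webmail", "198.51.100.9"),              # blocked by country (DE)
        fw.check("pop", "203.0.113.10"),                  # blocked even from home: POP is off
    ]
    fw.add("user", "imap", "allow", hotel + "/32")        # user adds hotel IP via WebMail
    results.append(fw.check("imap", hotel))               # now allowed
    fw.remove("user", "imap", "allow", hotel + "/32")     # checkout: drop the shared hotel IP
    results.append(fw.check("imap", hotel))               # blocked again
    return results
```

The order of checks matters: the country list and the IP rules are evaluated before any credentials, so a blocked source never gets to exercise the password at all, which is what takes the automated guessing traffic out of the picture.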
Recommendations for Maximal Security
If you want to lock down your account as tightly as possible, here is our recommendation:
- Get an account with DuoSecurity and integrate it with your LuxSci account
- Require all users to use DuoSecurity Two-Factor authentication to access their LuxSci WebMail Interface
- Restrict access to WebMail by IP address and/or country/region, as appropriate, so as to block any access from places where you would never be.
- Be sure that use of SSL/TLS is enforced for all access to any LuxSci service
- Turn off self-service password resets, and designate an Administrator who will help your users with password problems and verify their identities manually.
- Block access to POP, IMAP, SMTP, and FTP using your LuxSci Firewall, so that they can only be reached from specified IPs or ranges … and show your users how to log in to LuxSci and update their personal firewall to allow access when they are at a new location.
- Use Premium MobileSync instead of POP/SMTP for access from mobile devices. It is always secure and is allowed even if straight POP/IMAP/SMTP access is blocked from your IP, thus permitting access even as your phone’s IP address constantly changes.
Also, you could disable access to POP, IMAP, SMTP and all other services and use only the Web interface, if you want to remove that level of access from the equation altogether.