Configuring 2-step verification

2-step verification adds an extra layer of security to a user's account by using an application on the user's smartphone to confirm their identity.

NOTE

It is possible to enable the option to force hostname for clients connected via the Kerio VPN for 2-factor authentication. For more information, refer to Configuring Hostname Settings.

This type of verification protects access to Kerio Control and your LAN from the Internet with two independent steps. Users must use their credentials to authenticate and also type a special time-limited code generated by an authentication application on their phones or computers that supports RFC 6238, such as

The 2-step verification protects all interfaces accessible from the Internet:

Users must use the verification code every time they try to connect to the Kerio Control network from the Internet. If they select Remember me on this device, their browser remembers the connection until the expiry time (in days) configured by the administrator.
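The following added example (not Kerio Control code, and not a description of how Kerio Control validates codes) shows how an RFC 6238 time-limited code is derived from the shared secret set during pairing and how a server can check it. The 30-second step, 6 digits, the one-step clock-drift window and the reuse guard are assumptions chosen for illustration; the secret is the published RFC 6238 test secret.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30     # seconds per time step (RFC 6238 default; assumed here)
DIGITS = 6    # code length shown by typical authenticator apps (assumed)

# RFC 6238 Appendix B test secret, Base32-encoded the way pairing QR codes carry it.
SECRET = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")


def totp(secret: bytes, at: float, digits: int = DIGITS, step: int = STEP) -> str:
    """Return the RFC 6238 code (HMAC-SHA1) valid at Unix time `at`."""
    counter = struct.pack(">Q", int(at) // step)       # 8-byte big-endian step count
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, at: float, window: int = 1,
           last_used_step=None):
    """Return the matching time step, or None if the code is rejected.

    `window` tolerates clock drift between phone and server.
    `last_used_step` (hypothetical per-user state) blocks reuse of a code
    from a step that was already accepted.
    """
    current = int(at) // STEP
    for step_no in range(max(0, current - window), current + window + 1):
        if last_used_step is not None and step_no <= last_used_step:
            continue                                   # already consumed: no replay
        expected = totp(secret, step_no * STEP)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), code.encode()):
            return step_no
    return None


if __name__ == "__main__":
    print("code at t=59:", totp(SECRET, 59))
    print("accepted 30 s later:", verify(SECRET, totp(SECRET, 59), 89))
    print("accepted 90 s later:", verify(SECRET, totp(SECRET, 59), 149))
```

A code is accepted only while its time step falls inside the drift window, which is why the phone and the server need reasonably synchronized clocks.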

Configuring the 2-step verification in Kerio Control Administration

Users can set up their 2-step verification in Kerio Control Statistics themselves. For more information, refer to Authenticating with 2-step verification.

As an administrator, you can also require the use of 2-step verification:

  1. In the administration interface, go to Domains and User Login > Security Options.
  2. Select Require 2-step verification.

  3. Select Allow remote configuration to allow users to pair their mobile device with their Kerio Control account remotely. If you disable this option, users must pair their devices from the local network only.
  4. Enter a value in the “2-step verification will expire in” field to set the token expiration timeframe. Users are forced to re-enter the authentication code after <configured_value> days. Note: If you set the value to 0 days, users are required to enter the 2FA code at each login.
  5. Click Apply.

Kerio Control now starts to require the 2-step verification. Users must pair their mobile devices with their Kerio Control account. They authenticate to the Kerio Control network with their credentials and a verification code.

Disabling the 2-step verification for a particular user

If a user loses the mobile device associated with 2-step verification, you must disable the 2-step verification for that user account. Otherwise, the user cannot access the Kerio Control network from the Internet. There are two ways to disable 2-step verification on a user account:

Using the context menu in Users administration to disable 2-step verification

  1. In Kerio Control Administration, go to Users and Groups > Users.
  2. Right-click the user whose access you need to change.
  3. In the context menu, click Disable 2-step verification.

The context menu displayed in the Users administration panel.

Using the More Actions button in Users administration to disable 2-step verification

  1. In Kerio Control Administration, go to Users and Groups > Users.
  2. Click the user account you want to disable 2-step verification for.
  3. Click More Actions > Disable 2-step verification.

The user can now enable 2-step verification in Kerio Control Statistics with a new mobile device.

Enabling the 2-step verification in Kerio Control Statistics

Users can enable 2-step verification for their account in Kerio Control Statistics. For more information, refer to Authenticating with 2-step verification.