Overview
2-step verification adds an extra layer of security to your account by using an application on the user's smartphone to confirm their identity.
NOTE: It is possible to enable the option to force a hostname for clients connected via the Kerio VPN for 2-factor authentication. For more information, refer to Configuring Hostname Settings.
This type of verification protects access to Kerio Control and your LAN from the Internet with two independent steps. Users must authenticate with their credentials and also type a special time-limited code generated by an authentication application on their phone or computer that supports RFC 6238, such as:
- Google Authenticator for iOS and Android;
- FreeOTP Authenticator for iOS and Android;
- Authenticator for iOS;
- WinAuth for Windows OS;
- Authy for Windows, Linux, Mac, iOS, and Android.
The 2-step verification protects all interfaces accessible from the Internet:
- Kerio Control VPN Client/IPsec VPN client
- Kerio Control Statistics
- Kerio Control Administration
Users must enter the verification code every time they connect to the Kerio Control network from the Internet. If they select "Remember me on this device", their browser remembers the connection for 30 days from the last connection.
Configuring the 2-step verification in Kerio Control administration
Users can set up 2-step verification in Kerio Control Statistics themselves. For more information, refer to Authenticating with 2-step verification.
As an administrator, you can also require the use of 2-step verification:
- In the administration interface, go to Domains and User Login > Security Options.
- Select Require 2-step verification.
- Select Allow remote configuration to allow users to pair their mobile device with their Kerio Control account remotely. If you disable this option, users must pair their devices from the local network only.
NOTE: The 2FA token expiration duration shown in the screenshot above was introduced with Kerio Control 9.4. Previous versions do not have the 2FA token expiration option.
- Click Apply.
Kerio Control now starts to require the 2-step verification. Users must pair their mobile devices with their Kerio Control account. They authenticate to the Kerio Control network with their credentials and a verification code.
Important: if you clear the "Require 2-step verification" checkbox, users who already have 2FA enabled keep it enabled. Users can disable 2FA themselves.
Disabling the 2-step verification for a particular user
Please note that disabling 2-step verification with either of the methods below does not permanently disable it for that user.
This functionality is designed for resetting 2FA when the mobile device is lost: if the Kerio Control instance still requires 2FA, the user is prompted to configure 2FA again the next time they log in.
If a user loses the mobile device associated with 2-step verification, you must disable the 2-step verification for that user account. Otherwise, the user cannot access the Kerio Control network from the Internet. There are two ways to disable 2-step verification on a user account:
Using the context menu in Users administration to disable 2-step verification
- In Kerio Control Administration, go to Users and Groups > Users.
- Right-click the user whose access you need to change.
- In the context menu, click Disable 2-step verification.
Using the More Actions button in Users administration to disable 2-step verification
- In Kerio Control Administration, go to Users and Groups > Users.
- Click the user account you want to disable 2-step verification for.
- Click More Actions > Disable 2-step verification.
The user can now enable 2-step verification in Kerio Control Statistics with a new mobile device.