Set Up an OTP Mail?
This article describes how to set up secure access to the cyberelements platform using OTP mail.
The OTP adds a second factor to user authentication.
The principle of OTP mail is that, once a user has authenticated with their login and password, an e-mail containing a one-time code is sent to them; the user must enter this code on the portal before gaining access to the portal and their resources.
Note on the use of OTP mail
Depending on the context, OTP mail may add little real security to user authentication.
If users log in with their AD account and must retrieve the code from a mailbox attached to that same AD account, the additional security is minimal.
In this case, an attacker who has obtained a user's credentials can also retrieve the OTP code simply by logging in to the user's mailbox with those same credentials.
OTP mail does, however, provide a genuine second factor if:
- The user logs in with a local account, or with an account other than the one that protects their e-mail account.
- The OTP mail is sent to an address other than the one used to connect to cyberelements.
How to configure the OTP mail?
In the cyberelements console, you need to add an OTP mail token generator. Two variants are available:
- OTP – email: sends the code through an SMTP server without authenticating
- OTP – email (Auth): sends the code through an SMTP server after authenticating with an account
⚠️ The SMTP connection originates from the mediation server, so you need to:
- Authorize the flow from the mediation server to your SMTP server if the SMTP server is on your LAN (port 25 by default, or the port you configure).
Both variants are configured in the same way; OTP – email (Auth) simply adds the fields for the connection account (ID and Password).
Step 1 - Create the OTP mail
Go to the cyberelements console and select the OTP Token Generators menu.
Add a new OTP
Select the desired OTP mail
Complete the various fields as follows:
- Name: name of the OTP; this is visible to the user on the cloud portal
- Description: description visible to administrators
- OTP usable characters: set of characters from which the OTP code is randomly generated
- OTP Length: number of characters in the OTP code. Together with the usable characters this determines the code's strength: a 6-digit numeric code has only one million possible values, so combine it with a short validity period
- Validity period of a token (seconds): time, in seconds, the user has to enter the OTP code before it becomes invalid
- Message before the OTP: customizes the text in the body of the e-mail, inserted just before the OTP code
- SMTP Server: address of the SMTP server, either an IP address or a DNS name, optionally with a port; if no port is defined, port 25 is used
- Sender: e-mail address shown as the sender of the e-mail
- Start TLS: enable or disable STARTTLS on the SMTP session. Leave it enabled wherever the SMTP server supports it: without it, the e-mail containing the code and, for the (Auth) variant, the SMTP account credentials travel in clear text between the mediation server and the SMTP server
- ID (OTP – email (Auth) only): username used to connect to the SMTP server
- Password (OTP – email (Auth) only): password of the SMTP connection account
- Mail subject: customization of the e-mail subject
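As an added illustration of the Step 1 fields, the snippet below is example code written for this article, not cyberelements code or its API. It models the generator settings, draws the code from the usable character set with a cryptographically secure generator, enforces the validity period and single use on verification, composes the mail from the sender, subject and "message before" fields, and shows how the SMTP side is reached with STARTTLS and optional authentication. The class and function names, the example server and addresses, the host:port syntax for the SMTP Server field, and the policy of refusing to send SMTP credentials over a clear-text session are all assumptions of this example.

```python
import math
import secrets
import smtplib
import ssl
import time
from dataclasses import dataclass
from email.message import EmailMessage
from typing import Optional


@dataclass
class OtpMailConfig:
    """Hypothetical model of the Step 1 fields; attribute names mirror the console labels."""
    name: str
    usable_chars: str = "0123456789"
    length: int = 6
    validity_seconds: int = 300
    message_before: str = "Your one-time code is:"
    smtp_server: str = "smtp.example.internal"      # "host" or "host:port" (assumed syntax)
    sender: str = "noreply@example.internal"        # constructed example address
    start_tls: bool = True
    smtp_user: Optional[str] = None                 # ID, OTP – email (Auth) only
    smtp_password: Optional[str] = None             # Password, OTP – email (Auth) only
    subject: str = "Your cyberelements access code"


@dataclass
class IssuedCode:
    code: str
    expires_at: float
    used: bool = False


def smtp_endpoint(server: str) -> tuple[str, int]:
    """Split 'host[:port]'; port 25 is implied when none is given. IPv6 literals must be bracketed."""
    host, sep, port = server.rpartition(":")
    if not sep or not port.isdigit():
        return server, 25
    return host, int(port)


def code_entropy_bits(cfg: OtpMailConfig) -> float:
    """Strength of a code drawn uniformly from the usable set: length * log2(alphabet size)."""
    return cfg.length * math.log2(len(set(cfg.usable_chars)))


def generate_code(cfg: OtpMailConfig) -> str:
    """Draw each character with the CSPRNG in `secrets`, never with `random`."""
    alphabet = "".join(sorted(set(cfg.usable_chars)))   # dedupe so no character is favoured
    if len(alphabet) < 2 or cfg.length < 1:
        raise ValueError("usable characters and length must allow a non-trivial code")
    return "".join(secrets.choice(alphabet) for _ in range(cfg.length))


def issue_code(cfg: OtpMailConfig, now: Optional[float] = None) -> IssuedCode:
    """Generate a code and stamp it with the validity period from the generator settings."""
    now = time.time() if now is None else now
    return IssuedCode(code=generate_code(cfg), expires_at=now + cfg.validity_seconds)


def verify_code(issued: IssuedCode, submitted: str, now: Optional[float] = None) -> bool:
    """Accept a code once, within its validity window, using a constant-time comparison."""
    now = time.time() if now is None else now
    if issued.used or now > issued.expires_at:
        return False
    if not secrets.compare_digest(issued.code.encode(), submitted.encode()):
        return False
    issued.used = True          # burn the code so a captured e-mail cannot be replayed
    return True


def build_message(cfg: OtpMailConfig, recipient: str, code: str) -> EmailMessage:
    """Compose the e-mail as the fields describe: subject, then 'message before' followed by the code."""
    msg = EmailMessage()
    msg["From"] = cfg.sender
    msg["To"] = recipient
    msg["Subject"] = cfg.subject
    msg.set_content(
        f"{cfg.message_before} {code}\n\n"
        f"This code is valid for {cfg.validity_seconds} seconds and can be used once."
    )
    return msg


def send_otp(cfg: OtpMailConfig, recipient: str, code: str) -> None:
    """Deliver the code over SMTP; this is the only function here that touches the network."""
    host, port = smtp_endpoint(cfg.smtp_server)
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if cfg.start_tls:
            # Upgrade to TLS and verify the server certificate before anything sensitive is sent.
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()
        elif cfg.smtp_user:
            # Example policy (not a product setting): never send SMTP credentials in clear text.
            raise RuntimeError("Start TLS is off; refusing to send SMTP credentials in clear text")
        if cfg.smtp_user:                       # OTP – email (Auth) variant
            smtp.login(cfg.smtp_user, cfg.smtp_password or "")
        smtp.send_message(build_message(cfg, recipient, code))


if __name__ == "__main__":
    cfg = OtpMailConfig(name="OTP mail", usable_chars="ABCDEFGHJKLMNPQRSTUVWXYZ23456789",
                        length=8, validity_seconds=120)
    issued = issue_code(cfg)
    print(f"{code_entropy_bits(cfg):.0f} bits of entropy per code")
    print(build_message(cfg, "alice@example.test", issued.code))   # shown, not sent
```

Everything except `send_otp` runs offline, so the generation, expiry and replay behaviour can be exercised without an SMTP server. The 32-character alphabet used in the stand-alone run (letters without I and O, digits 2 to 9) with a length of 8 gives 40 bits per code, against roughly 20 bits for the default 6-digit numeric code; the validity window and single-use check are what keep a short code safe.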
Step 2 - Assign an OTP mail to a domain
⚠️ An MFA can only be assigned at domain level; it then applies to every user who connects to that domain.
Your new OTP mail token is assigned to the domain of your choice in the domain settings.
The available options:
- Authentication Tokens: select the MFA to be applied to the domain
- User attribute used to send the OTP: name of the user attribute from which Cleanroom retrieves the user's e-mail address. Choose it with the note above in mind: if this attribute points to the mailbox that the login credentials themselves unlock, the OTP does not add a real second factor
- Token Expiration Time: number of days before the OTP expires. This is distinct from the per-code validity period in seconds set on the token generator in Step 1