This page describes the process to configure and use Two-Factor Authentication (2FA) with the CS Department's Zimbra email service (which includes webmail, IMAP, POP, and ActiveSync access methods). The use of 2FA is important in limiting the negative impact of compromised passwords. When you configure your CS Zimbra account to use 2FA, the way you access your email will change. That said, other than the steps to reconfigure your account, we expect your day-to-day experience will change very little.

Access to the Zimbra webmail interface from your desktop or laptop (to read/write email, use the Zimbra calendar, or manage your account's configuration) will continue to require your regular CS password but will also require a 6-digit code generated by an "authenticator" application. For most CS users, a compatible authenticator app already exists on their smartphone. When you log in to the webmail interface, a long-lived cookie is saved by your browser so that you will not need to re-enter a code for a few weeks (up to 30 days). The standard for generating the 6-digit code, TOTP (Time-Based One-Time Password Algorithm), is specified in RFC 6238.

Access to CS email from applications such as Thunderbird, Mac Mail, Outlook, iPhone Mail, Android Mail, etc. will use the same configuration, except that you will not use your regular CS password. Instead, each of your applications or devices will get its own distinct "application passcode" that is generated by Zimbra. For example, if you access email from your iPhone, from your desktop computer with Thunderbird, and from your laptop with Thunderbird, you will end up needing 3 application passcodes. You will need to update the configuration of each of your applications and devices; however, most will simply note that the old password is not working and prompt you for the new one.

The key to the enhanced security is that you do not commit these application passcodes to memory; rather, you use the "remember password" feature of the application or device. (If a person doesn't know their password, they cannot inadvertently disclose it to a phishing site.) In the event that a given device is lost or compromised, the associated application passcode can be disabled without you having to change all your passwords on all your devices. Keen-eyed readers will note that using application passcodes does not constitute 2FA. This is true; however, this approach is a distinct improvement over using a single, universal password. Additionally, generating new application passcodes or otherwise managing one's account requires using the webmail interface, which does require 2FA.

While this page generically refers to CS email, it also includes access to the Zimbra calendar via CalDAV. If you are using the calendar feature on applications or devices outside of webmail, the CalDAV access method also uses application passcodes.

Authenticator Applications

As part of setting up 2FA on your Zimbra account, you will need a smartphone application to generate the 6-digit codes mentioned above. The codes are calculated based on the current time and a shared secret specific to your account that is generated by the Zimbra server and then stored in your smartphone. Often, the shared secret is represented by a QR code that the app scans. In the case of Zimbra, no QR code is generated; Zimbra provides the shared secret as text that you enter "manually" into your authenticator app. If you already have the Duo Mobile app installed on your smartphone (as many Princeton folks do), it has the ability to generate these TOTP codes. It should be noted that Zimbra is not integrated with Duo as it is elsewhere on campus; this means that you will not receive a push notification that you can simply "accept." Instead, you will need to enter the 6-digit code manually when prompted by Zimbra during a login to webmail.
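The TOTP computation described above, as an added example that is not part of this page or of Zimbra's own code: a minimal RFC 6238 implementation in Python (standard library only) that decodes a shared secret typed in as Base32 text, derives the 6-digit code from the current time, and checks a submitted code on the server side with one time step of tolerance for clock skew. The secret it uses is the RFC 6238 reference secret "12345678901234567890" (Base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ), a constructed input; the function names and the plus-or-minus-one-step skew window are this example's own choices and are not taken from Zimbra or from any authenticator app.

```python
"""
Added example (not from the CS Department's page or Zimbra): RFC 6238 TOTP,
showing how an authenticator app turns the shared secret Zimbra hands out as
text into the 6-digit codes webmail asks for, and how a server verifies them.
Standard library only.
"""
import base64
import hashlib
import hmac
import struct
import time


def normalize_secret(text: str) -> bytes:
    """Decode a shared secret that was typed in by hand.

    Authenticator apps take the secret as Base32 (RFC 4648). When it is
    entered manually instead of scanned from a QR code, the text often
    arrives with spaces, lowercase letters or missing '=' padding, so
    clean it up before decoding.
    """
    cleaned = "".join(text.split()).upper().rstrip("=")
    padded = cleaned + "=" * (-len(cleaned) % 8)
    return base64.b32decode(padded, casefold=True)


def hotp(secret: bytes, counter: int, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(secret, counter), dynamic truncation, decimal digits."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                           # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, skew_steps: int = 1) -> bool:
    """Server-side check.

    Accepts the code for the current step and for skew_steps steps on
    either side, so a phone whose clock is a few seconds off still works.
    The comparison is constant-time so a wrong guess leaks no timing signal.
    """
    counter = unix_time // step
    for delta in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            return True
    return False


def current_code(secret_text: str) -> str:
    """What the app would show right now for a secret entered as text."""
    return totp(normalize_secret(secret_text), int(time.time()))


if __name__ == "__main__":
    # Constructed input: the RFC 6238 reference secret "12345678901234567890",
    # written the way a user might type it into the app (spaced, lowercase).
    SECRET_TEXT = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"
    key = normalize_secret(SECRET_TEXT)
    for t in (59, 1111111109, 1234567890):   # RFC 6238 Appendix B times
        print(t, totp(key, t))
    print("now:", current_code(SECRET_TEXT))
```

Because the secret is what both sides hold, the text Zimbra displays for manual entry is as sensitive as the account password: enter it into the app and do not keep a copy in email or notes. The skew window is why a code that has just rolled over still works for a few seconds; a server that accepts a wider window also lengthens the time an observed code stays usable.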