Implementation of strong multi-factor authentication on our customer interface

Always mindful of our customers’ needs and the security of our systems, your Altospam interface for managing your domains and their e-mail flows supports strong multi-factor authentication.

Nevertheless, the use of passwords has certain limitations. Users often apply the same password to several systems. The vulnerability of these other sites or programs jeopardizes password security wherever it is used. What’s more, depending on the security policy imposed by the company, passwords are regularly exchanged or present on shared spaces.

Why do I need strong multi-factor authentication?

Finally, even if stored correctly via the browser or a secure password manager, the storage of this password is intrinsically part of the company’s information system data. It can therefore be compromised if the system falls victim to a global cyber attack (internal interception, keylogger, etc.).

Like most systems requiring clear recognition of the current user, our interfaces use the classic “User ID / Password” pair to authenticate connections. It’s a robust, secure system that’s familiar to all users. Passwords are stored on our systems in the form of cryptographic fingerprints (never in clear text), so there is no risk of hacking or information retrieval.

What is multi-factor authentication (MFA)?

Whether it’s called double authentication, two-factor authentication (2FA) or multi-factor authentication (MFA), this method requires the user to present two distinct proofs of identity in order to validate access.

The first is typically the “User ID/Password” pair, and the second a unique code, ideally accessible on separate IT equipment outside the company’s information system (SMS, phone application, USB key, smart card, etc.). This is to reduce the risks in the event of loss, theft or piracy of one of the two items of equipment concerned.

What is strong authentication?

ANSSI (Agence Nationale de Sécurité des Systèmes d’Informations) recommends the use of strong authentication, i.e. based on a cryptographic mechanism whose parameters and security are deemed robust. They often exploit a “challenge/response” mechanism: the server requesting authentication issues a request that the person must validate by transmitting a code calculated from a cryptographic signature.

This method protects against cyber-attacks such as interception (“man-in-the-middle” or MITM), dictionary or brute-force attacks, as well as social engineering attacks that could steal a password, but not a cryptographically generated temporary code.

Altospam’s solution

For this dual authentication, we opted to implement the TOTP protocol (Time based One Time Password defined by RFC 6238 – https://www.rfc-editor.org/rfc/rfc6238). This means we meet both ANSSI recommendations for multi-factor and strong authentication.

When activated, this system will request synchronization with an application on your phone. There are many compatible applications, including Google Authenticator (android, iOS), Microsoft Authenticator (Windows Phone), FreeOTP (android, iOS), Aegis (android), Authy (android, iOS) or OTP Auth (iOS).

When an attempt is made to connect to our customer interface, after the password has been validated, the algorithm included in TOTP will generate a unique, temporary code required for connection. The TOTP application synchronized on the phone will generate a corresponding code, and validation of this code in the interface will enable authentication. These codes have a short validity period, ensuring that they cannot be re-used at a later date.

For simplicity’s sake, we’ve added a “remember device” option, allowing reconnection without the need for systematic double validation. This option is valid for one month or until the account is manually disconnected.

What’s more, when you activate double authentication, you’ll be prompted to register a series of recovery codes. These codes will enable you to recover your account if you lose access to the phone or the TOTP application. They should be kept in a secure place, separate from the two usual authentication systems.

How do I set up this authentication on my Altospam administration account?

To set up multi-factor authentication, go to the Altospam customer interface. Click on your account name at the top right of the page, then “Security” and choose “Enable multi-factor authentication”. A QR code enables automatic synchronization with the chosen client software. It will then present a code that validates the activation of authentication at the interface level. It will be activated immediately, and you can test its operation by logging out to initiate a new connection, secured by strong multi-factor authentication.

If you have any questions about setting up multi-factor authentication, don’t hesitate to contact our team by phone on 0825.950.038* or by email support@altospam.com

VSEs, SMEs, ETIs, associations or local authorities? Contact Altospam for a free trial of our Altospam solution and discover our anti-phishing, anti-ransomware, anti-spam, anti-spearphishing… solutions.

Test Altospam’s solutions!

Thousands of companies, CTOs, CIOs, CISOs and IT managers already trust us to protect their e-mail against phishing, spear phishing, ransomware, …