Multifactor authentication for email

Irwin Gaines

As phishing becomes more widespread and as attackers make their phishing attempts ever more devious, exposure of usernames and passwords has become one of our primary cybersecurity risks. Regardless of the efficacy of the defenses we use, such as Proofpoint, the fact remains that if someone is able to impersonate you by using a stolen credential, it can jeopardize the entire laboratory.

The best way to mitigate this risk is to use multifactor authentication, or MFA. By doing so, a stolen credential alone will no longer provide access to Fermilab systems because one must also use a second factor to authenticate to these systems. We have been gradually increasing the use of MFA, which is already required for access to perform certain functions in the lab’s business and financial systems and for VPN to connect to the lab network. Next up is email.

We have had incidents in which an unauthorized user caused embarrassment to the lab by using an email account to send out large amounts of spam that appeared to be coming from a lab email address. Recognizing this risk, DOE is in the process of requiring all DOE labs to use MFA for email.

Since email is a major component of lab communication, we recognize the importance of implementing MFA without disrupting our mission. The chosen solution will not require MFA when accessing email on site, since stolen credentials are typically used from remote locations, nor when accessing email over VPN, since a VPN connection already requires MFA. When reading email from off site, however, users will have to use MFA to connect to Office 365.

To make the MFA login as straightforward as possible, users will log in the same way they do today, but in addition to their Services account credentials, they will be asked to provide the one-time password from their MFA token: either an RSA hard token, an RSA software token or possibly a specially configured YubiKey. This will work with all email clients that use Exchange authentication (for example, Outlook, Outlook Web, MacMail, or phones and tablets configured to work with Exchange). Email clients using older authentication protocols (typically IMAP), including some phones and tablets and Thunderbird, will be unable to use this MFA mechanism, but those clients will soon require updating anyway because Microsoft is in the process of dropping support for IMAP clients. Without updates, those clients can be used only on site or over VPN.

The project is scheduled to be completed by April 30, at which time non-MFA remote access to email will no longer be available, except in very short-term emergency situations in which immediate access to email is needed while the MFA credential is unavailable. For those who do not already have them, tokens will be issued starting Feb. 1, and users can start testing their clients on March 1. We will provide instructions for you at that time.

What do you need to do? If you read email only when on site or when connected by VPN, this will have no impact on you. If, even occasionally, you need to read email remotely without VPN, you need to make sure you have an MFA token and test it in your email client well before the April 30 deadline. Please bring to our attention any email clients in use that we may not be aware of. Visit the MFA website for updates and FAQs, or to ask a question.

Irwin Gaines is the Fermilab chief security information officer.