mailcow-dockerized-docs/en/manual-guides/mailcow-UI/u_e-mailcow_ui-tfa/index.html

2777 Zeilen
70 KiB
HTML

<!doctype html>
<html lang="en" class="no-js">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<link rel="canonical" href="https://mailcow.github.io/mailcow-dockerized-docs/en/manual-guides/mailcow-UI/u_e-mailcow_ui-tfa/">
<link rel="icon" href="../../../../assets/images/favicon.png">
<meta name="generator" content="mkdocs-1.3.0, mkdocs-material-8.3.6">
<title>Two-Factor Authentication - mailcow: dockerized documentation</title>
<link rel="stylesheet" href="../../../../assets/stylesheets/main.4a0965b7.min.css">
<link rel="stylesheet" href="../../../../assets/stylesheets/palette.cbb835fc.min.css">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback">
<style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style>
<link rel="stylesheet" href="../../../../assets/stylesheets/extra.css">
<script>__md_scope=new URL("../../../..",location),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script>
</head>
<body dir="ltr" data-md-color-scheme="default" data-md-color-primary="" data-md-color-accent="">
<script>var palette=__md_get("__palette");if(palette&&"object"==typeof palette.color)for(var key of Object.keys(palette.color))document.body.setAttribute("data-md-color-"+key,palette.color[key])</script>
<input class="md-toggle" data-md-toggle="drawer" type="checkbox" id="__drawer" autocomplete="off">
<input class="md-toggle" data-md-toggle="search" type="checkbox" id="__search" autocomplete="off">
<label class="md-overlay" for="__drawer"></label>
<div data-md-component="skip">
<a href="#yubi-otp" class="md-skip">
Skip to content
</a>
</div>
<div data-md-component="announce">
</div>
<header class="md-header" data-md-component="header">
<nav class="md-header__inner md-grid" aria-label="Header">
<a href="../../../.." title="mailcow: dockerized documentation" class="md-header__button md-logo" aria-label="mailcow: dockerized documentation" data-md-component="logo">
<img src="../../../../assets/images/logo.svg" alt="logo">
</a>
<label class="md-header__button md-icon" for="__drawer">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M3 6h18v2H3V6m0 5h18v2H3v-2m0 5h18v2H3v-2Z"/></svg>
</label>
<div class="md-header__title" data-md-component="header-title">
<div class="md-header__ellipsis">
<div class="md-header__topic">
<span class="md-ellipsis">
mailcow: dockerized documentation
</span>
</div>
<div class="md-header__topic" data-md-component="header-topic">
<span class="md-ellipsis">
Two-Factor Authentication
</span>
</div>
</div>
</div>
<form class="md-header__option" data-md-component="palette">
<input class="md-option" data-md-color-media="" data-md-color-scheme="default" data-md-color-primary="" data-md-color-accent="" aria-label="Dark Mode" type="radio" name="__palette" id="__palette_1">
<label class="md-header__button md-icon" title="Dark Mode" for="__palette_2" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M17 6H7c-3.31 0-6 2.69-6 6s2.69 6 6 6h10c3.31 0 6-2.69 6-6s-2.69-6-6-6zm0 10H7c-2.21 0-4-1.79-4-4s1.79-4 4-4h10c2.21 0 4 1.79 4 4s-1.79 4-4 4zM7 9c-1.66 0-3 1.34-3 3s1.34 3 3 3 3-1.34 3-3-1.34-3-3-3z"/></svg>
</label>
<input class="md-option" data-md-color-media="" data-md-color-scheme="slate" data-md-color-primary="" data-md-color-accent="" aria-label="Light Mode" type="radio" name="__palette" id="__palette_2">
<label class="md-header__button md-icon" title="Light Mode" for="__palette_1" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M17 7H7a5 5 0 0 0-5 5 5 5 0 0 0 5 5h10a5 5 0 0 0 5-5 5 5 0 0 0-5-5m0 8a3 3 0 0 1-3-3 3 3 0 0 1 3-3 3 3 0 0 1 3 3 3 3 0 0 1-3 3Z"/></svg>
</label>
</form>
<div class="md-header__option">
<div class="md-select">
<button class="md-header__button md-icon" aria-label="Select language">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="m12.87 15.07-2.54-2.51.03-.03A17.52 17.52 0 0 0 14.07 6H17V4h-7V2H8v2H1v2h11.17C11.5 7.92 10.44 9.75 9 11.35 8.07 10.32 7.3 9.19 6.69 8h-2c.73 1.63 1.73 3.17 2.98 4.56l-5.09 5.02L4 19l5-5 3.11 3.11.76-2.04M18.5 10h-2L12 22h2l1.12-3h4.75L21 22h2l-4.5-12m-2.62 7 1.62-4.33L19.12 17h-3.24Z"/></svg>
</button>
<div class="md-select__inner">
<ul class="md-select__list">
<li class="md-select__item">
<a href="../../../../manual-guides/mailcow-UI/u_e-mailcow_ui-tfa/" hreflang="en" class="md-select__link">
English
</a>
</li>
<li class="md-select__item">
<a href="../../../../de/manual-guides/mailcow-UI/u_e-mailcow_ui-tfa/" hreflang="de" class="md-select__link">
Deutsch
</a>
</li>
</ul>
</div>
</div>
</div>
<label class="md-header__button md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
</label>
<div class="md-search" data-md-component="search" role="dialog">
<label class="md-search__overlay" for="__search"></label>
<div class="md-search__inner" role="search">
<form class="md-search__form" name="search">
<input type="text" class="md-search__input" name="query" aria-label="Search" placeholder="Search" autocapitalize="off" autocorrect="off" autocomplete="off" spellcheck="false" data-md-component="search-query" required>
<label class="md-search__icon md-icon" for="__search">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.516 6.516 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5Z"/></svg>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg>
</label>
<nav class="md-search__options" aria-label="Search">
<button type="reset" class="md-search__icon md-icon" aria-label="Clear" tabindex="-1">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"/></svg>
</button>
</nav>
</form>
<div class="md-search__output">
<div class="md-search__scrollwrap" data-md-scrollfix>
<div class="md-search-result" data-md-component="search-result">
<div class="md-search-result__meta">
Initializing search
</div>
<ol class="md-search-result__list"></ol>
</div>
</div>
</div>
</div>
</div>
<div class="md-header__source">
<a href="https://github.com/mailcow/mailcow-dockerized" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.1.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
mailcow/mailcow-dockerized
</div>
</a>
</div>
</nav>
</header>
<div class="md-container" data-md-component="container">
<main class="md-main" data-md-component="main">
<div class="md-main__inner md-grid">
<div class="md-sidebar md-sidebar--primary" data-md-component="sidebar" data-md-type="navigation" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--primary" aria-label="Navigation" data-md-level="0">
<label class="md-nav__title" for="__drawer">
<a href="../../../.." title="mailcow: dockerized documentation" class="md-nav__button md-logo" aria-label="mailcow: dockerized documentation" data-md-component="logo">
<img src="../../../../assets/images/logo.svg" alt="logo">
</a>
mailcow: dockerized documentation
</label>
<div class="md-nav__source">
<a href="https://github.com/mailcow/mailcow-dockerized" title="Go to repository" class="md-source" data-md-component="source">
<div class="md-source__icon md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 448 512"><!--! Font Awesome Free 6.1.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81z"/></svg>
</div>
<div class="md-source__repository">
mailcow/mailcow-dockerized
</div>
</a>
</div>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../" class="md-nav__link">
Information & Support
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_2" type="checkbox" id="__nav_2" >
<label class="md-nav__link" for="__nav_2">
Prerequisites
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Prerequisites" data-md-level="1">
<label class="md-nav__title" for="__nav_2">
<span class="md-nav__icon md-icon"></span>
Prerequisites
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../prerequisite/prerequisite-system/" class="md-nav__link">
Prepare your system
</a>
</li>
<li class="md-nav__item">
<a href="../../../prerequisite/prerequisite-dns/" class="md-nav__link">
DNS setup
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_3" type="checkbox" id="__nav_3" >
<label class="md-nav__link" for="__nav_3">
Installation, Update & Migration
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Installation, Update & Migration" data-md-level="1">
<label class="md-nav__title" for="__nav_3">
<span class="md-nav__icon md-icon"></span>
Installation, Update & Migration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../i_u_m/i_u_m_install/" class="md-nav__link">
Installation
</a>
</li>
<li class="md-nav__item">
<a href="../../../i_u_m/i_u_m_update/" class="md-nav__link">
Update
</a>
</li>
<li class="md-nav__item">
<a href="../../../i_u_m/i_u_m_migration/" class="md-nav__link">
Migration
</a>
</li>
<li class="md-nav__item">
<a href="../../../i_u_m/i_u_m_deinstall/" class="md-nav__link">
Deinstallation
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_4" type="checkbox" id="__nav_4" >
<label class="md-nav__link" for="__nav_4">
Post Installation Tasks
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Post Installation Tasks" data-md-level="1">
<label class="md-nav__title" for="__nav_4">
<span class="md-nav__icon md-icon"></span>
Post Installation Tasks
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../post_installation/firststeps-ssl/" class="md-nav__link">
Advanced SSL
</a>
</li>
<li class="md-nav__item">
<a href="../../../post_installation/firststeps-disable_ipv6/" class="md-nav__link">
Disable IPv6
</a>
</li>
<li class="md-nav__item">
<a href="../../../post_installation/firststeps-dmarc_reporting/" class="md-nav__link">
DMARC Reporting
</a>
</li>
<li class="md-nav__item">
<a href="../../../post_installation/firststeps-ip_bindings/" class="md-nav__link">
IP bindings
</a>
</li>
<li class="md-nav__item">
<a href="../../../post_installation/firststeps-local_mta/" class="md-nav__link">
Local MTA on Docker host
</a>
</li>
<li class="md-nav__item">
<a href="../../../post_installation/firststeps-logging/" class="md-nav__link">
Logging
</a>
</li>
<li class="md-nav__item">
<a href="../../../post_installation/firststeps-rp/" class="md-nav__link">
Reverse Proxy
</a>
</li>
<li class="md-nav__item">
<a href="../../../post_installation/firststeps-rspamd_ui/" class="md-nav__link">
Rspamd UI
</a>
</li>
<li class="md-nav__item">
<a href="../../../post_installation/firststeps-snat/" class="md-nav__link">
SNAT
</a>
</li>
<li class="md-nav__item">
<a href="../../../post_installation/firststeps-sync_jobs_migration/" class="md-nav__link">
Sync job migration
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_5" type="checkbox" id="__nav_5" >
<label class="md-nav__link" for="__nav_5">
Models
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Models" data-md-level="1">
<label class="md-nav__title" for="__nav_5">
<span class="md-nav__icon md-icon"></span>
Models
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../models/model-acl/" class="md-nav__link">
ACL
</a>
</li>
<li class="md-nav__item">
<a href="../../../models/model-passwd/" class="md-nav__link">
Password hashing
</a>
</li>
<li class="md-nav__item">
<a href="../../../models/model-sender_rcv/" class="md-nav__link">
Sender and receiver model
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_6" type="checkbox" id="__nav_6" >
<label class="md-nav__link" for="__nav_6">
General Troubleshooting
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="General Troubleshooting" data-md-level="1">
<label class="md-nav__title" for="__nav_6">
<span class="md-nav__icon md-icon"></span>
General Troubleshooting
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../troubleshooting/debug/" class="md-nav__link">
Introduction
</a>
</li>
<li class="md-nav__item">
<a href="../../../troubleshooting/debug-admin_login_sogo/" class="md-nav__link">
Admin login to SOGo
</a>
</li>
<li class="md-nav__item">
<a href="../../../troubleshooting/debug-rspamd_memory_leaks/" class="md-nav__link">
Advanced: Find memory leaks in Rspamd
</a>
</li>
<li class="md-nav__item">
<a href="../../../troubleshooting/debug-attach_service/" class="md-nav__link">
Attach to a Container
</a>
</li>
<li class="md-nav__item">
<a href="../../../troubleshooting/debug-common_problems/" class="md-nav__link">
Common Problems
</a>
</li>
<li class="md-nav__item">
<a href="../../../troubleshooting/debug-logs/" class="md-nav__link">
Logs
</a>
</li>
<li class="md-nav__item">
<a href="../../../troubleshooting/debug-mysql_upgrade/" class="md-nav__link">
Manual MySQL upgrade
</a>
</li>
<li class="md-nav__item">
<a href="../../../troubleshooting/debug-mysql_aria/" class="md-nav__link">
Recover crashed Aria storage engine
</a>
</li>
<li class="md-nav__item">
<a href="../../../troubleshooting/debug-rm_volumes/" class="md-nav__link">
Remove Persistent Data
</a>
</li>
<li class="md-nav__item">
<a href="../../../troubleshooting/debug-reset_pw/" class="md-nav__link">
Reset Passwords (incl. SQL)
</a>
</li>
<li class="md-nav__item">
<a href="../../../troubleshooting/debug-reset_tls/" class="md-nav__link">
Reset TLS certificates
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_7" type="checkbox" id="__nav_7" >
<label class="md-nav__link" for="__nav_7">
Backup & Restore
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Backup & Restore" data-md-level="1">
<label class="md-nav__title" for="__nav_7">
<span class="md-nav__icon md-icon"></span>
Backup & Restore
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_7_1" type="checkbox" id="__nav_7_1" >
<label class="md-nav__link" for="__nav_7_1">
Component backup & restore
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Component backup & restore" data-md-level="2">
<label class="md-nav__title" for="__nav_7_1">
<span class="md-nav__icon md-icon"></span>
Component backup & restore
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../backup_restore/b_n_r-backup/" class="md-nav__link">
Backup
</a>
</li>
<li class="md-nav__item">
<a href="../../../backup_restore/b_n_r-restore/" class="md-nav__link">
Restore
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../../backup_restore/b_n_r-coldstandby/" class="md-nav__link">
Cold-standby (rolling backup)
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_7_3" type="checkbox" id="__nav_7_3" >
<label class="md-nav__link" for="__nav_7_3">
Manual backups
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Manual backups" data-md-level="2">
<label class="md-nav__title" for="__nav_7_3">
<span class="md-nav__icon md-icon"></span>
Manual backups
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../backup_restore/b_n_r-backup_restore-maildir/" class="md-nav__link">
Maildir
</a>
</li>
<li class="md-nav__item">
<a href="../../../backup_restore/b_n_r-backup_restore-mysql/" class="md-nav__link">
MySQL (mysqldump)
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_7_4" type="checkbox" id="__nav_7_4" >
<label class="md-nav__link" for="__nav_7_4">
mailcow-internal backups
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="mailcow-internal backups" data-md-level="2">
<label class="md-nav__title" for="__nav_7_4">
<span class="md-nav__icon md-icon"></span>
mailcow-internal backups
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../backup_restore/b_n_r-accidental_deletion/" class="md-nav__link">
Recover accidentally deleted data
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_8" type="checkbox" id="__nav_8" checked>
<label class="md-nav__link" for="__nav_8">
Manual/Guides/Examples
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Manual/Guides/Examples" data-md-level="1">
<label class="md-nav__title" for="__nav_8">
<span class="md-nav__icon md-icon"></span>
Manual/Guides/Examples
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item md-nav__item--active md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_8_1" type="checkbox" id="__nav_8_1" checked>
<label class="md-nav__link" for="__nav_8_1">
mailcow UI
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="mailcow UI" data-md-level="2">
<label class="md-nav__title" for="__nav_8_1">
<span class="md-nav__icon md-icon"></span>
mailcow UI
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../u_e-mailcow_ui-bl_wl/" class="md-nav__link">
Blacklist / Whitelist
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-mailcow_ui-config/" class="md-nav__link">
Configuration
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-mailcow_ui-css/" class="md-nav__link">
CSS overrides
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-mailcow_ui-netfilter/" class="md-nav__link">
Netfilter
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-mailcow_ui-pushover/" class="md-nav__link">
Pushover
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-mailcow_ui-spamfilter/" class="md-nav__link">
Spamfilter
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-mailcow_ui-sub_addressing/" class="md-nav__link">
Sub-addressing
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-mailcow_ui-tags/" class="md-nav__link">
Tags (for Domains and Mailboxes)
</a>
</li>
<li class="md-nav__item">
<a href="../u_e-mailcow_ui-spamalias/" class="md-nav__link">
Temporary email aliases
</a>
</li>
<li class="md-nav__item md-nav__item--active">
<input class="md-nav__toggle md-toggle" data-md-toggle="toc" type="checkbox" id="__toc">
<label class="md-nav__link md-nav__link--active" for="__toc">
Two-Factor Authentication
<span class="md-nav__icon md-icon"></span>
</label>
<a href="./" class="md-nav__link md-nav__link--active">
Two-Factor Authentication
</a>
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#yubi-otp" class="md-nav__link">
Yubi OTP
</a>
<nav class="md-nav" aria-label="Yubi OTP">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#example-setup" class="md-nav__link">
Example setup
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#webauthn-u2f-replacement" class="md-nav__link">
WebAuthn (U2F, replacement)
</a>
<nav class="md-nav" aria-label="WebAuthn (U2F, replacement)">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#what-will-happen-to-my-registered-fido-security-key-after-the-update-from-u2f-to-webauthn" class="md-nav__link">
What will happen to my registered Fido Security Key after the Update from U2F to WebAuthn?
</a>
</li>
<li class="md-nav__item">
<a href="#disable-unofficial-supported-fido-security-keys" class="md-nav__link">
Disable unofficial supported Fido Security Keys
</a>
<nav class="md-nav" aria-label="Disable unofficial supported Fido Security Keys">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#example" class="md-nav__link">
Example:
</a>
</li>
<li class="md-nav__item">
<a href="#use-own-certificates-for-webauthn" class="md-nav__link">
Use own certificates for WebAuthn
</a>
</li>
<li class="md-nav__item">
<a href="#is-it-dangerous-to-keep-the-vendor-check-disabled" class="md-nav__link">
Is it dangerous to keep the Vendor Check disabled?
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#totp" class="md-nav__link">
TOTP
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../u_e-mailcow_ui-fido/" class="md-nav__link">
WebAuthn / FIDO2
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_8_2" type="checkbox" id="__nav_8_2" >
<label class="md-nav__link" for="__nav_8_2">
Postfix
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Postfix" data-md-level="2">
<label class="md-nav__title" for="__nav_8_2">
<span class="md-nav__icon md-icon"></span>
Postfix
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Postfix/u_e-postfix-trust_networks/" class="md-nav__link">
Add trusted networks
</a>
</li>
<li class="md-nav__item">
<a href="../../Postfix/u_e-postfix-custom_transport/" class="md-nav__link">
Custom transport maps
</a>
</li>
<li class="md-nav__item">
<a href="../../Postfix/u_e-postfix-extra_cf/" class="md-nav__link">
Customize/Expand main.cf
</a>
</li>
<li class="md-nav__item">
<a href="../../Postfix/u_e-postfix-disable_sender_verification/" class="md-nav__link">
Disable Sender Addresses Verification
</a>
</li>
<li class="md-nav__item">
<a href="../../Postfix/u_e-postfix-attachment_size/" class="md-nav__link">
Max. message size (attachment size)
</a>
</li>
<li class="md-nav__item">
<a href="../../Postfix/u_e-postfix-relayhost/" class="md-nav__link">
Relayhosts
</a>
</li>
<li class="md-nav__item">
<a href="../../Postfix/u_e-postfix-pflogsumm/" class="md-nav__link">
Statistics with pflogsumm
</a>
</li>
<li class="md-nav__item">
<a href="../../Postfix/u_e-postfix-postscreen_whitelist/" class="md-nav__link">
Whitelist IP in Postscreen
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_8_3" type="checkbox" id="__nav_8_3" >
<label class="md-nav__link" for="__nav_8_3">
Unbound
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Unbound" data-md-level="2">
<label class="md-nav__title" for="__nav_8_3">
<span class="md-nav__icon md-icon"></span>
Unbound
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Unbound/u_e-unbound-fwd/" class="md-nav__link">
Using an external DNS service
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_8_4" type="checkbox" id="__nav_8_4" >
<label class="md-nav__link" for="__nav_8_4">
Dovecot
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Dovecot" data-md-level="2">
<label class="md-nav__title" for="__nav_8_4">
<span class="md-nav__icon md-icon"></span>
Dovecot
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Dovecot/u_e-dovecot-extra_conf/" class="md-nav__link">
Customize/Expand dovecot.conf
</a>
</li>
<li class="md-nav__item">
<a href="../../Dovecot/u_e-dovecot-any_acl/" class="md-nav__link">
Enable "any" ACL settings
</a>
</li>
<li class="md-nav__item">
<a href="../../Dovecot/u_e-dovecot-expunge/" class="md-nav__link">
Expunge a Users mails
</a>
</li>
<li class="md-nav__item">
<a href="../../Dovecot/u_e-dovecot-fts/" class="md-nav__link">
FTS (Solr)
</a>
</li>
<li class="md-nav__item">
<a href="../../Dovecot/u_e-dovecot-idle_interval/" class="md-nav__link">
IMAP IDLE interval
</a>
</li>
<li class="md-nav__item">
<a href="../../Dovecot/u_e-dovecot-mail-crypt/" class="md-nav__link">
Mail crypt
</a>
</li>
<li class="md-nav__item">
<a href="../../Dovecot/u_e-dovecot-more/" class="md-nav__link">
More Examples with DOVEADM
</a>
</li>
<li class="md-nav__item">
<a href="../../Dovecot/u_e-dovecot-vmail-volume/" class="md-nav__link">
Move Maildir (vmail)
</a>
</li>
<li class="md-nav__item">
<a href="../../Dovecot/u_e-dovecot-public_folder/" class="md-nav__link">
Public folders
</a>
</li>
<li class="md-nav__item">
<a href="../../Dovecot/u_e-dovecot-static_master/" class="md-nav__link">
Static master user
</a>
</li>
<li class="md-nav__item">
<a href="../../Dovecot/u_e-dovecot-catchall_vacation/" class="md-nav__link">
Vacation replies for catchall addresses
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_8_5" type="checkbox" id="__nav_8_5" >
<label class="md-nav__link" for="__nav_8_5">
Nginx
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Nginx" data-md-level="2">
<label class="md-nav__title" for="__nav_8_5">
<span class="md-nav__icon md-icon"></span>
Nginx
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Nginx/u_e-nginx_webmail-site/" class="md-nav__link">
Create subdomain webmail.example.org
</a>
</li>
<li class="md-nav__item">
<a href="../../Nginx/u_e-nginx_custom/" class="md-nav__link">
Custom sites
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_8_6" type="checkbox" id="__nav_8_6" >
<label class="md-nav__link" for="__nav_8_6">
Watchdog
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Watchdog" data-md-level="2">
<label class="md-nav__title" for="__nav_8_6">
<span class="md-nav__icon md-icon"></span>
Watchdog
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Watchdog/u_e-watchdog-thresholds/" class="md-nav__link">
Thresholds
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../Redis/u_e-redis/" class="md-nav__link">
Redis
</a>
</li>
<li class="md-nav__item">
<a href="../../Rspamd/u_e-rspamd/" class="md-nav__link">
Rspamd
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_8_9" type="checkbox" id="__nav_8_9" >
<label class="md-nav__link" for="__nav_8_9">
ClamAV
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="ClamAV" data-md-level="2">
<label class="md-nav__title" for="__nav_8_9">
<span class="md-nav__icon md-icon"></span>
ClamAV
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../ClamAV/u_e-clamav-whitelist/" class="md-nav__link">
Whitelist
</a>
</li>
<li class="md-nav__item">
<a href="../../ClamAV/u_e-clamav-additional_dbs/" class="md-nav__link">
Additional Databases
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../SOGo/u_e-sogo/" class="md-nav__link">
SOGo
</a>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_8_11" type="checkbox" id="__nav_8_11" >
<label class="md-nav__link" for="__nav_8_11">
Docker
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Docker" data-md-level="2">
<label class="md-nav__title" for="__nav_8_11">
<span class="md-nav__icon md-icon"></span>
Docker
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../Docker/u_e-docker-cust_dockerfiles/" class="md-nav__link">
Customize Dockerfiles
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="../../u_e-why_unbound/" class="md-nav__link">
Why unbound?
</a>
</li>
<li class="md-nav__item">
<a href="../../u_e-autodiscover_config/" class="md-nav__link">
Autodiscover / Autoconfig
</a>
</li>
<li class="md-nav__item">
<a href="../../u_e-80_to_443/" class="md-nav__link">
Redirect HTTP to HTTPS
</a>
</li>
<li class="md-nav__item">
<a href="../../u_e-reeanble-weak-protocols/" class="md-nav__link">
Re-enable TLS 1.0 and TLS 1.1
</a>
</li>
<li class="md-nav__item">
<a href="../../u_e-update-hooks/" class="md-nav__link">
Run scripts before and after updates
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_9" type="checkbox" id="__nav_9" >
<label class="md-nav__link" for="__nav_9">
Client Configuration
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Client Configuration" data-md-level="1">
<label class="md-nav__title" for="__nav_9">
<span class="md-nav__icon md-icon"></span>
Client Configuration
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../client/client/" class="md-nav__link">
Overview
</a>
</li>
<li class="md-nav__item">
<a href="../../../client/client-android/" class="md-nav__link">
Android
</a>
</li>
<li class="md-nav__item">
<a href="../../../client/client-apple/" class="md-nav__link">
Apple macOS / iOS
</a>
</li>
<li class="md-nav__item">
<a href="../../../client/client-emclient/" class="md-nav__link">
eM Client
</a>
</li>
<li class="md-nav__item">
<a href="../../../client/client-kontact/" class="md-nav__link">
KDE Kontact
</a>
</li>
<li class="md-nav__item">
<a href="../../../client/client-outlook/" class="md-nav__link">
Microsoft Outlook
</a>
</li>
<li class="md-nav__item">
<a href="../../../client/client-thunderbird/" class="md-nav__link">
Mozilla Thunderbird
</a>
</li>
<li class="md-nav__item">
<a href="../../../client/client-windows/" class="md-nav__link">
Windows Mail
</a>
</li>
<li class="md-nav__item">
<a href="../../../client/client-manual/" class="md-nav__link">
Manual configuration
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item md-nav__item--nested">
<input class="md-nav__toggle md-toggle" data-md-toggle="__nav_10" type="checkbox" id="__nav_10" >
<label class="md-nav__link" for="__nav_10">
Third party apps
<span class="md-nav__icon md-icon"></span>
</label>
<nav class="md-nav" aria-label="Third party apps" data-md-level="1">
<label class="md-nav__title" for="__nav_10">
<span class="md-nav__icon md-icon"></span>
Third party apps
</label>
<ul class="md-nav__list" data-md-scrollfix>
<li class="md-nav__item">
<a href="../../../third_party/third_party-borgmatic/" class="md-nav__link">
Borgmatic Backup
</a>
</li>
<li class="md-nav__item">
<a href="../../../third_party/third_party-exchange_onprem/" class="md-nav__link">
Exchange Hybrid Setup
</a>
</li>
<li class="md-nav__item">
<a href="../../../third_party/third_party-gitea/" class="md-nav__link">
Gitea
</a>
</li>
<li class="md-nav__item">
<a href="../../../third_party/third_party-gogs/" class="md-nav__link">
Gogs
</a>
</li>
<li class="md-nav__item">
<a href="../../../third_party/third_party-mailman3/" class="md-nav__link">
Mailman 3
</a>
</li>
<li class="md-nav__item">
<a href="../../../third_party/third_party-mailpiler_integration/" class="md-nav__link">
Mailpiler Integration
</a>
</li>
<li class="md-nav__item">
<a href="../../../third_party/third_party-nextcloud/" class="md-nav__link">
Nextcloud
</a>
</li>
<li class="md-nav__item">
<a href="../../../third_party/third_party-portainer/" class="md-nav__link">
Portainer
</a>
</li>
<li class="md-nav__item">
<a href="../../../third_party/third_party-roundcube/" class="md-nav__link">
Roundcube
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-sidebar md-sidebar--secondary" data-md-component="sidebar" data-md-type="toc" >
<div class="md-sidebar__scrollwrap">
<div class="md-sidebar__inner">
<nav class="md-nav md-nav--secondary" aria-label="Table of contents">
<label class="md-nav__title" for="__toc">
<span class="md-nav__icon md-icon"></span>
Table of contents
</label>
<ul class="md-nav__list" data-md-component="toc" data-md-scrollfix>
<li class="md-nav__item">
<a href="#yubi-otp" class="md-nav__link">
Yubi OTP
</a>
<nav class="md-nav" aria-label="Yubi OTP">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#example-setup" class="md-nav__link">
Example setup
</a>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#webauthn-u2f-replacement" class="md-nav__link">
WebAuthn (U2F, replacement)
</a>
<nav class="md-nav" aria-label="WebAuthn (U2F, replacement)">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#what-will-happen-to-my-registered-fido-security-key-after-the-update-from-u2f-to-webauthn" class="md-nav__link">
What will happen to my registered Fido Security Key after the Update from U2F to WebAuthn?
</a>
</li>
<li class="md-nav__item">
<a href="#disable-unofficial-supported-fido-security-keys" class="md-nav__link">
Disable unofficial supported Fido Security Keys
</a>
<nav class="md-nav" aria-label="Disable unofficial supported Fido Security Keys">
<ul class="md-nav__list">
<li class="md-nav__item">
<a href="#example" class="md-nav__link">
Example:
</a>
</li>
<li class="md-nav__item">
<a href="#use-own-certificates-for-webauthn" class="md-nav__link">
Use own certificates for WebAuthn
</a>
</li>
<li class="md-nav__item">
<a href="#is-it-dangerous-to-keep-the-vendor-check-disabled" class="md-nav__link">
Is it dangerous to keep the Vendor Check disabled?
</a>
</li>
</ul>
</nav>
</li>
</ul>
</nav>
</li>
<li class="md-nav__item">
<a href="#totp" class="md-nav__link">
TOTP
</a>
</li>
</ul>
</nav>
</div>
</div>
</div>
<div class="md-content" data-md-component="content">
<article class="md-content__inner md-typeset">
<a href="https://github.com/mailcow/mailcow-dockerized-docs/edit/master/docs/manual-guides/mailcow-UI/u_e-mailcow_ui-tfa.en.md" title="Edit this page" class="md-content__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20.71 7.04c.39-.39.39-1.04 0-1.41l-2.34-2.34c-.37-.39-1.02-.39-1.41 0l-1.84 1.83 3.75 3.75M3 17.25V21h3.75L17.81 9.93l-3.75-3.75L3 17.25Z"/></svg>
</a>
<h1>Two-Factor Authentication</h1>
<p>So far three methods for <em>Two-Factor Authentication</em> are implemented: WebAuthn (replacing U2F since February 2022), Yubi OTP, and TOTP</p>
<ul>
<li>For WebAuthn to work, you need an encrypted connection to the server (HTTPS) as well as a FIDO security key.</li>
<li>Both WebAuthn and Yubi OTP work well with the fantastic <a href="https://www.yubico.com">Yubikey</a>.</li>
<li>While Yubi OTP needs an active internet connection and an API ID + key, WebAuthn will work with any Fido Security Key out of the box, but can only be used when mailcow is accessed over HTTPS.</li>
<li>WebAuthn and Yubi OTP support multiple keys per user.</li>
<li>As the third TFA method mailcow uses TOTP: time-based one-time passwords. Those passwords can be generated with apps like "Google Authenticator" after initially scanning a QR code or entering the given secret manually.</li>
</ul>
<p>As administrator you are able to temporary disable a domain administrators TFA login until they successfully logged in.</p>
<p>The key used to login will be displayed in green, while other keys remain grey.</p>
<p>Information on how to remove 2FA can be found <a href="../../../troubleshooting/debug-reset_pw/#remove-two-factor-authentication">here</a>.</p>
<h2 id="yubi-otp">Yubi OTP<a class="headerlink" href="#yubi-otp" title="Permanent link">&para;</a></h2>
<p>The Yubi API ID and Key will be checked against the Yubico Cloud API. When setting up TFA you will be asked for your personal API account for this key.
The API ID, API key and the first 12 characters (your YubiKeys ID in modhex) are stored in the MySQL table as secret.</p>
<h3 id="example-setup">Example setup<a class="headerlink" href="#example-setup" title="Permanent link">&para;</a></h3>
<p>First of all, the YubiKey must be configured for use as an OTP Generator. To do this, download the <code>YubiKey Manager</code> from the Yubico website: <a href="https://www.yubico.com/support/download/">here</a></p>
<p>In the following you configure the YubiKey for OTP.
Via the menu item <code>Applications</code> -&gt; <code>OTP</code> and a click on the <code>Configure</code> button. In the following menu select <code>Credential Type</code> -&gt; <code>Yubico OTP</code> and click on <code>Next</code>.</p>
<p>Set a checkmark in the <code>Use serial</code> checkbox, generate a <code>Private ID</code> and a <code>Secret key</code> via the buttons.
So that the YubiKey can be validated later, the checkmark in the <code>Upload</code> checkbox must also be set and then click on <code>Finish</code>.</p>
<p>Now a new browser window will open in which you have to enter an OTP of your YubiKey at the bottom of the form (click on the field and then tap on your YubiKey). Confirm the captcha and upload the information to the Yubico server by clicking 'Upload'. The processing of the data will take a moment.</p>
<p>After the generation was successful, you will be shown a <code>Client ID</code> and a <code>Secret key</code>, make a note of this information in a safe place.</p>
<p>Now you can select <code>Yubico OTP authentication</code> from the dropdown menu in the mailcow UI on the start page under <code>Access</code> -&gt; <code>Two-factor authentication</code>.
In the dialog that opened now you can enter a name for this YubiKey and insert the <code>Client ID</code> you noted before as well as the <code>Secret key</code> into the fields provided.
Finally, enter your current account password and, after selecting the <code>Touch Yubikey</code> field, touch your YubiKey button.</p>
<p>Congratulations! You can now log in to the mailcow UI using your YubiKey!</p>
<hr />
<h2 id="webauthn-u2f-replacement">WebAuthn (U2F, replacement)<a class="headerlink" href="#webauthn-u2f-replacement" title="Permanent link">&para;</a></h2>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p><strong>Since February 2022 Google Chrome has discarded support for U2F and standardized the use of WebAuthn.<br></strong>
<em>The WebAuthn (U2F removal) is part of mailcow since 21th January 2022, so if you want to use the Key past February 2022 please consider a update with the <code>update.sh</code></em> </p>
</div>
<p>To use WebAuthn, the browser must support this standard.</p>
<p>The following desktop browsers support this authentication type:</p>
<ul>
<li>Edge (&gt;=18)</li>
<li>Firefox (&gt;=60)</li>
<li>Chrome (&gt;=67)</li>
<li>Safari (&gt;=13)</li>
<li>Opera (&gt;=54)</li>
</ul>
<p>The following mobile browsers support this authentication type:</p>
<ul>
<li>Safari on iOS (&gt;=14.5)</li>
<li>Android Browser (&gt;=97)</li>
<li>Opera Mobile (&gt;=64)</li>
<li>Chrome for Android (&gt;=97)</li>
</ul>
<p>Sources: <a href="https://caniuse.com/webauthn">caniuse.com</a>, <a href="https://blog.mozilla.org/security/2019/04/04/shipping-fido-u2f-api-support-in-firefox/">blog.mozilla.org</a></p>
<p>WebAuthn works without an internet connection.</p>
<h3 id="what-will-happen-to-my-registered-fido-security-key-after-the-update-from-u2f-to-webauthn">What will happen to my registered Fido Security Key after the Update from U2F to WebAuthn?<a class="headerlink" href="#what-will-happen-to-my-registered-fido-security-key-after-the-update-from-u2f-to-webauthn" title="Permanent link">&para;</a></h3>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>With this new U2F replacement (WebAuthn) you have to re-register your Fido Security Key, thankfully WebAuthn is backwards compatible and supports the U2F protocol.</p>
</div>
<p>Ideally, the next time you log in (with the key), you should get a text box saying that your Fido Security Key has been removed due to the update to WebAuthn and deleted as a 2-factor authenticator.</p>
<p>But don't worry! You can simply re-register your existing key and use it as usual, you probably won't even notice a difference, except that your browser won't show the U2F deactivation message anymore.</p>
<h3 id="disable-unofficial-supported-fido-security-keys">Disable unofficial supported Fido Security Keys<a class="headerlink" href="#disable-unofficial-supported-fido-security-keys" title="Permanent link">&para;</a></h3>
<p>With WebAuthn there is the possibility to use only official Fido Security Keys (from the big brands like: Yubico, Apple, Nitro, Google, Huawei, Microsoft, etc.).</p>
<p>This is primarily for security purposes, as it allows administrators to ensure that only official hardware can be used in their environment.</p>
<p>To enable this feature, change the value <code>WEBAUTHN_ONLY_TRUSTED_VENDORS</code> in mailcow.conf from <code>n</code> to <code>y</code> and restart the affected containers with <code>docker compose up -d</code>.</p>
<p>The mailcow will now use the Vendor Certificates located in your mailcow directory under <code>data/web/inc/lib/WebAuthn/rootCertificates</code>. </p>
<h5 id="example">Example:<a class="headerlink" href="#example" title="Permanent link">&para;</a></h5>
<p>If you want to limit the official Vendor devices to Apple only you only need the Apple Vendor Certificate inside the <code>data/web/inc/lib/WebAuthn/rootCertificates</code>.
After you deleted all other certs you now only can activate WebAuthn 2FA with Apple devices.</p>
<p>That´s for every vendor the same, so choose what you like (if you want to).</p>
<h4 id="use-own-certificates-for-webauthn">Use own certificates for WebAuthn<a class="headerlink" href="#use-own-certificates-for-webauthn" title="Permanent link">&para;</a></h4>
<p>If you have a valid certificate from the vendor of your key you can also add it to your mailcow!</p>
<p>Just copy the certificate into the <code>data/web/inc/lib/WebAuthn/rootCertificates</code> folder and restart your mailcow.</p>
<p>Now you should be able to register this device as well, even though the verification for the vendor certificates is enabled, since you just added the certificate manually. </p>
<h4 id="is-it-dangerous-to-keep-the-vendor-check-disabled">Is it dangerous to keep the Vendor Check disabled?<a class="headerlink" href="#is-it-dangerous-to-keep-the-vendor-check-disabled" title="Permanent link">&para;</a></h4>
<p>No, it isn´t!
These vendor certificates are only used to verify original hardware, not to secure the registration process.</p>
<p>As you can read in these articles, the deactivation is not software security related:
- <a href="https://developers.yubico.com/U2F/Attestation_and_Metadata/">https://developers.yubico.com/U2F/Attestation_and_Metadata/</a>
- <a href="https://medium.com/webauthnworks/webauthn-fido2-demystifying-attestation-and-mds-efc3b3cb3651">https://medium.com/webauthnworks/webauthn-fido2-demystifying-attestation-and-mds-efc3b3cb3651</a>
- <a href="https://medium.com/webauthnworks/sorting-fido-ctap-webauthn-terminology-7d32067c0b01">https://medium.com/webauthnworks/sorting-fido-ctap-webauthn-terminology-7d32067c0b01</a></p>
<p>In the end, however, it is of course your decision to leave this check disabled or enabled. </p>
<hr />
<h2 id="totp">TOTP<a class="headerlink" href="#totp" title="Permanent link">&para;</a></h2>
<p>The best known TFA method mostly used with a smartphone.</p>
<p>To setup the TOTP method login to the Admin UI and select <code>Time-based OTP (TOTP)</code> from the list.</p>
<p>Now a modal will open in which you have to type in a name for your 2FA "device" (example: John Deer´s Smartphone) and the password of the affected Admin account (you are currently logged in with).</p>
<p>You have two seperate methods to register TOTP to your account:
1. Scan the QR-Code with your Authenticator App on a Smartphone or Tablet.
2. Use the TOTP Code (under the QR Code) in your TOTP Program or App (if you can´t scan a QR Code).</p>
<p>After you have registered the QR or TOTP code in the TOTP app/program of your choice you only need to enter the now generated TOTP token (in the app/program) as confirmation in the mailcow UI to finally activate the TOTP 2FA, otherwise it will not be activated even though the TOTP token is already generated in your app/program.</p>
<hr>
<div class="md-source-file">
<small>
Last update:
<span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-iso_datetime">2022-06-02 14:32:36</span>
</small>
</div>
</article>
</div>
</div>
<a href="#" class="md-top md-icon" data-md-component="top" hidden>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M13 20h-2V8l-5.5 5.5-1.42-1.42L12 4.16l7.92 7.92-1.42 1.42L13 8v12Z"/></svg>
Back to top
</a>
</main>
<footer class="md-footer">
<nav class="md-footer__inner md-grid" aria-label="Footer" >
<a href="../u_e-mailcow_ui-spamalias/" class="md-footer__link md-footer__link--prev" aria-label="Previous: Temporary email aliases" rel="prev">
<div class="md-footer__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11h12Z"/></svg>
</div>
<div class="md-footer__title">
<div class="md-ellipsis">
<span class="md-footer__direction">
Previous
</span>
Temporary email aliases
</div>
</div>
</a>
<a href="../u_e-mailcow_ui-fido/" class="md-footer__link md-footer__link--next" aria-label="Next: WebAuthn / FIDO2" rel="next">
<div class="md-footer__title">
<div class="md-ellipsis">
<span class="md-footer__direction">
Next
</span>
WebAuthn / FIDO2
</div>
</div>
<div class="md-footer__button md-icon">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11H4Z"/></svg>
</div>
</a>
</nav>
<div class="md-footer-meta md-typeset">
<div class="md-footer-meta__inner md-grid">
<div class="md-copyright">
<div class="md-copyright__highlight">
Copyright &copy; 2022 Servercow Team & Community
</div>
Made with
<a href="https://squidfunk.github.io/mkdocs-material/" target="_blank" rel="noopener">
Material for MkDocs
</a>
</div>
<div class="md-social">
<a href="https://mailcow.email" target="_blank" rel="noopener" title="mailcow.email" class="md-social__link">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><!--! Font Awesome Free 6.1.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M512 256c0 141.4-114.6 256-256 256S0 397.4 0 256 114.6 0 256 0s256 114.6 256 256zM57.71 192.1l9.36 17.3a64.042 64.042 0 0 0 38.03 29.8l57 16.5c18.1 4.9 29.9 20.6 29.9 38.5v39.9c0 11 6.2 21 16 25 9.8 5.8 16 15.8 16 26.8v39c0 15.6 14.9 26.8 29.9 22.5 16.2-4.6 28.6-18.3 32.7-33.7l2.8-11.2c4.2-16.9 15.2-31.4 30.3-40.1l8.1-4.6c15-8.5 24.2-24.4 24.2-41.7v-8.2c0-12.8-5.1-25-14.1-34l-3.8-3.8c-9-9-21.3-15-34-15h-44c-10.2 0-21.2-2-30.9-7.5l-34.5-19.8c-4.3-2.4-7.6-6.4-9.1-11.1-3.2-9.6 1.1-20 10.1-24.6l6-2.9c6.6-3.3 14.2-3.9 20.4-1.5l24.1 7.7c8.1 2.7 17.1-.4 21.9-7.5 4.7-7.1 4.2-16.4-1.2-22.9l-13.6-16.2c-10-12-9.9-29.5.3-41.3l15.7-18.38c8.8-10.27 10.2-24.96 3.5-36.7l-2.4-4.16c-4.3-.17-6.9-.26-10.4-.26-92.9 0-171.6 60.9-198.29 144.1zm379.89-37.6L412 164.8c-15.7 6.3-23.8 23.7-18.5 39.8l16.9 50.7c3.5 10.4 12 18.3 22.6 21l29.2 7.2c1.2-9 1.8-18.2 1.8-27.5 0-36.8-9.6-71.4-26.4-101.5z"/></svg>
</a>
<a href="https://github.com/mailcow" target="_blank" rel="noopener" title="github.com" class="md-social__link">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 480 512"><!--! Font Awesome Free 6.1.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M186.1 328.7c0 20.9-10.9 55.1-36.7 55.1s-36.7-34.2-36.7-55.1 10.9-55.1 36.7-55.1 36.7 34.2 36.7 55.1zM480 278.2c0 31.9-3.2 65.7-17.5 95-37.9 76.6-142.1 74.8-216.7 74.8-75.8 0-186.2 2.7-225.6-74.8-14.6-29-20.2-63.1-20.2-95 0-41.9 13.9-81.5 41.5-113.6-5.2-15.8-7.7-32.4-7.7-48.8 0-21.5 4.9-32.3 14.6-51.8 45.3 0 74.3 9 108.8 36 29-6.9 58.8-10 88.7-10 27 0 54.2 2.9 80.4 9.2 34-26.7 63-35.2 107.8-35.2 9.8 19.5 14.6 30.3 14.6 51.8 0 16.4-2.6 32.7-7.7 48.2 27.5 32.4 39 72.3 39 114.2zm-64.3 50.5c0-43.9-26.7-82.6-73.5-82.6-18.9 0-37 3.4-56 6-14.9 2.3-29.8 3.2-45.1 3.2-15.2 0-30.1-.9-45.1-3.2-18.7-2.6-37-6-56-6-46.8 0-73.5 38.7-73.5 82.6 0 87.8 80.4 101.3 150.4 101.3h48.2c70.3 0 150.6-13.4 150.6-101.3zm-82.6-55.1c-25.8 0-36.7 34.2-36.7 55.1s10.9 55.1 36.7 55.1 36.7-34.2 36.7-55.1-10.9-55.1-36.7-55.1z"/></svg>
</a>
<a href="https://twitter.com/mailcow_email" target="_blank" rel="noopener" title="twitter.com" class="md-social__link">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 512 512"><!--! Font Awesome Free 6.1.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2022 Fonticons, Inc.--><path d="M459.37 151.716c.325 4.548.325 9.097.325 13.645 0 138.72-105.583 298.558-298.558 298.558-59.452 0-114.68-17.219-161.137-47.106 8.447.974 16.568 1.299 25.34 1.299 49.055 0 94.213-16.568 130.274-44.832-46.132-.975-84.792-31.188-98.112-72.772 6.498.974 12.995 1.624 19.818 1.624 9.421 0 18.843-1.3 27.614-3.573-48.081-9.747-84.143-51.98-84.143-102.985v-1.299c13.969 7.797 30.214 12.67 47.431 13.319-28.264-18.843-46.781-51.005-46.781-87.391 0-19.492 5.197-37.36 14.294-52.954 51.655 63.675 129.3 105.258 216.365 109.807-1.624-7.797-2.599-15.918-2.599-24.04 0-57.828 46.782-104.934 104.934-104.934 30.213 0 57.502 12.67 76.67 33.137 23.715-4.548 46.456-13.32 66.599-25.34-7.798 24.366-24.366 44.833-46.132 57.827 21.117-2.273 41.584-8.122 60.426-16.243-14.292 20.791-32.161 39.308-52.628 54.253z"/></svg>
</a>
</div>
</div>
</div>
</footer>
</div>
<div class="md-dialog" data-md-component="dialog">
<div class="md-dialog__inner md-typeset"></div>
</div>
<script id="__config" type="application/json">{"base": "../../../..", "features": ["navigation.top", "navigation.tracking"], "search": "../../../../assets/javascripts/workers/search.85cb4492.min.js", "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.config.lang": "en", "search.config.pipeline": "trimmer, stopWordFilter", "search.config.separator": "[\\s\\-]+", "search.placeholder": "Search", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version.title": "Select version"}}</script>
<script src="../../../../assets/javascripts/bundle.a877e258.min.js"></script>
<script src="../../../../assets/javascripts/client.js"></script>
</body>
</html>