Two-factor authentication support
Still no support for SMS authentication or strong two-factor authentication with RADIUS.
The user /admin interface is looking good. Can wait to upgrade my 8.x version :)
2-Step Verification (official name) for WebMail will be available in Axigen X3.
-
Anonymous commented
Kindly implement 2 Factor Authentication for Mail service, and also apply it to POP3/IMAP/SMTP etc.
-
Nico commented
Please do not just implement 2FA for the WebMail service. It should also apply to IMAP/POP3/SMTP as well as ActiveSync. You should implement "App Passwords" for IMAP etc. similar to Google and Zimbra:
https://support.google.com/accounts/answer/185833?hl=en
https://wiki.zimbra.com/wiki/Zimbra_Two-factor_authentication
-
Daniel Abelski commented
By news I mean - when should we expect this feature?
-
Daniel Abelski commented
Hi. Any news on the TOTP and the Google Authenticator 2FA? This will be the best solution for us.
As for enforcing - I think that asking for the 2FA every time will be too much, but it should work like Gmail - every new device should trigger 2FA for access to the webmail. And changing the password should also ask for the second factor.
-
AdminGabriel (PM, Axigen) commented
Hi,
We plan to support 2 factor authentication (2FA) using a standard TOTP and the Google Authenticator mobile app for Android / iOS. This solution is currently still in research, but it's the most likely scenario.
A couple more details:
* In the initial implementation, it will be available for the WebMail service (WebMail, Standard WebMail, Mobile WebMail)
* The admin will be able to: 1. not use 2FA at all; 2. enable 2FA and let the users choose whether they want to activate it or not on their account; 3. enable and enforce 2FA (most likely by account class)
* The activation will be done by the user by scanning a QR code with their phone, which will pair their account with their mobile device.
At this point, this is how we're looking at 2FA. Regarding third parties using it, this will not be included, at least in the initial version.
-
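An added illustration of the scheme outlined in the comment above (not Axigen's code and not part of the thread): RFC 6238 TOTP as Google Authenticator computes it, the `otpauth://` key URI that an enrolment QR code carries, and the three admin modes. The policy names `off`, `optional` and `enforced`, the account and the issuer are hypothetical; the key is the RFC 6238 test key.

```python
import base64, hashlib, hmac, struct
from urllib.parse import quote

SECRET = b"12345678901234567890"  # RFC 6238 test key, not a real credential

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA-1, the Google Authenticator default."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """Key URI that the QR code shown at activation encodes."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = f"{quote(issuer)}:{quote(account)}"
    return f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"

def verify(secret: bytes, submitted: str, at: float,
           last_counter: int = -1, window: int = 1, step: int = 30):
    """Return the matched time-step counter, or None.

    Tolerates +/- `window` steps of clock drift and refuses any step at or
    before `last_counter`, so an observed code cannot be replayed.
    """
    if not (submitted.isascii() and submitted.isdigit() and len(submitted) == 6):
        return None
    now = int(at) // step
    for c in range(now - window, now + window + 1):
        expected = totp(secret, c * step, step)
        if c > last_counter and hmac.compare_digest(expected, submitted):
            return c
    return None

def second_factor_required(policy: str, user_enrolled: bool) -> bool:
    """Map the three admin modes (hypothetical names) to a login decision."""
    if policy == "off":
        return False
    if policy == "enforced":
        return True  # a user who has not enrolled must enrol before access
    if policy == "optional":
        return user_enrolled
    raise ValueError(f"unknown policy: {policy}")
```

The server stores the counter returned by `verify` per account and passes it back as `last_counter` on the next login.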
Ágoston DEIM commented
Hello,
Will the support for two-factor auth be framework based or with totally separate modules? Or will you provide an API where the various solutions will be able to connect and say "yes" or "no" to the authentication frontend? Do you plan to support U2F based auth and/or Yubico OTP/OATH/etc?
Regards, Agoston
-
Jacob Haug commented
This would be really nice to have as well. I wish I had more votes. I would see this being used to secure both WebMail and WebAdmin. You have a few options in this regard.
1) You could do it with SMS and use a service like Twilio. I guess in the WebAdmin area you could ask users to enter their API key so it doesn't cost you anything.
2) You could implement something like Authy or DuoSecurity. (https://www.authy.com/ || https://www.duosecurity.com/) That would take the engineering side out of the equation and allow you to get up and running with 2FA quickly. However, perhaps with some cost to you or your customers.
It's my opinion this would be of major use to your customers and their clients. 2FA provides that extra layer of security. You can't really control what your users set their password to... sure, you have policies to ensure they must change passwords often... but 2FA takes a little worry off me and my group.
This is a pretty neat site that shows what large services have 2FA and/or don't have it.
https://twofactorauth.org/
Hope this helps!
~Jacob
-
Jack commented
You can integrate webmail access with username/password + One-Time Password for example.
Other email and web servers are integrating this feature because one single authentication does not provide enough security level. You could add this and allow admins to force the use of one-time passwords for an entire domain or a single user. Also you could allow users to choose whether or not to enable one-time passwords.
There are many one-time passwords that you can integrate with, available for Android and iPhone.