Two-factor authentication for OWA and Exchange Admin Center in 15 minutes

We've created an installer that helps to set up OWA two-factor authentication (Exchange 2013, 2016, 2019) and Exchange Admin Center (EAC) in just a few minutes

Exchange Server 2013, 2016, 2019

The Protectimus OWA protection solution allows you to set up two-factor authentication for connection to enterprise email servers running Microsoft Exchange 2016, 2019 and 2013 through the Outlook Web App client (formerly Microsoft Outlook Web Access). We also have a 2FA solution for Exchange 2010, it integrates directly into Active Directory.

Easy integration

You can deploy Outlook Web Access two-factor authentication in under 15 minutes. To begin setting up MFA for Microsoft Outlook Web App login page, register with the Protectimus service; create a resource, tokens, and users; and download and run the installer. Then, download and follow the setup instructions.

Direct protection for Exchange

You can also use the Protectimus DSPA component for protecting access to Outlook Exchange Server. It integrates directly into Active Directory. It changes users' passwords every few minutes: one part of the password remains unchanged, while the other is a TOTP password. In this case, you don't need to install the Protectimus OWA component.

2FA for Exchange Admin Center (EAC)

2FA for Exchange Admin Center

The updated Protectimus OWA 2FA component protects not only Outlook Web App users' accounts with two-factor authentication. It also adds MFA to the Exchange Admin Center (EAC). Protecting the Exchange Admin Center admins' accounts with 2FA is a top priority. Otherwise, the organization's data is at risk.

Group Policies Configuration

Group Policies Configuration

When installing the Protectimus OWA 2FA component for multi-factor authentication in Outlook Web App and Exchange Admin Center, you can configure group policies - select only one Active Directory group for which two-factor authentication will be activated. Or you may activate 2FA for all users at once.

Support for OCRA 2FA algorithm

Supports OCRA Algorithm

The Protectimus OWA 2FA solution supports all OATH authentication algorithms - HOTP, TOTP, and OCRA (OATH Challenge-Response Algorithm, RFC 6287). When generating OTP codes using the OCRA algorithm, the variable is a challenge received from the auth server. OCRA is the most secure OATH 2FA algorithm for today.

OWA 2-Factor Authentication:
Two Options

We offer two solutions for protecting access to Microsoft Exchange Outlook Web Access and Exchange Admin Center with multi-factor authentication:

1. Set up two-factor authentication for Outlook Web App (OWA) or Exchange Admin Center (EAC) using the Protectimus OWA 2FA component.

For hassle-free integration, download the installer and setup instructions below.

The Protectimus OWA 2FA solution allows you to:

- configure two-factor authenticationfor Outlook Web App and Exchange Admin Center exclusevely, multi-factor authentication will not be activated for any other services connected to Active Directory;
- use either Protectimus Cloud Multi-Factor Authentication Service or Protectimus Local MFA Platform;
- configure group policies during installation - activate two-factor authentication only for the selected Active Directory group;
- set the frequency with which users will enter one-time passwords to continue working with OWA, for example, every 12 hours;
- use any 2FA tokens for OWA and EAC two-factor authentication - HOTP, TOTP, or OCRA OTP tokens.

2. Set up two-factor authentication directly in Active Directory using the Protectimus DSPA (Dynamic Strong Password Authentication) component. After deploying the Protectimus DSPA component in your infrastructure, users' passwords in AD will consist of two parts: a static part (the user's standard password) and a dynamic part (a temporary password generated using the TOTP algorithm; the password change interval can be set by the administrator). A sample password of this type might look like "Password123456", where "Password" is the static part, and "123456" is the dynamic part. A strategy like this enables you to deploy two-factor authentication for all systems connected to Active Directory at once, including Outlook Web.

To use the Protectimus OWA component for multi factor authentication in OWA Webmail login, all you need to do is select a payment plan in our SaaS service. If you need it, the server component is also available as an on-premise platform. Additionally, with Protectimus OWA, your Web Outlook users will be able to use any one-time password delivery method, from email and SMS to hardware tokens.

If you choose the Protectimus DSPA component, you'll also need to purchase the Protectimus on-premise platform (for which prices start at $199 per month). The range of compatible tokens is more limited: for Microsoft multi-factor authentication via Protectimus DSPA you can choose the Protectimus Smart app, messaging service chatbots, or special hardware TOTP tokens produced only upon request.

Advanced features

Not only do we deliver and verify one-time passwords, but we also want to make the process of protecting Outlook OWA and Microsoft Outlook Exchange login with two-factor authentication as convenient for administrators as it is for users

User self-service

Administrators don't need to waste time assigning and issuing tokens to each OWA email user individually. They can activate the self-service feature, available by default to all Protectimus customers, giving their users the ability to create and manage tokens for Outlook two-factor authentication themselves.

Time-based filters

Time-based filters allow you to configure OWA multi-factor authentication so that users can only log in to their accounts at certain times of day, such as during business hours. This precludes the possibility of accounts being compromised outside business hours, greatly increasing the security level of your infrastructure.

Analytics and event notifications

We provide detailed reports about the operation of the Protectimus Outlook Web App two-factor authentication service: the number of successful and failed authentications, financial information, and much more. Administrators can also receive notifications for each important system event by email or phone.

Cloud service or on-premise platform

Protectimus is one of the few OWA two-factor authentication providers offering a choice of two cooperation models: SAAS or on-premise platform. But as our cloud service is already set up, ready to use, and available 24/7, we recommend you to start testing our OWA multi-factor auth service by registering at service.protectimus.com

Cloud service

The SaaS model is convenient. This is especially true when you don't have a large number of users (less than 99) to protect with OWA two factor auth. You don't need to think about purchasing and supporting new equipment on which to install the Protectimus two-factor authentication server, nor deploying a failover cluster or securing more infrastructure. We've taken care of all that for you. A powerful server cluster and load balancer work to ensure the stability of the Protectimus cloud service, distributing the load equally among all servers. We constantly monitor the state of our infrastructure and receive notifications for even the slightest deviation from the norm. All sensitive information is encrypted using a Hardware Security Module. Register for the Protectimus cloud service (service.protectimus.com) and start using Outlook Web App 2-factor authentication the very same day.

Local server

Often, corporate policies, legal regulations, or the requirements of particular operations require the installation of a two-factor authentication server on the client's premises. The Protectimus on-premise platform for Outlook Web App 2-step verification is ideal for these cases. Installing the Protectimus server on your own premises gives you full control over all data and processes, though it also comes with the burden of protecting the system from external threats and ensuring fault tolerance. There is no difference between the features of the cloud-based service and the local Protectimus platform for Outlook 2-factor authentication. User self-service, geographic and time-based filters, and event monitoring are all available in the on-premise version. What's more, since the authentication server is installed within your enterprise network, you can set up two-factor authentication for Outlook Web App as an offline service.

OTP tokens for Microsoft OWA

You can choose any of these OTP tokens for 2-factor authentication in Microsoft Outlook Web App: SMS; email; the free Protectimus Smart app; OTP delivery via Telegram, Viber, or Facebook Messenger; both traditional and reprogrammable hardware tokens

Email

One-time passwords delivered to users' inboxes for free, just don't send OTPs to OWA webmail, use any other email client

SMS

One-time codes delivered to OWA users via SMS; if you use the on-premise platform, you can connect any SMS provider

Smart

Protectimus Smart is a free 2FA app available for iOS and Android, users can additionally protect their apps with a PIN code

Two

Traditional, classic hardware tokens for OWA login protection with hard-coded secret keys, shaped like the key fobs

Slim

Using an Android smartphone with NFC, you can program a secret key into the Protectimus Slim NFC hardware token

Messengers

One-time passwords delivered to OWA app users via chatbots on Telegram, Viber, and Facebook, free and secure

How to set up OWA two-factor authentication with Protectimus

Set up two-factor for OWA in just a few minutes

Registering with the Service

Register with the cloud-based Protectimus multi-factor authentication service

Choose a payment plan

Navigate to the Service plans and activate the plan that meets your needs. To start testing the two-factor authentication solution for OWA, you can just activate the Free plan for now.

Create a resource

Resources are used to logically group users and tokens. Navigate to the Resources section. Then, click Add Resource and create a resource.

Add users and tokens

Navigate to the UsersUsers tab and add users. In the TokensTokens tab, create tokens. Assign the tokens to the corresponding users, and assign the Users with the Tokens to the Resource.

Install Protectimus OWA

Download the installer and setup instructions using the button below. Run the Protectimus OWA installer and follow the instructions.