We have the requirement that we must secure the Domino internet services with MFA. There are several options to achieve this:
X.509 Certificates (Client certificates)
TOTP (Time-based One-time Password)
OIDC (OpenID Connect)
SAML (Security Assertion Markup Language)
…?
Our environment:
Domino 12.0.2 cluster
(Notes: MFA by means of the id file)
iNotes / Verse
Traveler: Verse Mobile, iOS Mail, HTMO
IMAP+SMTP
LDAP
In Domino 12 client certificates are not a real MFA solution because the option is to use passwords or certificates but not both.
While TOTP only covers iNotes/Verse and Verse Mobile, OIDC only covers iNotes/Verse, IMAP and LDAP. SAML seems to be the most complex option to implement.
Is it possible in Domino 14.5 to require both client certificate AND password?
What would be the “simplest” option for Domino 12 or even for Domino 14.5?
In response to your questions about the “Client Certificate AND Password” setup and the simplest deployment options:
Is your end goal actually to use Passkeys? I ask because that specific combination usually points toward that requirement.
Passkey authentication was introduced in Domino 14.0. It is supported on Windows and Linux 64-bit servers, but please be aware it is not supported on iOS 10 or below.
Thank you for mentioning passkey authentication. Our goal is to use one authentication option that covers as many applications as possible. Client certificates seem to meet this requirement.
Hence my question: Is it possible to require both client certificate AND internet password as authentication factors in Domino 14.5?
No, this is not possible if you’re asking about native behavior (the normal SSL authentication). SSL Authentication:
Name & password: Yes/No
Client certificate: Yes/No
If you set both to Yes, these two behaviours may happen.
Scenario A. The user’s browser sends a Client Certificate. Domino validates it, maps it to a user, and logs them in immediately. No password is asked.
Scenario B. The user does not send a certificate (or sends an invalid one). Domino falls back to Basic Auth or Form-based Auth and asks for a Username and Password.
Domino native logic assumes that if you possess the certificate, you are the user. It does not natively chain them together as a two-step requirement for a single session.
I still recommend the passkey as this might be the nearest possible replacement for cert+password.
If I understand correctly, authentication with passkeys would be the simplest method to implement. All we need is to:
1.) Upgrade to Domino 14
2.) Create passkey.nsf
3.) Enable passkey authentication in the Internet Site document
4.) Create a new “Sign In” Form Mapping with the Target Form set to “$$LoginUserFormPasskey”.
Is passkey authentication also supported by IMAP and LDAP on Domino?
Verse and Traveler are running on the same server and have the same Internet Site document (one ip address). How can Traveler be exempted from using passkeys authentication?
> Is passkey authentication also supported by IMAP and LDAP on Domino?
The answer is No. Passkeys (WebAuthn) rely on a challenge-response mechanism that requires a modern web browser (JavaScript/HTML5). Legacy protocols like IMAP, POP3, and LDAP do not support this interaction.
When you enable Passkeys for HTTP, your IMAP and LDAP ports will continue to effectively use Basic Authentication (Username & Internet Password).
Your web users (Verse/iNotes) will be secured by MFA (Passkeys), but if you leave IMAP open to the internet, attackers could still try to brute-force the “Internet Password” on port 143/993.
> Verse and Traveler are running on the same server and have the same Internet Site document (one ip address). How can Traveler be exempted from using passkeys authentication?
Since HCL Verse and HCL Traveler share the same Internet Site (and thus the same Session Authentication settings), enabling the Passkey login form for the whole site could break the Traveler mobile clients (which expect a standard password login or Basic Auth).
You can exempt Traveler by creating an override rule:
Configure the Rule:
Description: Enter a description (e.g., “Traveler Override”).
Type of rule: Select Override session authentication from the dropdown menu.
It has been decided to go for the certificates for the moment because they can be implemented immediately. We want to exempt the Traveler applications from using certificates (and instead use the mobile device management capabilities of Traveler).
Although there is a rule in the Internet Site document for HTTP that overrides session authentication, when I enable “Client certificate: Yes” the Verse mobile app does require a certificate! The rule was created many years ago by the Traveler installer. It looks exactly the same as the rule you provided and works properly, as basic authentication is used for the Traveler homepage (and form-based authentication for iNotes and Verse).
Is there a way to have different “Web Site” type Internet Site Documents for iNotes/Verse and for Traveler? For example using a “default site” web site and a specific web site?
Additionally, is there a way to protect SMTP with certificates?
How many users is your Domino/Verse/Traveler serving?
As per your inquiry, I believe you’re running Traveler on top of your main mailbox Domino server.
Let’s hear other experts’ opinions, but you might consider running Traveler on a different Domino server, I mean, other than your actual mailbox server.
No, no way! We use Traveler and iNotes/Verse on the same Domino servers under Linux since the first release of Traveler for Linux. And it works without any problem!