Hi, I searched around in the 2FA settings on the Zimbra Admin page and in the Admin guide, but I did not find an option that allows disabling the 2FA request if the connection comes from a specific / trusted network (e.g. users connecting from the internal LAN or the headquarters' public IPs). Is there a way to achieve this on Zimbra Network 10.1? Or is this option just missing?
Thanks!
Do not ask for 2FA if connection comes from specific network
- adrian.gibanel.btactic
- Outstanding Member

- Posts: 506
- Joined: Thu Jan 30, 2014 11:13 am
- Contact:
Re: Do not ask for 2FA if connection comes from specific network
The option is missing, and it's rather difficult for third-party 2FA implementations to provide because the client IP is not exposed to the 2FA extension when the login is done.
The most similar option you have is Trusted devices.
- L. Mark Stone
- Ambassador

- Posts: 2911
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.13 Network Edition
- Contact:
Re: Do not ask for 2FA if connection comes from specific network
From a security standpoint, if 2FA is meant to confirm the user attempting to sign in is indeed the user whose credentials are being offered, does it matter where the login attempt is taking place?
Unless all of the devices in a network require something like SmartCard access, 2FA is still a good idea. Even then, what's to stop a bad actor from using their own device on a network deemed sufficiently trusted to eliminate the need for 2FA for logins emanating from that network?
Good security is cultural as well as technical, and Zimbra's 2FA is missing many features which these days are standard (think no 2FA for ActiveSync, no QR code setup, no FIDO2 key support, etc.), so I can appreciate that implementing Zimbra 2FA from a "trusted" network might seem to be less critical than requiring 2FA from a remote network.
IMHO, it's still an added risk, and many data breaches/exfiltrations have been performed by disgruntled employees, trusted vendors, etc. -- all of whom you might expect would have access to the trusted network.
But to be fair, different organizations have different risk profiles, so different decisions in different places are totally acceptable and proper.
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate