The Email Gateway Defense (EGD) team has implemented a temporary passcode authentication method to allow users to access their shared mailbox and distribution list accounts. On April 25, 2023, this solution will be released to customers. Please see below for a step-by-step guide on how to enable and sign into EGD using temporary passcodes.  

Note: This sign-in method is optional. If you choose not to enable temporary passcode authentication for users, your sign-in flow will be unchanged.  

HOW IT WORKS   

Here’s a quick overview of how users can sign into EGD with temporary passcodes: 

• The administrator of an account will enable temporary passcode authentication on an account or domain level (or both). See Enabling Temporary Passcodes section below. This feature will create the below sign-in scenarios: 

  • If both SSO and temporary passcodes are enabled, users can choose to continue with normal SSO login or request a temporary passcode. 

  • If SSO is enabled but temporary passcodes are disabled, users will sign in through SSO as usual and will not be given the option to request a temporary passcode.  

  • If SSO is disabled but temporary passcodes are enabled, users will have the option to log in with their EGD credentials or request a temporary passcode. 

  • If both SSO and temporary passcodes are disabled, users will have to sign in with their EGD email and password credentials. 

• User clicks on a link in quarantine digest email and is prompted to log into EGD at https://ess.barracudanetworks.com/. 

• Instead of logging in with account password credentials, the user is given an option to request a temporary passcode. See Signing In with Temporary Passcodes section below for a step-by-step guide. 

• User requests the temporary passcode and an email containing the passcode is sent to the shared inbox. The passcode is valid for 15 minutes. The user copies and pastes the passcode into the sign-in field on their open browser window.   

• The user is then authenticated into EGD and can manage their quarantined mail, view their message log, and utilize the actions (Deliver, Allow List, Block List) from the digest email as expected. User is also authenticated for their entire 24-hour browser session. 

• Here’s a demo video describing the process: https://share.vidyard.com/watch/G1GvuwKtM6nE6iG3kt5zMf

ENABLING TEMPORARY PASSCODES (ADMIN SETTING)   

Upon release, the temporary passcode authentication process will be set to disabled by default. To enable temporary passcode authentication for your users, the administrator of the account must follow the below steps: 

• Account administrator signs into EGD  

• Click on Users tab  

• Click on Quarantine Notification tab 

• See new feature Allow users to sign in with temporary passcode (set to No by default) 

• To enable, select Yes for this feature  

• Click the Save Changes button on top right-hand side of the page  

• Temporary passcodes authentication is now an option for all users in this account 

  • Note: If you’d like to enable for only a specific domain, sign in as domain administrator and follow the same steps above  

SIGNING IN WITH TEMPORARY PASSCODES 

Once the admin setting is enabled, the users of a shared mailbox or distribution list will see a new option when they attempt to sign into the shared email address. See below for a step-by-step guide to authenticating with a temporary passcode:  

• User clicks on a link or button in their quarantine digest email (Manage Quarantine, View Message Log, Deliver, Allow List, Block List) or goes to directly to EGD site: https://ess.barracudanetworks.com/ 

• User is prompted to sign into EGD 

• User enters shared inbox or distribution list email address in Email Address field and clicks the Next button 

• If account is SSO enabled, user will see an intermediary page to allow them to choose between continuing with SSO login (not for shared email addresses) or shown the option to request a temporary passcode 

• If account does not have SSO enabled, user will be prompted to enter their password or shown the option to request a temporary passcode 

• User clicks on email a temporary passcode to send the passcode to the shared mailbox (Note: Passcode is valid for 15 minutes) 

• User receives an email to the shared inbox where they can copy the passcode and paste into Temporary passcode field (Note: Passcodes are case sensitive) and clicks Log in 

  • Note: Users can also request a new passcode by clicking resend temporary passcode 

• The user will then be signed into their Message Log and can manage their quarantine email 

• Now that the user has signed in with a temporary passcode, they are authenticated for the entire length of their browser session (24 hours) 

  • The user can now use the Deliver, Allow List, Block List buttons on the quarantine digest email as expected  

• If you have any questions on the above process, please contact Barracuda Networks Technical Support https://www.barracuda.com/support. 

Frequently Asked Questions (FAQs):  

What if someone else in the shared mailbox also requests a temporary passcode?   

If 2 users request a temporary passcode around the same time, 2 separate emails with different passcodes will be sent to the shared inbox. Both passcodes will be active for 15 minutes after they are requested, and either user can use either passcode within these 15 minutes. One passcode does not invalidate another. A passcode only becomes invalid after its 15-minute lifespan runs out.  

Only 5 passcodes are active at one time for each account. If users have requested 5 passcodes within the same 15 minutes, no more passcodes can be requested. Any of the 5 active passcodes can be used to authenticate. Once 1 of the 5 passcodes expires, another temporary passcode can be requested. 

How frequently do I need to sign in with a temporary passcode?   

Once you have signed in with a temporary passcode, you are authenticated into the account for the length of your browser session which is 24 hours. After your browser session has ended, you will need to request another temporary passcode to start another 24-hour session.  

What if my account uses SSO (Azure AD or LDAP) to log-in?   

If your Admin has set up your account to use Azure AD or LDAP authentication with Single Sign-On, they will need to enable the temporary passcodes feature in the Enabling Temporary Passcode section above. This will allow the users to sign in with a temporary passcode for a shared mailbox. For non-shared email addresses, users will still be able to sign in with their AD or LDAP credentials.   

How do I request a new temporary passcode?   

Press the resend temporary passcode link on the Enter temporary passcode page. If requested for a shared mailbox or distribution group, please wait a couple of minutes before requesting a new passcode as multiple emails may be sent to everyone in your shared mailbox or distribution list.  

What if I am still having trouble signing in?   

Please contact Barracuda Networks Technical Support at https://www.barracuda.com/support to help you log in or escalate your issue to the correct team.  

Related Campus Articles:

• https://campus.barracuda.com/product/emailgatewaydefense/doc/96023043/quarantine-notifications/

• https://campus.barracuda.com/product/emailgatewaydefense/doc/98227966/temporary-passcode-authentication/

When end users open their email digests going forward, they can still click “Manage Quarantine” or “View Message Log” buttons. However, these buttons will now direct them to the EGD login page prior to taking them into their account. Users can authenticate with their EGD account email and password, or through LDAP or Azure AD.  

Currently users that are members of a shared mailbox or distribution list will have to go through their account administrator to make adjustments to their quarantine mail. The EGD team is actively working on an alternative authentication approach for shared mailboxes. 

Admin feature "Require login credentials to access quarantined messages" Disabled: 

When Admins log in and select the Users Tab à Quarantine Notification, there is a feature named “Require login credentials to access quarantined messages.” This feature has been enabled to “Yes” for all users and greyed out to ensure that all end users must log in to view their accounts. 

Frequently Asked Questions (FAQs): 

What if I don’t know my password?  

If you have an EGD managed password/account login, you will be redirected to the EGD login page. Enter your email address and click “Next.” 

Once on the password submission page, click “Send login information.” This will trigger a password reset link to be sent to your email address. Go to your email to use the password reset link. 

What if I use Azure AD or LDAP to login?  

If your Admin has set you to have Azure AD or LDAP authentication with Single Sign-On, you will be automatically redirected to the AD or LDAP page for entering your credentials.  

What if I am a member of a shared mailbox or distribution list?  

If you are a member of a shared mailbox or distribution list, you will need contact your administrator to manage your quarantine, i.e. releasing an email or adding/removing a sender policy.  

What if I am still having trouble logging in?  

Please reach out to Customer Support at 1-408-342-5300. Our support team will be able to help you log in or escalate your concern to the EGD team.