Note: Our documentation pages are a work in progress! If you can't find the answers you need, please email us to let us know. We'll be happy to answer your questions.
Two Factor Authentication
Two Factor Authentication (2FA) can be used to improve the security of your account. When enabled, you need two things to log in: your password (the first factor), and a generated code from an app or device (the second factor).
This makes your account harder to hijack, since if one of your factors is stolen, you can still rely on the other to keep you safe.
Methods #
We support two methods: Time-Based One-Time Passwords (TOTP) and Security keys.
Time-Based One-Time Passwords (TOTP) #
This is usually an app on your phone which generates a code that changes every minute. To log in, you simply enter that code after entering your password.
You can use any TOTP app you want. Google Authenticator (Android or iPhone) is an adequate choice. When you add a new TOTP method, we provide you with a QR code you can scan or a link you can click to add your new method to Google Authenticator.
Security Keys #
A security key is usually a USB device or other compatible service. It uses cryptography and some manual action from you (possibly a button press) to ensure security. To add a security key, make sure you are using a recent version of your browser, and follow instructions when your browser prompts you.
Why not SMS codes? #
SMS codes are fairly insecure and are expensive to send. Phone numbers are not designed to be secure identifiers, and attackers may be able to perform a "SIM port hack" to steal your phone number and thus account.
Is 2FA a substitute for using a strong, unique password? #
It mitigates some of the risk of using a weak and reused password, but you should still use a strong and unique password anyway.
App Passwords #
If you enable Two-Factor Authentication but need to use a third party IMAP or POP3 client which doesn't support it, you can create an app password to log in with them. App passwords give full access to your email, so treat them carefully. They cannot be used to log into the admin portal or change your password.
Note that spaces don't matter in an app password.
Backup Codes #
Backup codes are one-time use codes you can use for the Two-Factor Authentication step, in case you lose your access to your other methods. You should keep them in a safe place.
Backup codes can only be used by the user or administrative portals, not webmail or IMAP.
Trusted Devices #
The "Trusted Devices" section in the user management section shows devices for which you have active Webmail sessions. You can revoke their trusted status at any time.
Trusted Devices will expire three months after last use, or one week after last use if another device with the same IP is active.