How to use two-factor authentication (2FA)
Starting April 2025, we are gradually introducing Login 2.0 for our customers, which includes an improved two-factor authentication. You can identify the appropriate guide in this article by the menu title under "Settings | mailbox.org":
- If the submenu reads "Two-Factor Authentication", follow the Improved Setup with TOTP code.
- If the submenu reads "One-Time Passwords", then follow the Setup with PIN + OTP token.
What is Two-Factor Authentication?
Two-Factor Authentication (2FA for short) is an additional security measure that requires two different forms of verification to confirm a user's identity. This method typically combines the password with a TOTP code (Time-Based One-Time Password).
2FA significantly enhances security by reducing the risk of unauthorized access to accounts or systems, even if a password is compromised. It provides an additional layer of protection since attackers would need not only the password but also the TOTP code.
Overview of 2FA Methods at mailbox.org
- Login with 2FA is optional.
- Two-factor authentication is also supported when you use mailbox.org with your custom domain.
Software Token (2FA App)
Also known as a "soft" token or OTP generator. Any OATH-compliant TOTP or HOTP generator, as well as mOTP generators, is compatible. You will need a smartphone and a 2FA app (e.g., KeePass, Bitwarden, or Apple Passwords).
For Android, make sure the 2FA app comes from a trusted source, such as F-Droid.
Hardware Token
- YubiKey from mailbox.org: These YubiKeys are validated against a YubiKey validation server that we operate ourselves. No data is sent to or synchronized with the YubiCloud.
- YubiKeys from Yubico: You can also use a YubiKey purchased from other vendors of the manufacturer Yubico. In this case, the one-time password is validated by the third-party YubiCloud.
- HOTP or TOTP compatible tokens: for example, Nitrokey Pro or Nitrokey Storage.
Activate 2FA - Software Token
If you have 2FA enabled and lose access to your 2FA app or YubiKey, the only way back into the account is a password reset, and that is only possible if you have set up a password reset method for your account. Set one up before you enable 2FA.
Improved Setup with TOTP code
Navigate to "Settings | mailbox.org | Two-factor authentication" (1) to set up a TOTP (time-based one-time password) in three steps:
- Name your device (2).
- Scan the QR code with your TOTP app (for example Bitwarden, KeePass or Apple Passwords) (3), or enter the secret key manually.
- Enter the TOTP code generated by your app in the text field (4) and click "Check code and activate TOTP" (5) (figure 1).
Figure 1
Done. The next time you log into the web client, there will be an additional prompt for the TOTP-code.
If you retrieve your emails using an external client (e.g. Thunderbird) and enable two-factor authentication, you will need to create a dedicated email app password for this client afterward. The standard login credentials will no longer be sufficient for security reasons.
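What the app stores when it scans the QR code, how it turns that secret into the six-digit code the "What is Two-Factor Authentication?" section describes, and how the server side should check it are shown in the following added example. This is illustrative code written for this article, not mailbox.org's implementation: the otpauth:// URI, the label and the issuer are constructed placeholders, and the secret is the public RFC 4226/6238 test key, so the computed codes can be checked against the RFC test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed provisioning URI of the kind a TOTP QR code encodes
# (the otpauth:// format understood by Google-Authenticator-compatible apps).
# The secret is the RFC 4226/6238 test key "12345678901234567890" in base32;
# label and issuer are placeholders, not what mailbox.org's QR code contains.
EXAMPLE_URI = (
    "otpauth://totp/mailbox.org:alice%40example.org"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=mailbox.org"
    "&algorithm=SHA1&digits=6&period=30"
)


def parse_otpauth(uri):
    """Decode what the app stores when it scans the QR code.

    The 'secret' is the long-term key shared with the server; anyone who
    sees the QR code (or a screenshot of it) can generate valid codes.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    b32 = q["secret"].upper()
    b32 += "=" * (-len(b32) % 8)  # apps usually omit base32 padding
    return {
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer"),
        "secret": base64.b32decode(b32),
        "algorithm": q.get("algorithm", "SHA1").lower(),
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
    }


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low 'digits' decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, period=30, digits=6, algorithm="sha1"):
    """RFC 6238: HOTP with the counter derived from Unix time // period."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // period, digits, algorithm)


def verify_totp(secret, candidate, at=None, period=30, digits=6,
                algorithm="sha1", window=1, last_counter=-1):
    """Server-side check of a submitted code.

    Accepts the current time step or one step either side (clock skew),
    compares in constant time, and refuses any step at or below the last
    one already used, so a captured code cannot be replayed within the
    window. Returns the accepted counter, or None on failure; the caller
    must persist the returned counter as the new last_counter.
    """
    if at is None:
        at = time.time()
    now = int(at) // period
    for step in range(now - window, now + window + 1):
        if step <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, step, digits, algorithm), candidate):
            return step
    return None


if __name__ == "__main__":
    cfg = parse_otpauth(EXAMPLE_URI)
    print("enrolled:", cfg["label"], "issuer:", cfg["issuer"])
    print("current code:", totp(cfg["secret"], period=cfg["period"], digits=cfg["digits"]))
    # RFC 6238 test vector: T=59 with 8 digits gives 94287082
    print("RFC 6238 vector:", totp(cfg["secret"], at=59, digits=8))
```

Two points the example makes concrete: the QR code is the secret key itself, so it must not be photographed, screenshotted or shared after enrollment; and a correct verifier tracks the last accepted time step, because a code intercepted within the 30-second period (plus the skew window) is otherwise still valid for the attacker.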
Setup with PIN + OTP-Token
- Access the settings page in your mailbox.org Office by clicking on the cogwheel symbol in the upper right corner of the window → mailbox.org → One Time Passwords:
a. Specify a four-digit PIN.
The PIN may contain uppercase and lowercase letters as well as numbers, but not any special characters. If you enter more than four characters, any excess characters will be trimmed and ignored.
Make a note of this PIN and keep it secure, either physically in a safe place, or by using a password safe application such as KeepassXC.
Make sure that both PIN fields contain the PIN before you continue.
b. Specify the desired security level.
We offer two different security levels for our two-factor authentication:
- Web service OTP, other Services password: This is the most common level for two-factor authentication at mailbox.org, and similar to how the majority of e-mail providers handle 2FA. You log in to the web interface using a PIN and a one-time password. All other services such as IMAP, POP3, SMTP, WebDAV, CalDAV, CardDAV or ActiveSync do not use 2FA and only require your (normal) password. You can continue to use local e-mail clients on your PC or smartphone, synchronize calendars with other devices, and so on. Note that at this level anyone who knows your password can still read your mail over IMAP or POP3; 2FA only protects the web login.
- Web service OTP, other Services off: This is a security level for special use cases that is only available at mailbox.org. After choosing this option, you will only be able to log in to the web client at https://www.mailbox.org using a PIN and a one-time password. All other services will be disabled for your account. This also means that you cannot use local e-mail clients or synchronize any data with mailbox.org.
c. Select the OTP method "OTP generators and other YubiKeys".
Screen snapshot: How to set up a soft token. For details on the individual steps a - g, please refer to the relevant descriptions in the text.
d. Create a token that will work with your device. It is usually safe to keep the suggested settings.
Android: FreeOTP or Google Authenticator. iPhone users can use the corresponding iOS OTP app.
To continue, the required app needs to be installed on your device. Open the app and grant camera access if asked.
Select the menu item for scanning a QR code. In FreeOTP+, this is found in the three-dot menu in the upper-right corner of the screen.
Once QR scanning works on your device, go back to the mailbox.org Office and click the "Enroll your token" button. A QR code will appear on the page. Scan it with the token generator app on your device. Do not photograph or save a screenshot of the QR code: it contains the secret key from which every future code is derived.
If everything went well, the token will be displayed in your device's token generator app (the example shown is from an Android 9 device using FreeOTP+).
Setting up a mailbox.org YubiKey
Access the settings page in your mailbox.org Office by clicking on the cogwheel symbol in the upper right corner of the window → mailbox.org → One Time Passwords:
a. Specify a four-digit PIN, and
b. specify the desired security level, exactly as described in steps a and b of "Setup with PIN + OTP-Token" above. The PIN rules and the two security levels ("Web service OTP, other Services password" and "Web service OTP, other Services off") are the same.
c. Now select the OTP method "mailbox.org YubiKey".
d. Insert the YubiKey into a free USB port on your computer and left-click into the empty form field next to "OTP password test".
Press the gold button with the Y symbol on the YubiKey once. A one-time password is generated and typed into the form field you just clicked. Each such code is valid only once; a code that has already been used is rejected by the validation server.
e. In the web interface, click the green button that says "Perform OTP Password test".
f. If the test was successful, click the "Save" button.
Please take note of the success message at the top of the page.
Finally, log out to finish the setup. Your two-factor authentication is now active. From now on, you log in with your PIN combined with the YubiKey's one-time password.