Note: Our documentation pages are a work in progress! If you can't find the answers you need, please email us to let us know. We'll be happy to answer your questions.
Two Factor Authentication (2FA) can be used to improve the security of your account. When enabled, you need two things to log in: your password (the first factor), and a generated code from an app or device (the second factor).
This makes your account harder to hijack: if one factor is stolen, the other still protects you.
We support two methods: Time-Based One-Time Passwords (TOTP) and Security keys.
A TOTP method is usually an app on your phone which generates a code that changes every minute. To log in, you enter that code after entering your password.
You can use any TOTP app you want. Google Authenticator (Android or iPhone) is an adequate choice. When you add a new TOTP method, we provide you with a QR code you can scan or a link you can click to add your new method to Google Authenticator.
A security key is usually a USB device or other compatible service. It uses cryptography and some manual action from you (possibly a button press) to ensure security. To add a security key, make sure you are using a recent version of your browser, and follow the instructions when your browser prompts you.
SMS codes are not offered because they are fairly insecure and expensive to send. Phone numbers are not designed to be secure identifiers, and attackers may be able to perform a "SIM port hack" to steal your phone number and thus your account.
Two-Factor Authentication mitigates some of the risk of a weak or reused password, but you should still use a strong, unique password anyway.
If you enable Two-Factor Authentication but need to use a third party IMAP or POP3 client which doesn't support it, you can create an app password to log in with them. App passwords give full access to your email, so treat them carefully. They cannot be used to log into the admin portal or change your password.
Backup codes are one-time use codes you can use for the Two-Factor Authentication step, in case you lose your access to your other methods. You should keep them in a safe place.
Backup codes can only be used in the user or administrative portals, not in webmail or IMAP.
Trusted devices are currently limited to devices for which you have active Webmail sessions. They will not require 2FA while logged in. You can revoke their trusted status at any time. As a current limitation, webmail sessions you have logged out of may still appear here.