Welcome to the mailbox.org user forum!
 

Why is the implementation of 2FA on this website so horrible?

max shared this idea 12 months ago
Proposed

So, like many others, I am very disappointed in the implementation of 2FA on mailbox.org. Currently there are three options regarding 2FA:

- Off, where there is no 2FA and the regular account password is used for all logins.

- Web service OTP, other services password, where you need the OTP to log in to the web service, but can use the normal account password for other services (like Thunderbird).

- Web service OTP, other services off, which is the same as above, except other services cannot be logged into (Thunderbird etc. is not usable).


All of these options are bad. Not having 2FA on IMAP services sort of defeats the point, because any potential bad actors can completely bypass 2FA by connecting via IMAP instead of the web interface. Turning these services off does solve these problems, but it's not a good solution, and honestly extremely misleading marketing. It's sort of like selling a house where "the doors can be locked", but only the front door can actually be locked, and the solution for the other doors and windows is to just barricade them. What if I want to look outside a window, or use the back door? (Like checking my email on my phone, as there is no Android app for mailbox.org.)

Well, then I just have to live with the fact that anyone can open my window or back door and walk into my house.

All of this is not even considering the fact that the current implementation (PIN and OTP in the password field) is a terrible user experience and very unintuitive. I honestly think this has made multiple users refrain from using OTPs, which is the exact opposite effect of what we want.

To end this rant, I want to propose a solution: just do what all the others are doing. Just make a normal implementation that isn't confusing, and doesn't need a support article to understand how to log in again. Nextcloud, for example, does this very well:

Normal password and then OTP when logging in to website and supported clients, and unsupported clients can use app-specific passwords. At the very least this is as secure as the current mailbox.org implementation, and a lot more intuitive.

Please, for the love of all that is mighty, consider this. Thank you.

Replies (8)

3

I agree to implement what is now a "standard": password + OTP and app-specific password for other services.

Anyway, I don't think a specific password for IMAP is more secure than the current implementation.
Now you have PIN + OTP for the website and one global specific password for other services.

2

@max: I got exactly the same thoughts. The current solution ends up in the situation that only the password option will be used by lots of users, as they don't look up the OTP each time.


Two proposals/wishes from my side:

- PIN (or password) + OTP would be fine if there were an option to define trusted devices. So one can decide if one or two devices (e.g. at home) are trusted and all other devices need PIN (or password) + OTP to log in.

- An app-specific password should be generated by the webmailer. The option to leave it to the user to choose a password leads to weak passwords.


Hope someone reads these posts here.
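Added example, not from any poster in this thread and not mailbox.org's code: a small Python model of the design proposed above (account password + TOTP on the web service, server-generated and revocable app-specific passwords for IMAP/SMTP clients, the account password rejected on IMAP so it cannot bypass the OTP). The `totp` function follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits) and reproduces the RFC test vectors; the `Account` class, its method names, the demo seed and the sample password are all constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import string
import struct
from typing import Optional

# Constructed model of "password + TOTP on the web, generated app passwords
# for IMAP/SMTP". Names and sample values are illustrative only.


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the algorithm authenticator apps use."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def _hash(secret: str, salt: bytes) -> bytes:
    """Slow salted hash so neither passwords nor app passwords are stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)


class Account:
    """Hypothetical account record: one account password, one TOTP seed,
    and any number of revocable, server-generated app-specific passwords."""

    def __init__(self, password: str, totp_secret: bytes):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = _hash(password, self._salt)
        self._totp_secret = totp_secret
        self._app_passwords = {}   # label -> (salt, hash); plaintext is never kept
        self._last_counter = -1    # highest accepted time step, to reject replayed codes

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password, self._salt), self._pw_hash)

    def verify_totp(self, code: str, at: int, step: int = 30, window: int = 1) -> bool:
        """Accept the current step and +/- `window` steps of clock skew, each code once."""
        for delta in range(-window, window + 1):
            t = at + delta * step
            counter = t // step
            if counter <= self._last_counter:    # already used (or older) -> replay
                continue
            if hmac.compare_digest(totp(self._totp_secret, t, step), code):
                self._last_counter = counter
                return True
        return False

    def issue_app_password(self, label: str) -> str:
        """The server picks the secret (no user-chosen weak passwords); shown once."""
        alphabet = string.ascii_lowercase + string.digits
        raw = "".join(secrets.choice(alphabet) for _ in range(16))
        salt = secrets.token_bytes(16)
        self._app_passwords[label] = (salt, _hash(raw, salt))
        return "-".join(raw[i:i + 4] for i in range(0, 16, 4))  # grouped for typing

    def revoke_app_password(self, label: str) -> None:
        self._app_passwords.pop(label, None)

    def check_app_password(self, candidate: str) -> Optional[str]:
        """Return the label of the matching app password, or None."""
        raw = candidate.replace("-", "")
        for label, (salt, digest) in self._app_passwords.items():
            if hmac.compare_digest(_hash(raw, salt), digest):
                return label
        return None


def login_web(acct: Account, password: str, code: str, at: int) -> bool:
    """Web service: the account password AND a fresh TOTP code are both required."""
    return acct.check_password(password) and acct.verify_totp(code, at)


def login_imap(acct: Account, secret: str) -> bool:
    """IMAP/SMTP: only app-specific passwords are accepted. The account password
    is deliberately rejected here; accepting it would let IMAP bypass the OTP."""
    return acct.check_app_password(secret) is not None


if __name__ == "__main__":
    seed = base64.b32decode("JBSWY3DPEHPK3PXP")     # constructed demo seed
    acct = Account("correct-horse-battery", seed)
    now = 1_700_000_000
    print("web, password only:   ", login_web(acct, "correct-horse-battery", "000000", now))
    print("web, password + OTP:  ", login_web(acct, "correct-horse-battery", totp(seed, now), now))
    print("imap, account password:", login_imap(acct, "correct-horse-battery"))
    app_pw = acct.issue_app_password("thunderbird")
    print("imap, app password:    ", login_imap(acct, app_pw))
    acct.revoke_app_password("thunderbird")
    print("imap, after revoke:    ", login_imap(acct, app_pw))
```

Two design points worth noting: the app password is only ever returned once and stored hashed, so a leaked database does not yield working IMAP credentials, and each app password carries a label, so a single lost phone can be revoked without touching the account password or the other clients.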

2

I'm really glad the community in general feels strongly about this issue, thank you to other posters for using their time to express their opinions as well. I hope to see some kind of acknowledgment from mailbox.org team about this problem. 2FA needs to be better.

2

I too would love a "standard" two factor authentication implementation where I can use an authenticator app like Aegis to register and obtain OTP to verify my authentications. Hope this gets implemented soon.

1

I second this. I know friends and family members that haven't turned it on because it's so complicated / different to all the other websites out there.

1

Found out about the beta program. Signed up, activated 2FA, it works. Thanks.

1

Apparently the now available beta program offers better 2FA experience: https://userforum-en.mailbox.org/topic/lets-talk-about-2fa-on-this-website-again#comment-3733

I did not yet test it myself.

EDIT: I've just realized that Yubikeys are not supported in the new 2FA login process -- this is disappointing.

1

The most secure option would be PassKeys following the FIDO2 standard. Ideally, these should be stored on a YubiKey used across all devices and applications. However, there’s no issue with having multiple PassKeys stored on the security chips of your various devices.

Currently, no email client supports PassKeys, but this doesn’t mean support won’t be added in the future.

With PassKeys, passwords are no longer necessary. They rely on asymmetric cryptography, where the private keys are typically protected by hardware within your device. On compatible devices, these keys can also be accessed through biometric authentication if desired.

Adding a second factor, such as a TOTP authenticator app, would be optional. Even without it, PassKeys offer significantly higher security than passwords and many common two-factor authentication (2FA) methods. For example, SMS-based 2FA is still widely used, despite being vulnerable to attacks that exploit weaknesses in the aging SMS standard, making it relatively easy for attackers to hijack mobile phone numbers.

That said, PassKeys—often poorly translated into German as "Hauptschlüssel"—are primarily adopted by mid- to large-sized English-speaking or international websites. German websites, unfortunately, lag behind in this area. For instance, while Telekom recently introduced PassKey support, it lacks compatibility with YubiKeys. Moreover, only a handful of German websites support 2FA, whereas its adoption is far more widespread among English-speaking websites.

It’s frustrating to see Germany trailing in this area, especially when many ready-to-use templates are available online for implementing 2FA and PassKeys in a matter of minutes. Despite the abundance of tools and resources, Germany still feels stuck in "Neuland" (uncharted territory).

1

@Frederik Fischbach:
I looked into the new 2FA system, and it definitely seems better than what we had before.

Also, YubiKeys are supported in both the old and the new system—just not the cheaper Yubico Security Keys, which only support FIDO2/PassKeys. However, the "standard" YubiKeys fully support OATH-TOTP.

By using the Yubico Authenticator App, you can either scan the QR code or enter the TOTP seed. This information is then securely stored on the YubiKey (non-exportable), which is far more secure than traditional authenticator apps. Most apps store the TOTP seeds either on disk, SD cards, or even in the cloud, making them less secure in comparison.
