Welcome to the mailbox.org user forum!

Is it possible to use IMAP with two-factor authentication (2FA) enabled?

6458976 shared this question 2 years ago

I want to use my e-mail with 2FA and I want to know if it will be possible to keep using IMAP when I set up 2FA. Also, will programs using IMAP prompt me for 2FA all the time?

Comments (2)


IMAP does not support 2FA. However, you can choose to protect your web login with 2FA and let IMAP authenticate only with your username and account password (how you probably usually authenticate with IMAP). Just select "Web Service OTP, other Services password" when you enable 2FA.

Note that Mailbox 2FA does work in a different way than most services that have 2FA. Read more about it here: https://userforum-en.mailbox.org/knowledge-base/article/is-there-a-two-factor-authentication


What I have wondered about this is if it would be possible to authenticate through OAuth2 and thus have a 2FA TOTP code. People mention "application specific passwords"; that was an old Google terminology. That is still possible; Google now refers to these as "less secure app access".

Not all mail clients support this. In fact I think Thunderbird is the only one which I've seen that does. It requires an XML AutoConfiguration file.

For example, Google: when you enter an address ending in @gmail.com, it will automatically locate the autoconfig file. A little contextual window (which is the actual Google login) will appear. That window is limited to that page specifically. You can see the URL in the loginPage parameter.

It looks as if Open-Xchange does support E-Mail Authentication with OAuth 2.0. See Mail access via XOAuth2 or OAUTHBEARER.

In time it should even be possible to authenticate with WebAuthn, when OX is updated to support that. OAuth is the way to 'authenticate' in more complex ways than a simple password.

Obviously this would require changes at Mailbox, and authenticating with your Google Account is probably not what people have in mind, so Mailbox would need to become their own OAuth provider I guess.
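
An added illustration, not part of either comment above and not mailbox.org or Open-Xchange code: what an IMAP client sends for the XOAUTH2 and OAUTHBEARER mechanisms mentioned in the thread. The second factor is checked by whoever issues the token, so the IMAP server only ever sees a bearer token, never the account password. The user, token and host values are constructed, and fetching the token is assumed to have happened already.

```python
import base64

SEP = "\x01"  # Ctrl-A, the field separator both mechanisms use


def xoauth2_response(user, access_token):
    """SASL XOAUTH2 initial client response (before base64)."""
    return f"user={user}{SEP}auth=Bearer {access_token}{SEP}{SEP}".encode()


def oauthbearer_response(user, access_token, host, port=993):
    """SASL OAUTHBEARER initial client response, RFC 7628 (before base64)."""
    return (f"n,a={user},{SEP}host={host}{SEP}port={port}{SEP}"
            f"auth=Bearer {access_token}{SEP}{SEP}").encode()


def wire(raw):
    """Base64 form that follows 'AUTHENTICATE <mechanism>' on the wire."""
    return base64.b64encode(raw).decode()


def parse_response(raw):
    """Server-side view: return (user, token), or raise ValueError."""
    text = raw.decode("utf-8")
    if not text.endswith(SEP + SEP):
        raise ValueError("missing terminator")
    fields = text[:-2].split(SEP)
    user = None
    if fields[0].startswith("n,"):  # OAUTHBEARER starts with a GS2 header
        for part in fields[0].split(","):
            if part.startswith("a="):
                user = part[2:]
        fields = fields[1:]
    kv = dict(f.split("=", 1) for f in fields if "=" in f)
    user = user or kv.get("user")
    scheme, _, token = kv.get("auth", "").partition(" ")
    if not user or scheme != "Bearer" or not token:
        raise ValueError("not a bearer-token response")
    return user, token


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    u, t = "alice@example.org", "constructed-token-123=="
    print("AUTHENTICATE XOAUTH2", wire(xoauth2_response(u, t)))
    print("AUTHENTICATE OAUTHBEARER",
          wire(oauthbearer_response(u, t, "imap.example.org")))
```

With Python's `imaplib`, the raw bytes (not the base64 form) are what the callback passed to `IMAP4.authenticate()` returns, since `imaplib` does the base64 encoding itself.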