
Two-factor authentication, iOS and macOS (app-specific password)

7201488 shared this question 1 year ago
Need Answer

Question 1:

I have set up 2FA for my mailbox account, and I have chosen Google Authenticator as the key generator. I want to keep using Apple's Mail.app, so how do I create an app-specific password for both the iOS Mail.app and the macOS Mail.app? (From what I know from my Google account with 2FA turned on, you have to create an app-specific password when you use your mail in an application.)

Question 2:

In mailbox.org's 2FA setup page, under "OTP security level", what is the difference between:

"Web service OTP, other services password" and "Web service OTP, other services off"? I have tried them both and there is no difference in the login procedure.

Comments (3)

2

Re question 1:

Mailbox.org has a slightly different setup / wording. If you enable 2FA, you use a PIN + second factor to log into webmail. The thing that mailbox.org calls the password is then used as the password for your apps, so in a sense it's the equivalent of Google's application-specific passwords, except it's not application-specific.

Re question 2:

If you choose "Web service OTP, other services password", you can access your email, contacts, calendar, … in your apps using the password. If you choose "Web service OTP, other services off", you can only access your account within your browser. This is more secure, given that you need 2FA for every access, but you can't use your apps anymore.

1

Re question 1:

Isn't it rather unsafe to not have an app-specific password?

In the end, do you have to choose between security and practicability?

1

Hi and sorry for the delayed response:

You're probably right that a password that can only be used in conjunction with a specific device would be safer. For this to work, mailbox.org would however have to track and fingerprint all of your devices to make sure that only device A can log in with password B. And this is probably diametrically opposed to mailbox.org's privacy stance.

So yes, it seems to be a security / privacy trade-off. The other question is how you think about the importance of this risk. Personally, I've decided that the combination of the password for my main devices (within trusted apps) + 2FA for everything I have less control over is good enough. I'm most worried about infected PCs that I don't control, and if my devices are compromised I probably have a problem anyway. But in the end it's of course an individual choice :)
