I suggest you ...

2-factor Authentication

Multi-factor authentication is not a luxury anymore, it's a basic necessity for any service that truly puts a high value on privacy.

1,426 votes
Vote
Sign in
(thinking…)
Sign in with: facebook google
Signed in as (Sign out)
You have left! (?) (thinking…)
Anonymous shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

Our brand-new beta client now supports 2FA with U2F (eg YubiKey) as this is the most secure option and TOTP. More options will follow so let us know which you prefer! :) Please access the new client here: https://mail.tutanota.com/

You can find more details about our new client on our blog: https://tutanota.com/blog/posts/secure-mail-public-beta-release

You can find more details on 2FA in our FAQ: https://tutanota.uservoice.com/knowledgebase/articles/1201942-how-does-two-factor-authentication-2fa-work-in-t

Do you like the improvements of our brand-new beta client? Feel free to upgrade to Premium (it’s only 1 Euro per month) and support our developers! Thank you. :)

133 comments

Sign in
(thinking…)
Sign in with: facebook google
Signed in as (Sign out)
Submitting...
  • Jay commented  ·   ·  Flag as inappropriate

    Suppose I send an email to someone without a Tutanota email address. Could I require 2-factor authentication for that person to open the email? Agreed to in advance of course.

  • abby commented  ·   ·  Flag as inappropriate

    Definitely a necessity at this time. I thank the whole team for all their hard work

  • Michael Corsa commented  ·   ·  Flag as inappropriate

    If you are still looking for a good two-factor authentication provider, pay attention to Protectimus - https://www.protectimus.com/. They offer a complex 2FA solution - software part and various tokens starting from SMS and free Android/iOS smartphone app to different kinds of hardware OTP tokens. And the prices are relatively low.

  • iddno commented  ·   ·  Flag as inappropriate

    Im just waiting for this so i can swap all my emails over to Tutanota. But it just doesn't feel good/right without 2 step verification.

  • Anonymous commented  ·   ·  Flag as inappropriate

    I agree that two-factor is an absolute necessity, especially for one's main email account!

    I support Yubikey, and would love to see that implemented.

    Thanks!

  • JD commented  ·   ·  Flag as inappropriate

    I also agree with ANN. on everything she stated below . . .

    But the most important is her first statement / request....
    1. Tutanota MUST (please) permit the option of a username that is NOT part or all of the users's email address[es]!!!

    I do believe that the EASIEST way for a email provider to allow hackers guess login info is to only allow users to use their email address as username login.

    That is the number ONE (1) most INSECURE requirement on the entire internet.

    If you allowed users to be able to use any username they can use and the GRAND ability to change that at will, whenever, that would be a super great 2 factor login situation to begin with.

    Example....
    username= 9o2$1@@0o^o^
    Password = 8((20ok5*&!

    WOW, figure that our govment! LOL!

    And all copied and pasted with user using a VPN over a HTTPS.

    HooRa gang!

    Than maybe the rest of the email providers can play "Catch UP!" GRIN!

  • JD commented  ·   ·  Flag as inappropriate

    Hey thanks for voting for this option....

    It is easy for the client user to log in to a double factor login with Keepass. User copies and pastes username and password into correct boxes in Keepass.
    And save the login URL in corrosponding URL box.
    Than I place the 2nd pass phrase into the "Notes" box as first entry.

    Click the URL to open page in new tab.
    Right Click on Main Entry again the to. . . Preform Auto Type
    Than highlight and copy from first entry in Notes, and past into 2nd factor login box.

    No keystrokes on the internet and besides I'm running Keyscrambler free, but with my long complicated passwords. and pass phrases I don't do typing. LOL!

    That works on Android with bfolders apk. I have not tried Keepass4droid yet, but soon.

    Even tho I use a LARGE font settings in Firefox and Chrome the font is to small for typing large pass phrases etc.

  • Trader commented  ·   ·  Flag as inappropriate

    Please support Duo Security as two factor authentication with Duo Push. It's much more convenient to just approve / reject login requests directly from the app instead of retype some code into the login window.

  • Ann commented  ·   ·  Flag as inappropriate

    I care more about tutanota FIRST ensuring that we can properly "lock the doors" before (instead of) needing "armed gusrds" for doors not fully locked in the first place.

    This means:

    1. Tutanota MUST (please) permit the option of a username that is NOT part or all of the users's email address[es]!!!

    2. Security-conscious users will (a) use a secret username--not their email; and (b) a strong password.

    That's a lot of security. It's shamefully dangerous for any app or site to require users to abandon part of their security by requiring email addresses (or any public username) as username login.

  • phillip commented  ·   ·  Flag as inappropriate

    I would like to see an option for Yubikey, but I think TOTP should be available too as I frequently access my email from my tablet that doesn't have NFC.

  • SwissTengu commented  ·   ·  Flag as inappropriate

    In fact, a bunch of different, optional (and additional) solutions might be interesting.
    For exampe, LastPass allows to use many solutions, from SMS to yubikey, via GAuth app and so on, and we might addition (well, I didn't test this point, but nothing seems to be against that).
    Of course, using multiple second factor might be bad, BUT, imagine:

    you're under pressure, someone nasty wants access to your account. In case you're coerced to enter your account, you might play with multiple factors: using GAuth first, then SMS, might lead to your normal account; But using SMS then GAuth, you might get some dummy account, with non-sensitive content — this rejoins another proposal in here, using a "good" password and a "dummy" one, with some "vault" notions.

    Of course, this way is more complicated. It involves a lot of dev and, for end-users, a lot of headache if they don't really understand what they are doing.

    Point is: allowing multiple way to do a 2-steps auth is the right way to do that. We see people wanting Yubikey, GAuth, and so on. Binding them to "only" one solution will make some go away, or prevent users to create accounts "because they don't like the second step solution". Which is a bad motive for not using tutanota service ;).

    Side note for anti-GAuth: why? It's offline, and the protocol is opensource, you might even use some Linux software in order to generate the token, based on the private key (which is a simple string).
    True the GAuth app requires Network, but, for using it for months now and locking it out of the network, I can assure you it's working perfectly without any Network access ;). Even the app is opensource and available on f-droid.

    As long as Tutanota doesn't implement *Facebook login" or "Twitter login", we're pretty safe ;).

Feedback and Knowledge Base