Multi-factor authentication is not a luxury anymore, it's a basic necessity for any service that truly puts a high value on privacy.
Our brand-new beta client now supports 2FA with U2F (e.g. YubiKey), as this is the most secure option, and TOTP. More options will follow so let us know which you prefer! :) Please access the new client here: https://mail.tutanota.com/
You can find more details about our new client on our blog: https://tutanota.com/blog/posts/secure-mail-public-beta-release
You can find more details on 2FA in our FAQ: https://tutanota.uservoice.com/knowledgebase/articles/1201942-how-does-two-factor-authentication-2fa-work-in-t
Do you like the improvements of our brand-new beta client? Feel free to upgrade to Premium (it’s only 1 Euro per month) and support our developers! Thank you. :)
Ok, yes, it may also simply add to the security appeal of tutanota to implement this. So it would be great if you could implement support for FIDO U2F. Looks like it's going to be supported by Windows 10, which may well raise awareness and demand for this. See for example https://www.yubico.com/applications/fido/ -- well, depending on the model, the yubikey covers considerably more options (OTP, OpenPGP), so the more expensive models probably don't address the same target group as your current product. But the simple basic FIDO U2F yubikey is quite affordable.
David W DeWitt Sr commented
Maybe I am way off base. Yet if Tutanota is as good as I suspect it is, why would one need 2-step authenticity with end-to-end encryption? And they are serious about their customers' privacy, as I am told. One shouldn't need the 2nd step. Personally, I am more worried about the more serious problem, and that isn't a hacker. It's more of the corrupt governments getting in to steal info for their control of mankind, for their New World Order.
Any Google-Type (FreeOTP Authenticator in my case) would be one option. Yubikey would be the next step ahead.
In principle, I think two factor authentication is an excellent idea.
In practice, I think using a smartphone app for two factor authentication is such a bad idea, I have to slap my head every time I see this becoming the preferred method for banks, email, etc.
A smartphone, that one carries everywhere, is the most likely thing one could lose or have stolen. This can readily put into the hands of a thief both your username and the very device they need to employ your two factor authentication. The thief will have a device on which they have both the app identifying your email provider or bank account and the secondary authentication app. That's really not two factor authentication. It's one device, in the hands of one thief, it's one factor. There's a reason the secondary means of authentication needs to be a physically different device.
In addition, the security on smartphones is not good. The firmware on iOS and Android is closed source and probably contains deliberate backdoors. Other "flaws" that allow backdoors on both OSes have been discovered in the recent past and the NSA is known to have developed an exploit for an iOS backdoor. From both state agencies and sophisticated criminal attackers, the potential to sniff information in two factor apps on smartphones is non-trivial. And if your device is compromised, then the attacker will be able to sniff both your username/password and the secondary authentication code, making the latter pointless.
Yes, smartphone apps are a super convenient way to do this. They are also a super insecure way to do this. Of course, this also means that using the Tutanota apps to check your email (rather than on a computer browser) comes with a security compromise.
I like something like the Yubikey, although it is obviously not the most convenient solution and to be worthwhile, you probably should not use the Tutanota smartphone apps and only use Tutanota on a computer.
Yuri Ramos commented
Using google authenticator would be enough and it doesn't require your cellphone number.
An optional two-step authentication would be great, I think.
YubiKey support! Now with the FIDO alliance this is so easy and will get all the YubiKey users to use Tutanota.
Make it optional, of course. One of the main reasons I ran from Google, Yahoo and others was the extortion of my cell phone number. Now my Yahoo address is blocked until I give them my number "for my own safety". I'll pass, thanks. Assholes. That's how I found Tutanota.
I'm good with Authy or Google Authenticator.
Integration with Authy would be exceptionally nice.
"As long as it doesn't require any identifiable information such as cell phone number."
I'm not in disagreement. As long as it doesn't require any identifiable information such as cell phone number.
Use of an authenticator app would be ideal.