EmailDiscussions.com


lpn 23 Aug 2014 04:43 PM

Two factor authentication list
 
The two factor authentication list twofactorauth.org has an email section that lists some of the commonly used email providers.

If some of your email providers are not listed, submit a pull request on their github repository to be included in the list.

If some of them don't support 2FA, click on the provided link corresponding to the providers in question (as I did for gmx.com) to post a tweet asking them to implement it.

usf 23 Aug 2014 11:11 PM

Thanks, nice info.

mark73 24 Aug 2014 12:53 AM

I am skeptical about 2FA for email services such as IMAP, POP and SMTP protocols.

lpn 24 Aug 2014 02:07 AM

Quote:

Originally Posted by mark73 (Post 575310)
I am skeptical about 2FA for email services such as IMAP, POP and SMTP protocols.

The main point of 2FA, at least for me, is the ability to prevent changes of important account settings, e.g. the main password, or as an account recovery option. You are right, though -- 2FA doesn't work easily or reliably with these protocols; one may need separate passwords if the provider supports this.

lpn 11 Sep 2014 04:34 AM

No love for 2FA, this is strange.

17pm 11 Sep 2014 04:41 AM

There's definitely love for two factor authentication.

Sadly my e-mail provider doesn't support it.. I'll stick with them for 1 more year, if they don't support it until then, I'll need to look for alternatives, which there aren't many, sadly.

2FA is an absolute must in today's internet.

webecedarian 11 Sep 2014 06:23 AM

I'm getting to the point of being skeptical about anything requiring more identification. Reminds me of the contemptible way Outlook is trying to collect more information.

beeboy 11 Sep 2014 11:17 AM

It all depends on what your needs are. I, absolutely, need 2FA on my business email account.

I would not pay for a service that did not offer it.

B4its2L8 28 Oct 2014 04:48 AM

You could check out the link provided by the OP in this thread. In the page linked to, scroll down to the section on "email." That may be the most up-to-date list? :confused:

17pm 28 Oct 2014 05:07 AM

I'm looking to change e-mail provider and I absolutely require 2FA.

Sadly, 2FA is still something very rare, which I find really weird ://

If anyone knows about email providers that support 2FA and that are not presented in OP's link, please let me know!

ReuvenNY 28 Oct 2014 05:07 AM

Moderator's comment
 
The two threads in question are now merged.

pjwalsh 29 Oct 2014 02:22 AM

Hardware 2FA
 
There are hardware 2FA options available for FastMail, mailbox.org, and now Google accounts. These are a durable, no-battery, physical USB key, which generates a unique one-time passcode* as the second factor authenticating you to your account. You register your key with the service in question. They fit nicely on a keyring and are more secure than verification codes, and don't require a cell phone and wireless signal.

The computer sees the USB key as an HID device, like a keyboard, so they can be used at any computer with a USB port. After you enter your base password in the browser you just touch the gold circle on the inserted USB key, the unique OTP is generated and transmitted, you are authenticated and logged in.

The Yubico YubiKey can be used with FastMail and mailbox.org. YubiKeys are $25 USD, available through Yubico and on Amazon**. Mailbox.org issues their own YubiKey for $35 euro.

The new FIDO U2F Universal Second Factor protocol, implemented on a U2F Security Key, can now be used for Google accounts with the Chrome browser. This is a very recent development, announced October 21 on the Google security blog. Chrome 38+ is required. The Yubico FIDO U2F Security Key is available on Amazon and Yubico for $18 USD, and user comments are very positive. FIDO U2F authentication is destined to become widely adopted. One U2F Security Key can be used for multiple accounts (distinct key pairs).

The YubiKey can be used with LastPass, KeePass and other password managers. It can be used with any modern browser. With the YubiKey there are two 'slots' you can use, one for the dynamic OTP function, the second slot can be configured for a long static password, OATH, or Challenge-Response.

For detail see Yubico's pages on the YubiKey, the U2F Security Key, and the YubiKey VIP (can also authenticate to PayPal and eBay).

I've used a YubiKey with FastMail and Clavid for over 3 years. It's tough, compact, convenient, and has been flawless in operation.

A couple differences between the two implementations. The U2F Security Key will not transmit (prompt) before it has verified you are on a legitimate, registered site. And with the YubiKey, you first set up a YubiKey-specific alternative password on your FastMail account, that is the base password you enter in the browser before the OTP is triggered. With Google's U2F you are using your regular Google account password in the browser.

--
FastMail 2FA options (YubiKey and Google Authenticator), and SMS OTP
Google U2F Security Key support

* FIDO U2F uses public key cryptography

** YubiKey and U2F Security Key available on Amazon US, CA, UK, ES, IT, DE, FR. Quick links at Yubico.
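The difference pjwalsh describes above (the U2F key answers only for a registered site, and keeps a distinct key pair per account) can be modelled as follows. This is an added example, not part of the thread and not Yubico's or Google's code: it is a simplified model (real U2F also signs a counter and a user-presence flag and uses key handles), and the origins and the `Token`, `Register` and `Login` names are made up for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Token is a simplified U2F key model: one P-256 key pair per site origin.
type Token struct{ keys map[string]*ecdsa.PrivateKey }

func NewToken() *Token { return &Token{keys: map[string]*ecdsa.PrivateKey{}} }

// Register creates a key pair bound to origin; the site stores only the public half.
func (t *Token) Register(origin string) *ecdsa.PublicKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	t.keys[origin] = k
	return &k.PublicKey
}

// digest binds a challenge to an origin; both are hashed to fixed length first.
func digest(origin string, challenge []byte) []byte {
	o, c := sha256.Sum256([]byte(origin)), sha256.Sum256(challenge)
	d := sha256.Sum256(append(o[:], c[:]...))
	return d[:]
}

// Login runs one challenge-response. visited is the origin the browser reports
// for the page the user is really on; the page itself cannot choose it.
func Login(t *Token, siteKey *ecdsa.PublicKey, siteOrigin, visited string) bool {
	challenge := make([]byte, 32)
	k, registered := t.keys[visited]
	if _, err := rand.Read(challenge); err != nil || !registered {
		return false // no key for the visited origin: nothing is signed
	}
	sig, err := ecdsa.SignASN1(rand.Reader, k, digest(visited, challenge))
	return err == nil && ecdsa.VerifyASN1(siteKey, digest(siteOrigin, challenge), sig)
}

func main() {
	t, site := NewToken(), "https://mail.example"
	pub := t.Register(site)
	fmt.Println(Login(t, pub, site, site), Login(t, pub, site, "https://mail-example.test"))
}
```

A typed or keyboard-emulated OTP has no such binding: whatever page receives the code can forward it, which is why the origin check is the practical difference between the two kinds of key.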

17pm 29 Oct 2014 04:14 AM

CounterMail (https://countermail.com/) seems to be a good e-mail provider that supports 2FA. Sadly, they're crazy expensive for me!!!

I can't find a good (and not crazy expensive) e-mail provider!

pjwalsh 29 Oct 2014 06:00 AM

Quote:

Originally Posted by 17pm (Post 577631)
I can't find a good (and not crazy expensive) e-mail provider!

20 bucks a year is crazy expensive?

kangas 29 Oct 2014 08:06 AM

LuxSci also supports 2FA for its web interface. You can use any of these options:

1. token sent to you via text

2. token sent to an external email address

3. DueSecure.com integration (their accounts are free up to 10 users) which provides a wide array of options from phone apps to calls to hardware tokens.... including options for administrators if their users get locked out and reporting.


Quote:

Originally Posted by 17pm (Post 577579)
Hello,

I'm looking for e-mail providers that support two-factor-authentication.

FastMail seems to be the only premium provider that supports 2FA?


EDIT: Forgot about RiseUp, Hushmail and Mailbox.org.. Not really interested in any of those though ://


17pm 29 Oct 2014 02:34 PM

Quote:

Originally Posted by pjwalsh (Post 577641)
20 bucks a year is crazy expensive?

Fastmail is winning in the race to become my next e-mail provider. Sadly, they're Australia based with servers in the US. That's horrible, especially considering Australia's new terror law. Their support also doesn't seem to be very good.

Jack 30 Nov 2014 04:31 AM

Quote:

Originally Posted by lpn (Post 575304)
The two factor authentication list twofactorauth.org has an email section that lists some of the commonly used email providers.

If some of your email providers are not listed, submit a pull request on their github repository to be included in the list.

If some of them don't support 2FA, click on the provided link corresponding to the providers in question (as I did for gmx.com) to post a tweet asking them to implement it.

Just FYI, that web site appears to be down. I've tried three times over the past week to access it with no luck.

17pm 30 Nov 2014 06:44 PM

Quote:

Originally Posted by Jack (Post 578984)
Just FYI, that web site appears to be down. I've tried three times over the past week to access it with no luck.

The website is working for me..

EDIT:

Someone should submit a "Pull Request" on their GitHub page and add posteo.de and mailbox.org.

I've no idea how to do it..

Dutchie007 21 Aug 2016 06:08 PM

mail.de is also supporting U2F...! Now there is a special program if you sign up via emailtester.de.

They give you an initial storage of 10 gigs... and it gets larger if you need it. All for free. And NO ads in the web interface :-)

Only thing could be that they only accept clients from Germany..! (sadly) They want an address AND a cellphone number, like most German mail providers.

You can try signing up from another country but I don't know if that works.

Dutchie.

Tsunami 1 Sep 2016 08:46 AM

I realise I'm behind here and how odd this question will be like, but ... 2FA means that to access an account (be it a webmail account or other internet service) you have to enter your username, password AND an ever-rotating code sent through SMS ; is that correct?

kangas 1 Sep 2016 09:02 AM

Quote:

Originally Posted by Tsunami (Post 596816)
I realise I'm behind here and how odd this question will be like, but ... 2FA means that to access an account (be it a webmail account or other internet service) you have to enter your username, password AND an ever-rotating code sent through SMS ; is that correct?

Hi. Two factor authentication means that there are 2 pieces of information used to verify your identity. It really doesn't matter what those two things actually are. It is common for them to be a password and an SMS token, but in truth, you can just pick any 2 things from the following (definitely not exhaustive) list:

* password
* SMS Token
* A token pushed to an authorized application on your phone
* Touching "yes" or "i approve" on a special application on your phone.
* A Token emailed to a separate email address
* A rotating number read off of a hardware fob (e.g. an RSA hardware token)
* A client-side TLS certificate
* A fingerprint reader
* An iris scanner
* A second, unrelated password
* etc.

It is generally thought that a good 2FA scheme uses something you know (e.g. your password) together with something you have (e.g. your phone) so that it is harder to compromise.

It is important to note that the security of SMS-based tokens is not that great against a determined attacker:

https://www.wired.com/2016/06/hey-st...uthentication/

https://luxsci.com/blog/sms-is-broke...text-ephi.html

Tsunami 3 Sep 2016 10:12 AM

Quote:

Originally Posted by kangas (Post 596820)
Hi. Two factor authentication means that there are 2 pieces of information used to verify your identity. It really doesn't matter what those two things actually are. It is common for them to be a password and an SMS token, but in truth, you can just pick any 2 things from the following (definitely not exhaustive) list:

* password
* SMS Token
* A token pushed to an authorized application on your phone
* Touching "yes" or "i approve" on a special application on your phone.
* A Token emailed to a separate email address
* A rotating number read off of a hardware fob (e.g. an RSA hardware token)
* A client-side TLS certificate
* A fingerprint reader
* An iris scanner
* A second, unrelated password
* etc.

It is generally thought that a good 2FA scheme uses something you know (e.g. your password) together with something you have (e.g. your phone) so that it is harder to compromise.

It is important to note that the security of SMS-based tokens is not that great against a determined attacker:

https://www.wired.com/2016/06/hey-st...uthentication/

https://luxsci.com/blog/sms-is-broke...text-ephi.html

A fingerprint scanner :eek: Is there any email service that would offer that option ?


Anyways, I think SMS as an extra on top of the password isn't bad, most people wouldn't even be aware of 2FA's existence, let alone use it. So any added authentication factor seems like a good security measurement, realising that the average internet user probably doesn't even use 2FA.


All times are GMT +9.