Tutanota now also supports U2F on desktop clients!

Two-factor authentication is a must for a secure email service to make sure that no one can take over your private email account.

We are happy to announce that U2F support (hardware keys) has just been added to the Tutanota desktop clients for Linux, Windows and Mac OS. Now you can use the most secure option to secure your login credentials also on our open source desktop clients!


Tutanota focuses on security and privacy so we are working hard to add U2F authentication to all clients of Tutanota. The webmail client of Tutanota has supported U2F for a couple of years already, which security professionals consider as the most secure method of two-factor authentication.

Now you can now also secure your encrypted mailbox with U2F on all open source desktop clients of Tutanota.

After this release, we will start working on U2F support for our mobile apps on Android and iOS. We are really excited that we can bring such an important security feature to all Tutanota users!

Desktop clients improving quickly

As you all know, Tutanota does not support IMAP since supporting IMAP would weaken Tutanota’s encryption. As an encrypted email service that promises to always keep your data secure, we simply can not implement a feature that destroys this promise.

Technically, supporting IMAP is only possible if the emails were downloaded to your computer not encrypted. However, at Tutanota we promise that your data is always end-to-end encrypted, also on your own devices! So instead of supporting an insecure feature, we are focusing on improving our open source desktop clients.

In the past year alone, we have:

And what makes us even more excited: We are currently also working on offline mode so that you can access your encrypted Tutanota mailbox even when you do not have access to the internet soon!

Why use the desktop clients?

The desktop clients allow us to integrate deeper into the operating system which enables us to achieve a better user experience. The MAPI support on Windows that gives you the option to “send document as email” directly from within a file is just one example of this.

Our dekstop clients are much advanced as they can

  • Open files
  • Send notifications for new emails and calendar reminders
  • Use the system secret storage
  • Spell check for multiple languages
  • Set Tutanota as default mail handler
  • Check the signature automatically upon client updates for best security
  • Installation policy for business use

While it is not a must, we strongly recommend that you add a second factor to your Tutanota account to protect your mailbox to the maximum. We already protect your mailbox with automatic end-to-end encryption. With two factor authentication, you can add an extra layer of security to your login credentials to prevent your login from being breached.

To make sure that you yourself do not lose access to your Tutanota account, we also recommend that you add two second factors to your encrypted mailbox. This makes sure that you are still able to login to your Tutanota account in case you lose your U2F key or access to the authenticator app.

And, as always: Please write down your recovery code! Once you enable two fator authentication, you need two out of three to reset your password or second factor. Here we explain how to reset your Tutanota account credentials. You will notice, it is only possible if you have your recovery code available.

Comparison of different options for two-factor authentication (2FA)

Security device: U2F (supported)

  • most secure option
  • private key is stored locally on U2F device
  • guarantees protection against man-in-the-middle attacks (MITM) and phishing
  • requires a hardware device
  • no manual entry required

Check out our guide on how to prevent email phishing.

Authenticator app: TOTP (supported)

  • an app generates codes that are only valid for a short period of time (Google Authenticator, Authy, etc.)
  • manual entry required upon every login
  • requires no hardware device
  • does not protect the mobile device login because app on mobile device generates second factor

Authenticator app: HOTP

  • an app generates codes that are valid forever (Google Authenticator, Authy, etc.)
  • codes need to be stored securely
  • manual entry required upon every login
  • requires no hardware device
  • does not protect the mobile device login because app on mobile device generates second factor

SMS code

  • code is sent via SMS
  • manual entry required upon every login
  • least secure as SMS can be easily intercepted
  • requires no hardware device
  • does not protect the mobile device login because SMS on mobile device contains second factor

The latter options - HOTP and SMS code - are not supported in Tutanota as these are not considered secure enough.

Please find details on how to add your second factor here.

Secure your login credentials now! Happy encrypting. 😀


Please also read our email security guide to learn how to best protect your online identity.