Update of your secure mail client: Tutanota adds 2FA support

We recommend U2F as the most secure version of two-factor authentication.

Your secure mail service Tutanota has just become more secure! We are happy to announce that we have enabled two-factor-authentication (2FA) for our encrypted Tutanota beta client. We are now working hard on making the client ready for the public beta release in September.


At Tutanota we are committed to developing the most secure mail service to protect everybody’s universal right to privacy. Our built-in end-to-end encryption makes sure that only you with your password can decrypt your mailbox. And while we already make sure that it is close to impossible to get access to your password via brute-force attacks, particularly if your password is long enough, a minor risk that someone steals your password, e.g. by installing a keylogger on your device, remains. This is where two-factor authentication comes in.

Two-factor authentication immensely increases the security of your account by requiring something you have (e.g. a hardware token) in addition to something you know (e.g. your password) to allow you to login to your secure mail account. Because Tutanota users know how important maximum security is, 2FA-support is also one of the most voted-for features by our community.

Check our password security guide to learn more about how to secure your online accounts and our tips on maximizing your login security.

Secure emails are now protected with 2FA

Our developers and cryptography professionals have carefully reviewed and tested lots of methods for two-factor authentication. The most secure option for 2FA is U2F, which the Tutanota beta client now supports (see comparison below). It is also the most convenient one as you can simply plugin the U2F device to login to your account without the necessity of entering codes manually.

U2F is an open authentication standard that strengthens and simplifies two-factor authentication using specialized USB or NFC devices.

The private key that allows access to your account is stored locally on this device. When you plugin the 2FA-device, the authentication request is sent to the server that allows you to login to your account.

Chrome and Opera are currently the only browsers supporting U2F natively. Mozilla is integrating U2F support into one of the next versions of Firefox.

Even though, we and the security community, consider U2F as the most secure option, support for other options (TOTP) is also planned.

Comparison of different options for 2FA

  • most secure option
  • private key is stored locally on U2F device
  • guarantees protection against man-in-the-middle attacks (MITM) and phishing
  • requires a hardware device (Yubico app will work as software token in the future)
  • only works in Chrome & Opera, upcoming support for Firefox & Edge
  • no manual entry required

Read also our guide on how to prevent email phishing attacks.

Authenticator app: TOTP (supported)

  • an app generates codes that are only valid for a short period of time (Google Authenticator, Authy, etc.)
  • manual entry required upon every login
  • requires no hardware device
  • does not protect the mobile device login because app on mobile device generates second factor

Authenticator app: HOTP

  • an app generates codes that are valid forever (Google Authenticator, Authy, etc.)
  • codes need to be stored securely
  • manual entry required upon every login
  • requires no hardware device
  • does not protect the mobile device login because app on mobile device generates second factor

SMS code (not supported because not secure enough)

  • code is sent via SMS
  • manual entry required upon every login
  • least secure as SMS can be easily intercepted
  • requires no hardware device
  • does not protect the mobile device login because SMS on mobile device contains second factor

U2F already in use in-house

The authentication system of our secure Tutanota beta client now supports the FIDO Universal 2nd Factor (U2F) standard - the most secure form of 2FA recommended by cryptography professionals and the security community worldwide.

U2F is built to protect against phishing and man-in-the-middle attacks, allowing one U2F device to access any number of services without any shared secrets. In order to take advantage of the security improvements provided by U2F, you will need to buy a hardware key. Any key supporting the U2F standard should work with Tutanota.

At Tutanota we protect our encrypted mail accounts now with a U2F compatible Nitrokey or YubiKey. Right now we are in the final stages of testing our new authentication process as well as many more features in our brand-new beta client. We are excited that we will be able to release our new client as public beta to all our users in September.

If you are already a private beta tester and would like to add 2FA to your mail account, please find details here.

If you have missed the private beta invite that we have sent via our social media channels, simply follow us on Twitter, Facebook, Instagram, Google+ and Reddit. Next time we send out invites, you will be able to take part in this exciting development stage.

Session handling: Extra security added to the private beta client

With this release we have also added session handling. You can now check in Settings of your secure mailbox what devices (e.g. computer, phone) are running an active session of Tutanota. With this new feature you can close a session remotely. If, for instance, you lose your mobile phone and you are logged into your Tutanota mailbox with our apps, you can then login on any computer and close the session on your phone remotely. This way no one will be able to see your mailbox, even if they manage to unlock your phone.

Let’s reclaim our privacy together

Tutanota is a project to reclaim our right to privacy online. A project to protect our private communication from mass surveillance and illegal wiretapping. The support of our constantly growing user base is incredible and enables us to develop the most secure email service.

We are an independent and small team that fights for privacy and freedom. Tutanota is a big job because we are building the Internet of the future - where everything is encrypted by default.