Tutanota now supports 2FA with TOTP and U2F.

Two-factor authentication is a must for a secure email service to make sure that no one can take over your private email account. Tutanota now supports authentication apps and hardware tokens for 2FA to protect your encrypted mailbox.

We are happy to announce that TOTP has just been added as an option for two-factor authentication to the beta client of your secure email service Tutanota! This release comes shortly after the option of using two-factor authentication (2FA) with a security device (U2F). As our developers are heading for the public beta release of our brand-new client this month, we are noticeably speeding up our development.


TOTP allows users to use an authenticator app such as Google Authenticator or Authy for generating codes. In addition to your password, these codes are used as the second factor to login to your Tutanota account. With TOTP the codes are only valid for a short period of time so you can’t run into issues in case you lost the codes.

Please be aware that when using TOTP as a second factor, your login on a mobile device is not truly 2FA-protected if the authenticator app runs on the same mobile phone. The encrypted Tutanota beta client already supports U2F, which security professionals consider as the most secure method of two-factor authentication.

Add 2FA to keep your mail secure

While it is not a must, we strongly recommend that you add a second factor to your Tutanota account to protect your mails to the maximum. We already protect your mailbox with automatic end-to-end encryption. Once our brand-new beta client is published in a few weeks, you can add an extra layer of security to your login credentials to prevent your password from being stolen.

To make sure that you yourself do not lose access to your Tutanota account, we also recommend that you add two second factors to your encrypted mailbox. This makes sure that you are still able to login to your Tutanota account in case you lose your U2F device or access to the authenticator app.

Comparison of different options for two-factor authentication (2FA)

Security device: U2F (supported)

  • most secure option
  • private key is stored locally on U2F device
  • guarantees protection against man-in-the-middle attacks (MITM) and phishing
  • requires a hardware device (Yubico app will work as software token in the future)
  • only works in Chrome & Opera, upcoming support for Firefox & Edge
  • no manual entry required

Read also our guide on how to prevent email phishing.

Authenticator app: TOTP (supported)

  • an app generates codes that are only valid for a short period of time (Google Authenticator, Authy, etc.)
  • manual entry required upon every login
  • requires no hardware device
  • does not protect the mobile device login because app on mobile device generates second factor

Authenticator app: HOTP

  • an app generates codes that are valid forever (Google Authenticator, Authy, etc.)
  • codes need to be stored securely
  • manual entry required upon every login
  • requires no hardware device
  • does not protect the mobile device login because app on mobile device generates second factor

SMS code

  • code is sent via SMS
  • manual entry required upon every login
  • least secure as SMS can be easily intercepted
  • requires no hardware device
  • does not protect the mobile device login because SMS on mobile device contains second factor

Only two weeks ago, we have added two-factor authentication with a U2F device to the Tutanota beta client. Read more on this release here.

If you are already a private beta tester and would like to add 2FA to your mail account, please find details here.

If you have missed the private beta invite that we have sent via our social media channels, simply follow us on Twitter, Facebook, Instagram, Google+ and Reddit. Next time we send out invites, you will be able to take part in this exciting development stage.