With this release you can store your login credentials in the Tutanota app and protect them with the operating system's keychain. This lets you unlock the Tutanota app with a PIN, pattern or biometrics such as fingerprint or Face ID.
To opt in to this new feature, store your login credentials in the Tutanota app, then go to Settings -> Login -> Credentials encryption mode.
As always when we talk about passwords: please make sure to write down your password and recovery code somewhere safe, so that you never lose access to your Tutanota account!
When designing this feature, we focused on storing your login credentials in the most secure way the platform allows. As Tutanota is the most secure email service, we have to keep this promise at every layer.
We use the operating system's built-in security mechanisms to encrypt the login token that the server issues to authenticate you.
Once PIN / biometric unlock is activated, nobody who gets hold of your phone can open your Tutanota mailbox, even if they find the phone unlocked: they would still have to provide the PIN, pattern or biometrics (fingerprint, Face ID) before the app releases your stored credentials.
Using the built-in mechanisms also lets us take advantage of the hardware-backed key storage in your device, such as the Secure Enclave in iPhones.
We have not developed our own PIN-based encryption system for credentials because it would provide no real benefit over the OS's security APIs. This means that to unlock the Tutanota app you use the same method you use to unlock your phone itself (PIN, pattern, fingerprint, Face ID, etc.).
Adding fingerprint / PIN unlock to the apps is also a precondition for our planned offline mode release. In particular, it improves security with offline mode, since it adds an additional layer of encryption for credentials. Of course, your password has always been stored encrypted on the device, and you were (and still are) able to remove an active login via session handling in Settings.
We support three security levels for different preferences. The highest level (biometrics only) on Android 11 and 12 ensures that the key cannot be extracted even while the device is on and unlocked, because the decryption is done in hardware and every use of the key is gated by your biometric data. This means that only you, with the correct biometric data, can decrypt your password.
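To make the Android side of this concrete, here is an added example of how a server-issued login token can be bound to a hardware-backed, biometric-gated key with the Android Keystore and androidx BiometricPrompt. This is illustration code written for this article, not Tutanota's own implementation; the key alias, the CredentialVault class, the prompt strings and the callback shapes are assumptions, and it assumes Android 11+ (API 30, where per-operation strong-biometric authentication became available) and the androidx.biometric library.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import android.security.keystore.StrongBoxUnavailableException
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricPrompt
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import java.util.concurrent.Executor
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Assumed names for illustration only (not Tutanota's real alias or class names).
private const val KEY_ALIAS = "example.login.token"
private const val KEYSTORE = "AndroidKeyStore"
private const val TRANSFORM = "AES/GCM/NoPadding"

/** Load, or generate, a non-exportable AES-256 key that can only be used right after a strong biometric. */
fun getOrCreateBiometricKey(): SecretKey {
    val ks = KeyStore.getInstance(KEYSTORE).apply { load(null) }
    (ks.getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }

    fun spec(strongBox: Boolean) = KeyGenParameterSpec.Builder(
        KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
    )
        .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
        .setKeySize(256)
        // Every use of the key needs a user authentication ...
        .setUserAuthenticationRequired(true)
        // ... and on Android 11+ (API 30) we can demand a class-3 ("strong") biometric per operation
        // (timeout 0), so the cipher has to be unlocked through BiometricPrompt.CryptoObject below.
        .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
        // Enrolling a new fingerprint/face permanently invalidates the key: a thief cannot add
        // their own biometric to the device and then read the stored token.
        .setInvalidatedByBiometricEnrollment(true)
        .setIsStrongBoxBacked(strongBox)
        .build()

    val kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE)
    return try {
        kg.init(spec(strongBox = true))   // prefer a discrete secure element ...
        kg.generateKey()
    } catch (e: StrongBoxUnavailableException) {
        kg.init(spec(strongBox = false))  // ... fall back to the TEE-backed keystore
        kg.generateKey()
    }
}

/** Seals the server-issued login token with the biometric-gated key and unseals it again. */
class CredentialVault(private val activity: FragmentActivity, private val executor: Executor) {
    class Sealed(val iv: ByteArray, val ciphertext: ByteArray)

    fun seal(token: ByteArray, onDone: (Sealed) -> Unit) {
        val cipher = Cipher.getInstance(TRANSFORM)
        cipher.init(Cipher.ENCRYPT_MODE, getOrCreateBiometricKey())
        authenticate(cipher) { c -> onDone(Sealed(c.iv, c.doFinal(token))) }
    }

    /** Calls onNeedRelogin when the key was invalidated (a new biometric was enrolled): the user
     *  must log in with password (and second factor) again, which is why the recovery code matters. */
    fun unseal(sealed: Sealed, onDone: (ByteArray) -> Unit, onNeedRelogin: () -> Unit) {
        val cipher = Cipher.getInstance(TRANSFORM)
        try {
            cipher.init(Cipher.DECRYPT_MODE, getOrCreateBiometricKey(), GCMParameterSpec(128, sealed.iv))
        } catch (e: KeyPermanentlyInvalidatedException) {
            KeyStore.getInstance(KEYSTORE).apply { load(null) }.deleteEntry(KEY_ALIAS)
            onNeedRelogin()
            return
        }
        authenticate(cipher) { c -> onDone(c.doFinal(sealed.ciphertext)) }
    }

    private fun authenticate(cipher: Cipher, onUnlocked: (Cipher) -> Unit) {
        val callback = object : BiometricPrompt.AuthenticationCallback() {
            override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                // Only the cipher handed back by the prompt is authorised to finish the operation.
                onUnlocked(result.cryptoObject!!.cipher!!)
            }
            override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
                // Cancelled or locked out: the token stays sealed; surface errString to the user.
            }
        }
        val info = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Unlock your mailbox")
            .setNegativeButtonText("Cancel")
            // Class-3 biometrics only: no fallback to PIN for this (highest) level.
            .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
            .build()
        BiometricPrompt(activity, executor, callback).authenticate(info, BiometricPrompt.CryptoObject(cipher))
    }
}
```

Only the `Sealed` IV and ciphertext are written to app storage; the AES key itself never leaves the keystore, so copying the app's data directory from an unlocked phone yields nothing usable. A lower security level that also accepts the device PIN or pattern would OR in `KeyProperties.AUTH_DEVICE_CREDENTIAL` in the key spec and `BiometricManager.Authenticators.DEVICE_CREDENTIAL` in the prompt, at the cost of the biometric-only guarantee described above.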
Now that you can securely store your login credentials in the app, we must remind you that it is very important to keep your password and your recovery code in a secure place in case you ever lose your phone or forget your password. Here you will find more details on Tutanota's highly secure password reset feature.
To maximize your login security, we recommend turning on two-factor authentication. With two-factor authentication, someone trying to log in to your account needs your password as well as access to the second factor, which can be an authenticator app or a physical security key.
The most secure option here is a physical security key (U2F) such as a YubiKey or Nitrokey.
Recommended for further reading: Email Security Guide: 3 easy steps to keep your emails safe from hackers.