Can I enable two-factor authentication (2FA or MFA) for webmail?

Our webmail pages support two-factor authentication (aka “2FA”, “multi-factor authentication” or “MFA”).

(This is separate from two-factor authentication for our “My Account” control panel.)

If you enable two-factor authentication in webmail for an email address, anyone logging in will need to provide both the email password and an authentication code from their phone or other device. This helps keep your account secure even if someone steals your password — they can’t use webmail unless they also have access to the code.

On this page:

Limitations

One thing to keep in mind is that enabling two-factor authentication for webmail only affects webmail. It doesn’t affect POP3 or IMAP connections from mail programs like Outlook, because those protocols don’t support two-factor authentication.

Using two-factor authentication can still make your email more secure, though, because it blocks some types of attacks, including common automated attacks. Some “cyber insurance” companies require that you use two-factor authentication for webmail, even if you don’t use it for POP3 or IMAP connections.

Ultimately, though, a determined attacker with your email password could probably figure out how to use the password with another protocol when they’re blocked from webmail. Because of that, you should still use strong, unique passwords for your email address, even if you also use two-factor authentication.

We should also mention that two-factor authentication only works in our current webmail system, and not in the obsolete older system. If you enable it in the current system, you won’t be able to login to the older system at all: it will simply redirect you to the newer system.

Getting an app

To set up two-factor authentication, you’ll need to use an app on your phone or device that can generate the codes, which change every 30 seconds. You can use almost any time-based (“TOTP”) authenticator app, including these free apps:

Most other “authenticator” apps work, too, including the built-in macOS and iOS password manager in iOS 15 or later and macOS 12 or later.

Setting up two-factor authentication for webmail

To set up two-factor authentication, make sure you’re using an app that supports it, then:

  1. Login to the webmail pages using a desktop computer
  2. Click Settings in the top-right
  3. Click Two Factor Verification in the left column
  4. Click Enable, then enter your email password
  5. Click Set up

This page will walk you through the setup process. You’ll see a special “QR code” on the screen that you can scan using your authenticator app. It will also verify that your device is showing the correct time-based codes.

After setting it up, you’ll be prompted to enter the code from your device each time you login using webmail.

What if I lose my device and can’t access the codes?

If this happens, the administrator of the overall account with us will need to contact us and ask us to remove two-factor authentication for the email address. We’ll verify the identity of the administrator and reset it for you.

Disabling two-factor authentication

If you’ve previously enabled two-factor authentication for your account, and you want to disable it:

  1. Login to the webmail pages using a desktop computer
  2. Click Settings in the top-right
  3. Click Two Factor Verification in the left column
  4. Click Configure
  5. Click Turn off

Can you send me the authentication code by SMS text message?

We don’t support two-factor authentication using SMS text messages because it’s not secure. You do have to use an app.