When it comes to sensitive and private data, password protection is an important protection but it’s not enough. Emails often contain important information and communications that you need to keep private. Activating two-factor authentication on your webmail accounts can help you improve the protection of that important, private communication, letting you rest a bit easier at night.
Here’s how you can activate this important security feature on your Gandi webmail account.
Before you start …
First, you’ll need to make sure you’ve downloaded an authenticator app. This is an app—usually installed on your smartphone—that stores the “key” and uses it to generate the timed code used for 2FA.
One of the most common of these is Google Authenticator. If you have a Yubikey, you can also use Yubico Authenticator.
Step one: Set up two-factor authentication in your webmail
Gandi offers two webmail services: Roundcube and SOGo. Two-factor authentication is available on both, so you can set it up on one or both.
If you set it up on both accounts, you will have different “keys” for each. You won’t be able to log in to your Roundcube webmail using the timed code generated for your SOGo account or vice versa.
Setting up two-factor authentication in SOGo
Log in to your SOGo account using the email address you want to set up two-factor authentication on and password.
Once you’ve logged in, click on the gear icon next to your email address in the upper left to access the settings menu.
Then check the box that says “Enable two-factor authentication using Google Authenticator” (N.B. While Google Authenticator is a recommended option, you are not obligated to use it for this service).
Once you’ve check this box, you’ll see a QR code appear on the screen. Open your authenticator app and use it to scan the QR code.
When the authenticator app captures it, it will show a six-digit code that resets every 30 seconds that’s labeled “SOGo (firstname.lastname@example.org).”
Click the floppy disk icon in the upper right corner of the page to save your account settings.
Setting up two-factor authentication in Roundcube
To set up two-factor authentication on Roundcube, start by logging in to your Roundcube account with the email address you want to secure and the corresponding password.
Once you’ve logged in, click “Settings” in the upper right corner of the screen.
Then, on the next page, click “2-factor authentication” on the left side of the screen.
In order to set up 2-factor authentication, you’ll need to click “Fill all fields (make sure you click save to store all your settings)“.
Once you do, a QR code will appear on the screen, which you should then scan with your authenticator app.
When the authenticator app captures it, it will show a six-digit code that resets every 30 seconds.
Enter the code into the “Check code” box and if the code is okay, click “Save.”
Step two: Log in to the Gandi Webmail Settings page
The Gandi Webmail Settings page is a new page to help you secure your webmail accounts. To properly set up two-factor authentication on your Gandi webmail accounts, you’ll need to make sure to set up account recovery.
This page gives you information and settings related to the security of your webmail accounts. Log in to the Gandi Webmail Settings page using your email address and password and the two-factor authentication you just set up.
Step three: Set up your account recovery on the Gandi Webmail Settings page
Once two-factor authentication is set up on your email account, you’ll have to use your authenticator app to log in to your email account. If you lose access to your authenticator app, for example if you lose your phone, you won’t be able to log in to your webmail account except through an email sent to a specific email address that you specify beforehand or by entering recovery codes you can download.
You can find the account recovery options on the Gandi Webmail Settings page.
Go back to the Gandi Webmail Settings page with the email address you’re securing and scroll down to “Account recovery methods.”
There are two recovery methods. You can set up a recovery email or download recovery codes. You can also use both.
Setting up a recovery email address
To set up a recovery email address, just add your email address in the corresponding box and click “Save.”
You should be sure to use an email address you’ll be sure to have access to in case you lose the device with your authenticator app on it. So for example if your authenticator app is on your phone, make sure you use an email address you’ll have access to even if you lose or break your phone.
When you save your recovery address, our system will send you an email with a link to confirm. Click this link to complete setting up your recovery email address.
With a recovery email address set up, if you lose your two-factor authentication device (your phone, for example), you’ll be able to gain access to your webmail account via an email sent to your recovery email address.
Record your recovery codes
Another way to regain access to your webmail account in case you lose access to your authenticator app is by entering recovery codes.
Generate your codes by clicking “Generate recovery codes.” You shouldn’t store these codes just anywhere, though. Be sure you keep them in a secure location, like in a password manager.
To generate your codes click “Generate recovery codes.”
You should be sure to store your codes carefully. You don’t want anyone with access to your computer to be able to see them.
On the other hand, they’ll need to be accessible in case you need them. A password manager is a good option for storing these codes. You could also save them in a password-protected file.
Step four: Configure email access settings for your account
The last step is to configure the email access settings for your email account. The first part of this is deciding whether to disable POP, IMAP, and SMTP access to your account. Next, if you only set up two-factor authentication on one of the two webmail options, you should disable the other.
Disable POP, IMAP, and SMTP access for maximum security
POP and IMAP are protocols for reading emails off of a server. When you use an email client like Apple Mail, Thunderbird, or Outlook to access your email account as opposed to using webmail, these apps use POP or IMAP to read and download email from your account.
SMTP is the protocol they use to send emails.
Unfortunately, it’s simply not within the parameters of these protocols to support two-factor authentication, so it will not be possible to activate two-factor authentication for POP, IMAP, or SMTP.
That means that even if you secure your webmail account with two-factor authentication, so long as POP, IMAP, and SMTP are active on your email account, anyone with your username and password will be able to read and send emails on your account without having to enter the two-factor authentication code.
If you really want to make sure your email account is safe, then, you should deactivate these protocols.
On the other hand, you won’t be able to use your email account with any mail app if you don’t have these protocols activated.
It’s up to your to balance the pros and cons based on your own situation.
Disable unused webmail access
If you use only SOGo or Roundcube to access your email account from a browser, and you set up two-factor authentication on your preferred webmail account, you should deactivate the one you don’t use.
Otherwise, if you have two-factor enabled on one but not the other, the added security of activating two-factor authentication will be lost.
Step five: Use the ‘security checkup’ to strengthen your account’s security
Lastly, at the top of the Gandi Webmail Settings page, you’ll see a section labelled “Security Checkup.” This gives you a score on how secure your account is based on three criteria:
- How strong your password is
- Whether two-factor authentication is activated
- Whether POP, IMAP, and SMTP are disabled
This score helps you see at a glance how secure your email account is and how you can improve your email account’s security.
And the Gandi Webmail Settings page has all the tools you need to improve your account’s security. From this page, you can add a recovery email, download recovery codes, activate or deactivate POP, IMAP, and SMTP, and set a new password for your account.