Two-Factor Authentication
Overview
Easy Mail Archive requires a second factor for every password login to protect user accounts. Two methods are supported: TOTP (Time-based One-Time Password) authenticator apps and verification codes sent by email. Logins via email code or OIDC/SSO do not add a further step; how each login method is treated is described below.
How It Works
Login with Password
When a user logs in with their password, a second factor is always required:
- If TOTP is set up: The user is prompted to enter a code from their authenticator app (e.g. Google Authenticator, Authy, 1Password).
- If TOTP is not set up: A 6-digit verification code is sent to the user's email address. The user must enter this code to complete the login.
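The email-code fallback above is only as safe as the server-side handling of the code: a 6-digit code has one million possible values, so it must come from a CSPRNG, expire, be single-use, and be abandoned after a few wrong guesses. The following is an added illustration written for this page, not Easy Mail Archive's own code; the 10-minute lifetime and 5-attempt cap are assumptions, not documented product settings.

```python
import hmac
import secrets
from dataclasses import dataclass

CODE_TTL = 10 * 60   # assumption: a code is valid for 10 minutes
MAX_ATTEMPTS = 5     # assumption: 5 wrong guesses burn the code


@dataclass
class PendingCode:
    code: str
    expires_at: int
    attempts: int = 0


class EmailCodeStore:
    """Server-side state for the email second factor. One pending code per user;
    issuing a new one replaces any earlier one, so only one code is ever guessable."""

    def __init__(self) -> None:
        self._pending = {}

    def issue(self, user: str, now: int) -> str:
        # Six digits give only 10**6 possibilities, so the code must come from a
        # CSPRNG and be protected by the attempt cap and expiry below, not by length.
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user] = PendingCode(code=code, expires_at=now + CODE_TTL)
        return code   # the caller emails this to the user; it is never logged

    def verify(self, user: str, submitted: str, now: int) -> bool:
        p = self._pending.get(user)
        if p is None:
            return False
        if now > p.expires_at:
            del self._pending[user]          # expired; a new code must be requested
            return False
        p.attempts += 1
        # Constant-time compare: an early-exit string compare leaks digits over time.
        if hmac.compare_digest(p.code, submitted):
            del self._pending[user]          # single use
            return True
        if p.attempts >= MAX_ATTEMPTS:
            del self._pending[user]          # burned; the user must request a new code
        return False
```

Whether the code was wrong, expired or burned, the response to the user should be the same ("code not accepted, request a new one"); only the server log needs the distinction.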
Login with Email Code
When a user logs in via email code (magic link), no additional second factor is required: the code itself proves access to the user's mailbox, which serves as the second factor. Note that this path does not check TOTP even when it is set up, so anyone who controls the mailbox can log in regardless of TOTP. An account is therefore only as well protected as the mailbox it is tied to.
Login with OIDC/SSO
When a user logs in via OIDC/SSO, no additional second factor is required. Authentication, including any MFA policy, is the responsibility of the identity provider, so MFA for SSO users must be enforced there.
TOTP Setup
Users can set up TOTP in their account settings:
- Go to Account Settings
- Click Enable Two-Factor Authentication
- Scan the QR code with an authenticator app
- Enter the 6-digit code from the app to confirm
- Save the recovery codes in a secure location
Recovery Codes
When enabling TOTP, the system generates a set of single-use recovery codes that can be used to log in if the authenticator app is unavailable; each code works exactly once. New recovery codes can be generated in the account settings, which invalidates all previous codes, so the new set should replace the old one wherever it is stored.
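To show what happens behind the setup steps and the recovery codes described above, here is an added, self-contained example written for this page (not Easy Mail Archive's own code): the secret and otpauth:// URI behind the QR code, RFC 6238 code generation and verification with a small clock-drift window, the confirmation step that stores the secret only after the user enters a valid code, and single-use recovery codes of which only hashes are kept. The one-step window, ten-code set and 40-bit code length are assumptions; the RFC 4226/6238 test secret in the usage is the standard published one.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Set
from urllib.parse import quote

STEP = 30      # TOTP time step in seconds (RFC 6238 default)
DIGITS = 6     # 6-digit codes, as the settings page expects
WINDOW = 1     # accept one step either side for phone clock drift (assumption)


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / STEP)."""
    return hotp(secret, at // STEP)


def verify_totp(secret: bytes, submitted: str, at: int) -> bool:
    """Check every step in the window with a constant-time compare and no early exit,
    so response timing does not reveal which slot (if any) matched."""
    step = at // STEP
    ok = False
    for delta in range(-WINDOW, WINDOW + 1):
        ok |= hmac.compare_digest(hotp(secret, step + delta), submitted)
    return ok


def provisioning_uri(secret: bytes, account: str, issuer: str = "Easy Mail Archive") -> str:
    """otpauth:// URI; the settings page renders this as the QR code the user scans."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer + ':' + account)}?secret={b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def _hash_code(code: str) -> str:
    # Recovery codes are 40 bits of CSPRNG output, so a plain SHA-256 is adequate:
    # only the hash is stored, and there is no low-entropy input to dictionary-attack.
    return hashlib.sha256(code.encode()).hexdigest()


@dataclass
class Account:
    totp_secret: Optional[bytes] = None
    recovery_hashes: Set[str] = field(default_factory=set)   # hashes only, never codes


def enable_totp(acct: Account, secret: bytes, confirm_code: str, at: int) -> List[str]:
    """The confirmation step: the user proves the app was enrolled by entering a
    current code. Only then is the secret stored; the recovery codes are returned
    once for the user to save and are not retrievable afterwards."""
    if not verify_totp(secret, confirm_code, at):
        raise ValueError("confirmation code did not match; TOTP not enabled")
    acct.totp_secret = secret
    return regenerate_recovery_codes(acct)


def regenerate_recovery_codes(acct: Account, count: int = 10) -> List[str]:
    """Issue a fresh set and drop every previous hash, so old codes stop working."""
    codes = [secrets.token_hex(5) for _ in range(count)]   # 10 hex characters each
    acct.recovery_hashes = {_hash_code(c) for c in codes}
    return codes


def use_recovery_code(acct: Account, submitted: str) -> bool:
    """Single use: the matching hash is removed before True is returned."""
    h = _hash_code(submitted)
    for stored in list(acct.recovery_hashes):
        if hmac.compare_digest(stored, h):
            acct.recovery_hashes.remove(stored)
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test secret; at unix time 59 the 8-digit reference code is 94287082.
    demo_secret = b"12345678901234567890"
    print(provisioning_uri(demo_secret, "alice@example.com"))
    print(totp(demo_secret, 59))            # 287082, the 6-digit form of that vector
    acct = Account()
    codes = enable_totp(acct, demo_secret, totp(demo_secret, 59), 59)
    print(use_recovery_code(acct, codes[0]), use_recovery_code(acct, codes[0]))
```

The secret is generated with `secrets.token_bytes(20)` in a real enrolment and must be stored encrypted at rest; it is shown here as the published RFC test vector only so the output is checkable. The window of one step on each side is the usual compromise between tolerating phone clock drift and keeping the number of codes accepted at any moment small.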
Admin Policy: Require TOTP
Tenant administrators can enforce TOTP setup for all users:
- Go to Admin > Security
- Enable Require TOTP
When this policy is active, users who have not set up TOTP are redirected to their account settings page after login and cannot access the archive until TOTP is configured. The email code fallback still works for login, but the user will be required to set up TOTP before they can use the application.
Summary
| Login method | TOTP set up | Behavior |
|---|---|---|
| Password | Yes | TOTP code required |
| Password | No | Email verification code sent |
| Email code | Yes or No | No additional step (email = second factor) |
| OIDC/SSO | Yes or No | No additional step (IdP handles security) |