4.4.2. Two-step authentication for mail
Attention!
For corporate mail only. Two-step authentication raises the security level of access to the mailbox via WebMail.Online.
When two-step authentication is enabled, the login paths are as follows (the original page shows them as a flowchart: user → WebMail.Online → login + main password → GAuth code or WebAuthn passkey → mailbox, or WebMail.Online → passkey directly when passwordless login is enabled; user → WebMail classic, mail clients or scripts → login + app password → mailbox; passwordless login via the control panel is blocked for both web interfaces):
- In the control panel's "Mailboxes" section, the passwordless login to WebMail.Online and WebMail classic is unavailable: a dash is displayed instead of the login button.
- Logging in to WebMail.Online: only with the main password plus a two-step authentication code or a passkey.
- Logging in to WebMail classic: only with an app password (if app passwords are enabled).
- Connecting to the mailbox from scripts and other mail clients: only with an app password (if app passwords are enabled).
Configure
GAuth
Important points:
- For two-step authentication via an authenticator app to work correctly, the time on the mobile device running the app must match the current server time. If it does not, open "More → Settings → Time correction for codes" in the app and tap "Synchronize".
- Enabling two-step authentication terminates all sessions that were opened with the main password.
- Log in to the mailbox using WebMail.Online.
- Open the "Settings → Security" section.
- In the "GAuth" block, click "Enable".
- Install an authenticator app on your mobile device:
- In the app, scan the QR code or enter the secret key below it manually.
- Enter the two-step authentication code that will be generated by the app and click "Confirm".
WebAuthn
Important points:
- WebAuthn can be used for both two-step authentication and passwordless login.
- Some devices do not support WebAuthn, for example devices with outdated operating system versions and certain Xiaomi and OnePlus smartphone models.
- For each mailbox, only one passkey can be stored per device (or per storage).
- On Windows, a PIN must be configured for the account to store passkeys locally on the device (a password alone is not sufficient); a fingerprint reader or facial recognition can also be used if the hardware is available.
- On Android, passkeys are stored in Google Password Manager and synchronized between devices. You can view, edit, or delete the stored passkeys in the password manager: on Android under "Settings → Google → Autofill → Google Autofill → Passwords", in a browser under "Google Account → Security → Saved passwords → Password manager".
- On iPhone, passkeys are stored in iCloud Keychain and synchronized between devices. You can view, edit, or delete the stored passkeys under "Settings → Passwords".
- Android and iPhone devices can also act as intermediaries, storing and reading passkeys on USB or NFC hardware keys connected to them.
- In the Bitwarden password manager, passkeys can be saved and used only via the browser extension.
- Log in to the mailbox using WebMail.Online.
- Open the "Settings → Security" section.
- In the "WebAuthn" block, click "Configure".
- Enter an arbitrary name for the device on which the passkey will be stored and click "Add". ⚠️ The device name is set only when adding the device and cannot be changed afterwards; the only way to rename it is to delete the device and set it up again.
- Register a new passkey. The steps depend on where the passkey is stored:

PIN code (must be configured in the system beforehand):
- In the "Making sure it's you" window, select "PIN" (or "This is a Windows device → PIN").
- Enter the PIN code set in the system and press Enter.
- If successful, the "Passkey saved" window appears.

Security key (a hardware USB key, such as a YubiKey):
- In the "Making sure it's you" window, select "Use another device → Security key".
- In the "Security key setup" window, click "OK".
- In the "Continue setup" window, click "OK".
- Insert the hardware key and press the button on it.
- If successful, the "Passkey saved" window appears.

iPhone, iPad, or Android device:
- In the "Making sure it's you" window, select "Use another device → iPhone, iPad or Android device".
- Scan the QR code with your device.
- Your device will offer to remember this computer so that you do not have to scan the QR code every time; choose the option you want.
- Once the device is connected, it shows which site and account the passkey will be saved for; tap "Continue".
- Use the screen lock on the device to confirm that the key has been saved.
- If successful, the "Passkey saved" window appears.

If the mobile device was remembered earlier, the QR code step is skipped:
- The device shows which site and account the passkey will be saved for; tap "Continue".
- Use the screen lock on the device to confirm that the key has been saved.
- If successful, the "Passkey saved" window appears.

Password manager browser extension (for example Bitwarden):
- In the extension window "Select the login for which the passkey will be saved", select the entry to which the passkey should be attached and click "Save passkey" (or create a new entry if there is no matching one in the vault).
- If a passkey already exists for the selected entry, confirm overwriting it (make sure you are not overwriting a passkey you still need).
- (Optional) To log in with the passkey without entering a password, click "Configure" in the "WebAuthn" block and enable the "Log in without password" option in the row for the desired device.
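The choices above (PIN, hardware key, or a phone whose passkeys live in Google Password Manager or iCloud Keychain) all produce the same WebAuthn registration message, and the relying party can tell from it whether the credential is a synced passkey or bound to one piece of hardware. The following added example (not code from the page or from the mail service, which does not document its server side) parses the `authenticatorData` field of a registration response: the relying-party ID hash, the flags (user present, user verified, backup eligible, backup state), the signature counter, the AAGUID and the credential ID. `RP_ID` and the sample blobs are constructed for the demo; the COSE public key at the end is left undecoded.

```python
import hashlib
import hmac
import struct

# Assumed relying-party ID for the demo; the real WebMail.Online rpId is not given on the page.
RP_ID = "webmail.example"

# Flag bits of authenticatorData (WebAuthn Level 3, section 6.1).
FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS, FLAG_AT, FLAG_ED = 0x01, 0x04, 0x08, 0x10, 0x40, 0x80


def build_sample_auth_data(flags: int, sign_count: int, cred_id: bytes) -> bytes:
    """Construct a synthetic authenticatorData blob for exercising the parser.
    Constructed input, not a capture from any real authenticator."""
    aaguid = b"\x00" * 16          # all-zero AAGUID, as many platform authenticators report
    cose_key = b"\xa0"             # empty CBOR map standing in for the COSE public key
    return (hashlib.sha256(RP_ID.encode()).digest()
            + bytes([flags | FLAG_AT])   # attested credential data is always present at registration
            + struct.pack(">I", sign_count)
            + aaguid
            + struct.pack(">H", len(cred_id))
            + cred_id
            + cose_key)


def parse_authenticator_data(data: bytes) -> dict:
    """Split authenticatorData into its fields; raises ValueError on a truncated blob."""
    if len(data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags = data[32]
    info = {
        "rp_id_hash": data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),   # credential may be synced to other devices
        "backup_state": bool(flags & FLAG_BS),      # credential is currently synced
        "attested_credential_data": bool(flags & FLAG_AT),
        "sign_count": struct.unpack(">I", data[33:37])[0],
    }
    if info["attested_credential_data"]:
        if len(data) < 55:
            raise ValueError("attested credential data header truncated")
        cred_len = struct.unpack(">H", data[53:55])[0]
        cred_id = data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential ID truncated")
        info["aaguid"] = data[37:53].hex()
        info["credential_id"] = cred_id
        info["credential_public_key"] = data[55 + cred_len:]  # COSE key, CBOR-encoded; not decoded here
    return info


def rp_id_matches(info: dict, rp_id: str) -> bool:
    """The rpIdHash must equal SHA-256 of the relying party's own ID, or the response is for another site."""
    return hmac.compare_digest(info["rp_id_hash"], hashlib.sha256(rp_id.encode()).digest())


def classify(info: dict) -> str:
    """Synced passkey (Google Password Manager, iCloud Keychain) versus a device-bound credential (e.g. a YubiKey)."""
    if info["backup_eligible"] and info["backup_state"]:
        return "synced passkey"
    if info["backup_eligible"]:
        return "backup-eligible, not yet synced"
    return "device-bound credential"


if __name__ == "__main__":
    synced = parse_authenticator_data(
        build_sample_auth_data(FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0, b"\x11" * 16))
    hardware = parse_authenticator_data(
        build_sample_auth_data(FLAG_UP | FLAG_UV, 7, b"\x22" * 32))
    for name, info in (("phone passkey", synced), ("security key", hardware)):
        print(name, classify(info), "rpId ok:", rp_id_matches(info, RP_ID),
              "UV:", info["user_verified"], "counter:", info["sign_count"])
```

Two checks in this parser matter for the page's statements: `user_verified` confirms that the PIN, fingerprint, face or screen lock described in the steps was actually used rather than a bare touch, and `rp_id_matches` rejects a response minted for a different origin. The `backup_eligible` and `backup_state` bits are what lets a relying party apply a stricter policy to hardware keys than to passkeys synced through a cloud password manager, if it chooses to.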
Disable
Two-step authentication can be disabled by the mailbox user via the WebMail.Online interface (if access is available) or reset by the mail domain administrator via the control panel.
WebMail.Online
- Log in to the mailbox using WebMail.Online.
- Open the "Settings → Security" section.
- Disable two-step authentication:
- For GAuth — in the "GAuth" block, click "Disable" and confirm the operation with the button in the window.
- For WebAuthn: in the "WebAuthn" block, click "Configure" and remove the devices from the list.
Control panel
A mail domain administrator can reset two-step authentication with the button in the "Mailboxes" section (shown only for mailboxes that have two-step authentication enabled). Resetting disables all two-step authentication methods configured for the mailbox and sends a message to that mailbox stating that two-step authentication has been reset by the mail domain administrator.