How to Turn on 2FA for your Gandi Email Address¶
It is possible for you to secure any Gandi email address with 2FA (two factor authentication) when you use either of the webmail portals we provide.
You can check on the current security status of your email account, and manage your security settings, at Gandi Webmail Settings.
2FA can only be used through Gandi’s webmail portals. Email clients, such as Thunderbird or Outlook, are not supported. You are free to choose whether or not to disable access to local email clients like Thunderbird, but the only way to protect all access to your email with 2FA is by disabling these type of local mail clients.
Two factor authentication, or 2FA, refers to the security practice of requiring two different types of verification to prove your identity. When you activate 2FA on your Gandi email account you will provide both your regular password and an additional code generated from an app on your mobile device.
When you visit Gandi Webmail Settings you will see a level from 1-3 indicating the level of security on your email account. To achieve maximum protection you must complete three steps:
- Create a strong password for your email address. You most likely already did this when you created the email address. If the password is not sufficiently strong you can create a new password in the “”Password change” section near the bottom of Gandi Webmail Settings.
- Enable 2FA on both webmail portals. Links are provided on the page to access these portals. You can also enable 2fa on one portal and block the other portal in the “Email access” section near the bottom of the page.
- Disable access to POP, IMAP, or SMTP protocols. Taking this step will prevent you from using an email client such as Thunderbird or Outlook. However, since these protocols cannot be secured with 2FA, disabling these protocols is the only way to fully secure your email with 2FA.
You can find a more detailed explanation of how to complete these three steps in the following section.
Before you begin you should install a 2FA app, such as Google Authenticator, on the device you will use as your 2FA device. This device is most often a mobile phone.
Next, visit Gandi Webmail Settings. Login using the email address you will secure and the password you set for that email address when you created it. If you have forgotten the password you chose for your email you can reset it in your Gandi account.
You should then activate 2FA on one or both webmail clients. You can do this by clicking on “Go to webmail” under each Webmail’s logo. The following pages contain detailed instructions on activating 2FA on each webmail client. If you only plan to use one webmail client you can disable access to the other client in the “Email Access” section near the bottom of the Gandi Webmail Settings page.
Make sure that you add each webmail to your authentication app before you log out of the webmail. Since SOGo and Roundcube use different codes you must enter both webmails separately into your authentication app if you plan to use both systems.
A recovery email can be used to regain access to your email if you lose your 2FA device. You should use an email address you know you will have access to even if you have problems with your Gandi email address.
To add a recovery email address go to the “Recovery email address section”, enter the email you wish to use in the field, then click save.
Once you save the recovery email address we will send an email to confirm this address. You must click the link in this email before your recovery email will be active. If you do not click this link you will not be able to use this email address to recover access to your account.
Recovery codes are a second way you can gain access to your email if you lose your 2FA device.
The recovery codes you generate on Gandi Webmail Settings can only be used on the Gandi Webmail Settings page. They cannot be used to directly log in to either webmail client.
To generate your codes click “Generate recovery codes” then store the codes in a secure location such as a password manager. Be sure to store the codes in a location you will be able to access even if you lose your 2FA device.
If you want maximum security in place for your email you should disable POP, IMAP, and SMTP protocols. Since these protocols do not support 2FA, you can only fully secure your account by disabling these protocols. However, disabling these protocols will prevent you from using an email client such Outlook or Thunderbird. It is up to you to choose what level of security is appropriate for your email address.
To disable these protocols go to the Email Access section in Gandi Webmail Settings and toggle all three switches so they appear to be greyed out. Next, click Save settings in the bottom of the section.
Once you have completed these steps your email will be fully secured using 2FA.
If you have forgotten the password to your email you can reset it in your Gandi account.
If you have lost access to your 2FA device, then go to Gandi Webmail Settings. Login using your email address and password. Then, when prompted for the 2FA code instead click Unable to access your 2FA device?
If you have set up a recovery email you can choose to send an email to your recovery email address. You can then click on the link in the email to reset (disable) 2FA on SOGo and Roundcube.
If you generated recovery codes you can use one of the codes you saved. When you enter the code you will be logged into Gandi Webmail Settings and 2FA will be reset (disabled) on both SOGo and Roundcube.
No matter what method you use, it will be necessary to set up 2FA on SOGo and Roundcube again once you have regained access. Or, if you only plan to use one of the webmail clients you disable the other in the “Email Access” section on the Gandi Webmail Settings page.
If you have not set up a recovery method, or if you have any problems with the recovery process, you can contact our support team for further assistance.