Using FIDO Keys with Mailbox.org : HOTP Method
Mailbox.org is a secure, privacy-focused email service provider based in Germany, renowned for its strong commitment to data security. Designed to meet the needs of both individuals and organizations, Mailbox.org offers a full suite of productivity tools, including email, calendar, contacts, tasks, and cloud storage, while adhering to strict European data protection regulations (such as GDPR). While the platform supports two-factor authentication (2FA) through various methods, native support for the FIDO protocol is still under development. In the meantime, users can protect their accounts using other 2FA methods, such as HOTP (HMAC-based One-Time Password) and TOTP (Time-based One-Time Password), the latter requiring an additional app.
HOTP with FIDO Keys on Mailbox.org
Mailbox.org allows you to enable HOTP for added security, which can be conveniently used with our FIDO keys. Many of FIDO keys, operate in HID emulation mode, meaning you can generate and input HOTP codes without the need for an additional app. All you need to do is plug the key into your device and press the sensor to generate a one-time password (OTP) for your login. Kindly note that our biometric keys currently do not support HOTP over HID functionality.
Step-by-Step Guide to Setting Up HOTP with FIDO Keys on Mailbox.org
- Login to Your Mailbox.org Account
Access your mailbox.org account by visiting mailbox.org.
- Navigate to Security Settings
Once logged in, go to your account settings.
Select "One Time Passwords" option from the Settings list - Enable One Time Passwords setting
First, set a PIN. The way Mailbox.org implemented OTP-based 2FA, is that you use a different string as your first factor (not the password). When logging in, you will have to enter this PIN and then append the OTP to complete the authentication.
After that, select the OTP Security level from the list of available options (the options are self-explanatory and quite limited as you can see).
Finally, select the OTP Method as "OTP Generators..." as shown on the example below. - Generate and write the HOTP seed
On the same dialog, when you choose "OTP Generators" option, the system will give you many different methods of OTP generators. Choose HOTP Token as shown below:
Keep the default settings (OTP digits as 6 and Hash algorithm as sha1) and click on 'enroll hmac token'.
This will generate the HOTP seeds in 3 different formats: a QR code, an URI and a Hex seed.For our purposes (using the otp-cli.exe tool or its Python version), you'll need the "secret" value from the URL. Copy that string and use the otp-cli.exe tool to write it to your FIDO Security key. The syntax is as follows:
otp-cli.exe set_btn_seed --code-length 6 --seed MARLFAA7MQU4QDWP4PNJGSKA3CXICOX5 --short-touch
--short-touch is optional. It removes the delay before OTP generation after pressing the button. This option may complicate login processes if you use the same device for FIDO authentication.
- Verify Your HOTP seed
After this, you'll need to verify your key generates correct OTPs. Go back to the OTP settings form and place your cursor in the OTP password test field:
Then, simply press the sensor/button to generate a new OTP and click on "Perform OTP password test".
A message similar to "OTP password test successful" should appear. In such a case, click on "Save" to complete the process.
Logging in with HOTP FIDO Key
- Enter Your Username and PIN
On the login screen, input your mailbox.org username . Instead of the usual password, enter the PIN you defined in the OTP settings window.
- Generate OTP with FIDO Key
Then, insert your FIDO key into the USB port. Press the sensor to generate the HOTP code. The key will enter the OTP directly into the login field after the PIN.
- Access Your Account
After entering the correct OTP, you'll be granted access to your mailbox.org account.
Notes
- TOTP Support: If you prefer using TOTP (Time-based One-Time Password), mailbox.org also supports it. However, you will need to have the otp-cli.exe available on every system you log in with. This option may be less convenient than HOTP since it requires managing an extra app.
- Security: While HOTP is secure and convenient, we recommend keeping an eye on mailbox.org’s updates, as native FIDO protocol support will provide an even higher level of security once implemented.
Conclusion
With the HOTP method and your FIDO key, securing your mailbox.org account is easier and more secure than ever. By following the steps outlined above, you can ensure that your account is protected using the latest security technologies, without the hassle of additional apps or complex processes.
Subscribe to our mailing list
Want to keep up-to-date with the latest Token2 news, projects and events? Join our mailing list!