Spaceship Blog

Why 2FA should be your #1 email security habit


It was invented in the ‘90s (and is widely credited to AT&T) but only came to prominence in the mid-2000s. Two-factor authentication (or 2FA, as it’s more commonly known) rests on a premise so simple it’s almost beautiful: combine something you know with something you have.

The problem and solution

The problem:

A username and password were all that stood between our data and unauthorized access. Our accounts are essentially an unmonitored door that can be tried 24/7 without our knowledge. This isn’t helped by the fact that usernames are almost always formulaic (often just our email address), and passwords can also be easy to guess because we all tend towards the same ideas.

For example, a single dictionary word would be difficult for another human to guess, but because the English language has a limited number of words, a computer can try every one of them in seconds. This is why many sites ask us to strengthen our passwords with numbers and special characters. But offline cracking tools can now try billions of guesses per second against a stolen password database, passwords reused across sites turn up in breach dumps, and AI-assisted guessing is only making this faster, so even a ‘complex’ password is not enough on its own. Remember, that “door” to your account is reachable from anywhere, 24/7.

The solution:

Validating that it’s really you logging in by presenting something that only you can (logically) have to hand. This could be a smartphone, a hardware key, or even a biometric. Whichever method is used, 2FA means a stolen password alone is no longer enough to log in, and a prompt or code you didn’t request tells you it’s time to change that password and check for further damage.

Sure, it’s a glorified ID check — the equivalent of looking through the peephole before taking the front door off the latch — but the implementation is fairly ingenious when you think about it. The amount of security and awareness 2FA adds to an account elevates it beyond the sum of its parts. 

So, why did it take so long to catch on? Most likely a combination of the gradual rise in cybercrime, the growing number of people carrying a second device, and the increased computing power available to criminals meant it had to wait for its time to shine. There were also likely concerns about what happens when the secondary device is lost.

Where we’ve seen 2FA excel for years

Banking and financial apps have been utilizing it for a good few years now. But if you haven’t noticed it trickling down to your more ‘everyday’ accounts already, you probably will soon. The rollout is underway as hacking technology becomes more sophisticated, and data companies have an increasing burden of responsibility to protect our data.

Let’s take a look at 2FA in the context of email accounts, for example. Until now, you might have considered it a bit of a faff, or overly cautious to activate 2FA for your email accounts — but we’re going to persuade you why it’s so worthwhile, especially if you’re in business. 

Why add 2FA to secure your email account?


Well, firstly, consider that a second layer of protection beyond your password is never really a bad thing. Now, stop and think about the kind of sensitive data your email account contains:

  • Banking information — the kind you’ve protected with 2FA elsewhere for years.
  • Personal attachments — photos, documents, or even creations whose intellectual property you want to protect.
  • Purchase history — and other data that could be valuable to advertisers.
  • Medical data — records of appointments, medication, or even conditions.
  • Real estate data — buying houses, and similar important processes, are often paperless.

And, as we mentioned, if you’re in business, this data almost certainly extends to that of your customers. Keeping this data safe is a legal obligation in countries with rules like GDPR. So securing email is already beginning to sound like a no-brainer, and we aren’t even finished yet!

Perhaps the most crucial reason to keep your email secure is that it’s a gateway to many of your other accounts. For years, it’s been a common way to reset passwords. All someone with access to your email has to do is read your messages to figure out what sites you have accounts for, and then go through the ‘forgotten password’ process on them. 

For almost all smaller sites, the registered email account is all that stands in the way of someone accessing your account. This could mean many of your accounts are compromised before you’re even aware your email has been hacked.

Easily add 2FA to your account


The good news is, it’s really easy to add 2FA to most email accounts. Business or professional email accounts are particularly likely to offer the feature. The process of activation is usually easy, and very quick to set up, especially if you have an authenticator for other apps.

We’re going to look at Spacemail (by Spaceship) as a good example, where 2FA can be activated in a few clicks.

  1. Log in to your account
  2. Click the settings cog at the top right of the screen.
  3. Click ‘Launch security center’ in the second box.
  4. Click TWO FACTOR AUTHENTICATION on the tab.
  5. Choose from one of the two supported 2FA types.

Don’t forget to seal other points of entry

Adding 2FA to the main login is all very well, but there’s a good chance you have another way into your email account if it’s connected to a mail app (like Outlook or the Gmail app) on your phone.

Those apps talk to the mailbox over IMAP or POP3 (for reading) and SMTP (for sending), and these protocols were designed to authenticate with a username and password alone: the 2FA you configured for the web login is never consulted. If they are enabled on your account, anyone who has your password can add it to a mail client and read or send as you, without ever seeing a 2FA prompt. If you don’t use them, disable them. If you do, prefer whatever your provider offers to keep them off the bare account password (app-specific passwords or OAuth sign-in, where available) and periodically check which clients are connected.
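To see what a mail server is actually offering a client, here is an added example (written for this edit, not Spaceship’s code) that reads the capability announcements of the three protocols named above and reports whether any advertised method would let a client in with the password alone. The sample responses are constructed, the server names are placeholders, and the mechanism lists cover only the common SASL methods.

```go
package main

import (
	"fmt"
	"strings"
)

// SASL mechanisms a client completes with the account password alone; the
// web login's second factor is never consulted. Unlisted ones are ignored.
var passwordOnlyMechs = map[string]bool{"PLAIN": true, "LOGIN": true, "CRAM-MD5": true, "SCRAM-SHA-1": true, "SCRAM-SHA-256": true}

// Mechanisms completed with a token from the web sign-in, where 2FA applies.
var tokenMechs = map[string]bool{"XOAUTH2": true, "OAUTHBEARER": true}

// AuthReport summarises what one server advertises.
type AuthReport struct {
	PasswordOnly []string // SASL mechanisms needing only the password
	TokenBased   []string // SASL mechanisms needing an OAuth token
	LoginCommand bool     // bare LOGIN (IMAP) or USER/PASS (POP3) accepted
}

// Bypasses2FA is true when a client could sign in with the password alone.
func (r AuthReport) Bypasses2FA() bool {
	return r.LoginCommand || len(r.PasswordOnly) > 0
}

func (r *AuthReport) classify(mechs []string) {
	for _, m := range mechs {
		m = strings.ToUpper(m)
		switch {
		case passwordOnlyMechs[m]:
			r.PasswordOnly = append(r.PasswordOnly, m)
		case tokenMechs[m]:
			r.TokenBased = append(r.TokenBased, m)
		}
	}
}

// AuditIMAP reads an untagged CAPABILITY response (RFC 3501). Use the one
// seen after STARTTLS or on port 993: servers often advertise LOGINDISABLED
// and hide AUTH= mechanisms until the link is encrypted.
func AuditIMAP(capabilityLine string) AuthReport {
	r := AuthReport{LoginCommand: true} // LOGIN is allowed unless LOGINDISABLED
	for _, f := range strings.Fields(capabilityLine) {
		u := strings.ToUpper(f)
		if u == "LOGINDISABLED" {
			r.LoginCommand = false
		} else if strings.HasPrefix(u, "AUTH=") {
			r.classify([]string{strings.TrimPrefix(u, "AUTH=")})
		}
	}
	return r
}

// AuditSMTP reads a multi-line EHLO response (RFC 4954), accepting both
// "250-AUTH PLAIN LOGIN" and the legacy "250-AUTH=LOGIN" spelling.
func AuditSMTP(ehloResponse string) AuthReport {
	var r AuthReport
	for _, line := range strings.Split(ehloResponse, "\n") {
		line = strings.TrimSpace(line)
		if len(line) < 4 || !strings.HasPrefix(line, "250") {
			continue
		}
		body := strings.ReplaceAll(strings.TrimSpace(line[4:]), "AUTH=", "AUTH ")
		if f := strings.Fields(body); len(f) > 1 && strings.EqualFold(f[0], "AUTH") {
			r.classify(f[1:])
		}
	}
	return r
}

// AuditPOP3 reads a CAPA response (RFC 2449): "USER" means USER/PASS is
// accepted, "SASL ..." lists the mechanisms.
func AuditPOP3(capaResponse string) AuthReport {
	var r AuthReport
	for _, line := range strings.Split(capaResponse, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		switch strings.ToUpper(f[0]) {
		case "USER":
			r.LoginCommand = true
		case "SASL":
			r.classify(f[1:])
		}
	}
	return r
}

func main() {
	// Constructed sample responses, not captured from any real server.
	for name, r := range map[string]AuthReport{
		"IMAP": AuditIMAP("* CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=XOAUTH2 IDLE"),
		"SMTP": AuditSMTP("250-mail.example\n250-AUTH PLAIN LOGIN XOAUTH2\n250 OK"),
		"POP3": AuditPOP3("+OK\nSASL XOAUTH2\nUIDL\n."),
	} {
		fmt.Printf("%s: password-only=%v token=%v bypasses2FA=%t\n", name, r.PasswordOnly, r.TokenBased, r.Bypasses2FA())
	}
}
```

Feed it the capability line you get on an encrypted connection (for example from `openssl s_client -starttls imap`), since many servers hide their AUTH= mechanisms until after STARTTLS. A report where Bypasses2FA is true means a leaked password is enough for that protocol, whatever you set up on the web login.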

In the case of Spacemail, an app is currently in production, slated for release later this year. This will allow you easy access to your mail on a device like a smartphone, without compromising security. 

Types of 2FA


Speaking of “types of 2FA”, let’s take a closer look at what they are and how they work in the context of Spacemail. Broadly speaking, second factors fall into three categories, each based on a different kind of evidence.

“Something you know”

This includes things like additional PINs or security questions. These are pieces of information that only you should know, but in many ways they are no different from a second password: they can be guessed, researched, or phished just the same (strictly, a password plus a PIN is two of the same factor, not two factors). A more antiquated form of 2FA, it’s gradually being phased out in favor of the methods below.

You may remember advice from several years ago to choose a fake ‘mother’s maiden name’ or ‘first pet’ so the answer couldn’t be guessed or researched.

Due to its relative insecurity, this method is not supported by Spacemail.

“Something you are”

We touched on this briefly already. This type relies on biometric data such as fingerprints, facial recognition, or voice. It’s useful where a secondary device isn’t practical, for instance when the smartphone you’re logging in from is itself the secondary device.

Biometrics allow for a second check using the self, although this requires sensors usually found only on recent devices. Note that on phones and laptops the biometric normally stays on the device: it unlocks a locally stored key, and the site never receives your fingerprint or face.

“Something you have”


Most 2FA falls into this category, and that goes for both of the options you’ll find on Spacemail. These require possession of a specific device or item, and there are several ways to implement it.

TOTP (Time-Based One-Time Password)

TOTP codes are generated by an authenticator app from a shared secret (set up by scanning a QR code) and the current time, so the app needs no network connection and the code changes every 30 seconds. Some services instead send one-time codes by SMS or email. Those are weaker: an SMS can be intercepted or redirected by a SIM swap, and an emailed code is circular when the account being protected is the email account itself. For that reason Spacemail only supports app-generated TOTP codes.
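To make concrete what the app does, here is an added example (not Spaceship’s code) implementing RFC 6238 TOTP in Go: decode the base32 secret from the provisioning QR code, derive the code for a time step, and verify a submitted code on the server side with one step of clock skew and a constant-time comparison. The secret used is the RFC 6238 test secret, so the 8-digit outputs can be checked against the RFC’s Appendix B table.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// totpAt computes an RFC 6238 code (HMAC-SHA1, 30-second time step) for a raw
// shared secret at the given Unix time. This is the arithmetic the
// authenticator app performs after you scan the provisioning QR code, which
// is why it works with no network connection.
func totpAt(secret []byte, unix int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unix/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	// Dynamic truncation (RFC 4226 section 5.3): the low nibble of the last
	// byte picks a 4-byte window, whose top bit is cleared.
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// decodeBase32Secret accepts the secret as it appears in an otpauth:// URI or
// a "manual entry" key: base32, case-insensitive, spaces and padding optional.
func decodeBase32Secret(s string) ([]byte, error) {
	s = strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	s = strings.TrimRight(s, "=")
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// verifyTOTP is the server side: it tolerates one time step of clock skew in
// either direction and compares in constant time. Refusing to accept the same
// code twice is left to the caller (assumption: it stores the last accepted
// time step alongside the secret).
func verifyTOTP(secret []byte, submitted string, now int64) bool {
	for _, skew := range []int64{0, -30, 30} {
		expected := totpAt(secret, now+skew, 6)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	// RFC 6238 Appendix B test secret: base32 of ASCII "12345678901234567890".
	secret, err := decodeBase32Secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	if err != nil {
		panic(err)
	}
	fmt.Println(totpAt(secret, 59, 8))         // 94287082 (RFC 6238 table)
	fmt.Println(totpAt(secret, 1111111109, 8)) // 07081804
	fmt.Println(totpAt(secret, time.Now().Unix(), 6))
	fmt.Println(verifyTOTP(secret, totpAt(secret, 1111111109, 6), 1111111129)) // true
}
```

Two things the code makes visible: the server must hold the very same secret, so it is a reversible secret that needs more careful storage than a password hash, and the skew window means a code can be accepted over roughly 90 seconds, so a server should also refuse to accept the same code twice.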

U2F (Universal 2nd Factor)

U2F uses public-key cryptography, which makes it both more secure and phishing-resistant, and there are no codes to type. You insert a hardware key (like a YubiKey) into your device and touch it when prompted. This has the added bonus that if someone steals your smartphone, a further device (the key) is still required to access your 2FA-secured accounts.

Which method to choose

U2F is generally considered more secure because the private key is generated on, and never leaves, a tamper-resistant device, and because each signature is bound to the specific website or app that requested it. The key signs the origin it is talking to along with the server’s challenge, so if you are tricked into visiting a fake site, the signature it collects is for the wrong origin and the real site will reject it. Nothing you type on the fake page helps the attacker.
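The origin binding is easiest to see in code. The following added example (not Spaceship’s code, and a simplified model rather than a full FIDO implementation) builds the message a U2F key signs, following the FIDO U2F raw message layout, with a P-256 key generated on the “device”. The origins `https://mail.example` and `https://mail-example.evil` are placeholders, and the client data is reduced to the raw challenge for brevity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Placeholder origins (assumed for this example).
const (
	genuineOrigin  = "https://mail.example"
	phishingOrigin = "https://mail-example.evil" // look-alike relaying real challenges
)

// Authenticator models the hardware key: the private key is generated on the
// device and never leaves it, and the device keeps a signature counter.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv}, err
}

// PublicKey is what the server records at registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// signedMessage lays out the bytes a U2F key signs (FIDO U2F raw message
// format): SHA-256 of the application ID (the origin), a user-presence byte,
// the counter, and SHA-256 of the client data, reduced here to the challenge.
func signedMessage(appID string, counter uint32, challenge []byte) []byte {
	app := sha256.Sum256([]byte(appID))
	cd := sha256.Sum256(challenge)
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	msg := make([]byte, 0, 32+1+4+32)
	msg = append(msg, app[:]...)
	msg = append(msg, 0x01) // user presence: the key was touched
	msg = append(msg, c[:]...)
	return append(msg, cd[:]...)
}

// Sign is called by the browser, which supplies the origin the user is really
// on; the page itself cannot substitute a different one.
func (a *Authenticator) Sign(origin string, challenge []byte) (uint32, []byte, error) {
	a.counter++
	digest := sha256.Sum256(signedMessage(origin, a.counter, challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	return a.counter, sig, err
}

// Server holds the public key from registration and the last counter seen.
type Server struct {
	appID       string
	pub         *ecdsa.PublicKey
	lastCounter uint32
}

// Verify rebuilds the message with the server's OWN application ID; a counter
// that has not advanced means a replay or a cloned key.
func (s *Server) Verify(challenge []byte, counter uint32, sig []byte) bool {
	if counter <= s.lastCounter {
		return false
	}
	digest := sha256.Sum256(signedMessage(s.appID, counter, challenge))
	if !ecdsa.VerifyASN1(s.pub, digest[:], sig) {
		return false
	}
	s.lastCounter = counter
	return true
}

// attempt runs one login: the server issues a fresh challenge, the browser on
// `origin` asks the key to sign it, and the server checks the result.
func attempt(srv *Server, key *Authenticator, origin string) (bool, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false, err
	}
	counter, sig, err := key.Sign(origin, challenge)
	if err != nil {
		return false, err
	}
	return srv.Verify(challenge, counter, sig), nil
}

func main() {
	key, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	srv := &Server{appID: genuineOrigin, pub: key.PublicKey()}
	ok, _ := attempt(srv, key, genuineOrigin)
	fmt.Println("genuine site:", ok) // true
	ok, _ = attempt(srv, key, phishingOrigin)
	fmt.Println("phishing page relaying the challenge:", ok) // false
}
```

Because the browser, not the page, supplies the origin to the key, the signature collected on the look-alike site covers the wrong application ID and fails verification at the real server, even though the challenge itself was genuine. The counter check is the second thing worth copying: a signature whose counter has not advanced is either a replay or a sign that the key has been cloned.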

Of course, purchasing a U2F key has an implied cost, but this could be worth it when it comes to your security.

2FA as part of a balanced security diet…

Man cannot live by 2FA alone. It is not a substitute for good all-round security practices. Email accounts are especially exposed to phishing and malware, and the irony is that nobody has to get into your account to threaten you this way: they simply send an email.

That’s why accounts that offer other protections against email threats, particularly anti-spam and anti-phishing filters, are also a wise investment. If an email carrying a socially engineered trap or malware never reaches your inbox, the biggest risk to your safety never gets its chance. Activate 2FA on your account today, and if you find your provider doesn’t offer it, consider switching to one that does.

Frequently asked questions

2FA is short for two-factor authentication. The most common method adds an extra layer of security to logins by combining something you know (your username and password) with something in your possession (most commonly a smartphone or a hardware key). A stolen password alone is then not enough, and a code or prompt you didn’t ask for is a warning that someone has it.

2FA verifies your identity when you access your account, so a password alone no longer gets an attacker in, and an unexpected prompt tells you someone is trying. Email accounts are particularly good targets for cybercriminals because they contain lots of sensitive data and can also act as a gateway to other accounts via the standard ‘forgotten password’ process, which relies heavily on the registered email address.

Many accounts, especially those designed for business users, include it as standard. It’s usually fairly easy to set up by going into security settings. It’s usually faster to do so if you already have an authenticator app or key that you use.

Yes, there are several kinds of 2FA. The most common utilizes a device like a smartphone or a U2F key (a separate device). Biometrics also count as a second factor for authentication, and the more antiquated security questions (like “mother’s maiden name”) technically count as well, but are rarely used these days due to the ease with which they can be guessed.

