About two-factor authentication
inboxy requires three pieces of authentication material before your account is usable: a passkey, an authenticator app (TOTP), and a set of single-use recovery codes. You set them up once, right after signup, in about a minute.
This is non-negotiable. There's no "skip for now" link and no opt-out for paid accounts.
Why mandatory, not optional
Your inboxy mailbox is, by design, a high-value target. It receives password-reset emails, login links, and one-time codes for every third-party service you front with an @inboxy.net alias. An attacker who takes over your inboxy account can pivot into all of them.
We don't run a "reset by email" path — there's no email to reset to. The only practical defence is to make initial account takeover hard, and we'd rather force the small one-time setup cost than let people leave themselves exposed.
What each factor does
Passkey (WebAuthn)
A WebAuthn credential whose private key lives in an authenticator: Touch ID, Face ID, Windows Hello, a hardware key like a YubiKey, or your phone's secure enclave. The private key never leaves your authenticator (or, for platform passkeys, your platform's own synced keychain); inboxy only ever holds the public key, so nothing on our side can be phished or replayed. Used as the primary sign-in path and as a step-up factor for sensitive actions.
Authenticator app (TOTP)
A 6-digit time-based code from any RFC 6238 authenticator: 1Password, Bitwarden, Aegis, Authy, Google Authenticator, etc. Used as a fallback sign-in factor when your passkey isn't available (lost phone, new laptop) and as an alternative step-up factor.
Recovery codes
Ten single-use codes generated at signup. Used when both your passkey and TOTP are unreachable — typically because you've replaced the device that held them. See Account recovery for the full story.
How sign-in actually works
- Go to /login, click Sign in with passkey, approve the prompt. Done; you're in.
- If you can't use the passkey (different device, lost device), request a sign-in link by email from the same page. The link drops you onto a step-up page where you complete the second factor (TOTP, passkey, or a recovery code) to finish the session.
Sign-in links alone aren't enough. The link proves you control the email; the second factor proves it's still you.
Step-up: re-verification for sensitive actions
Already signed in? We still re-prompt for a second factor before:
- Minting or retiring an API key
- Retiring an @inboxy.net address
- Deleting your account
- Removing a passkey, removing TOTP, or regenerating recovery codes
- Approving an OAuth consent for an MCP client
The prompt has a 5-minute freshness window. If you've completed a step-up in the last 5 minutes, subsequent sensitive actions don't re-prompt — bulk-retire ten addresses without ten challenges. After 5 minutes the next sensitive action prompts again.
This is independent of session lifetime. A 30-day session that lets you read your inbox doesn't let you delete your account without proving you're still at the keyboard.
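The freshness window and session lifetime above are two separate checks, and the following added example shows how they combine. It is illustrative code, not inboxy's implementation: the action names, the `Session` shape and the in-memory timestamps are assumptions, and the scenario timestamps are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Tuple

STEP_UP_FRESHNESS = 5 * 60            # the page's 5-minute window, in seconds
SESSION_LIFETIME = 30 * 24 * 60 * 60  # the 30-day session the page mentions

# Assumed action identifiers; the page lists the actions, not their names.
SENSITIVE_ACTIONS = frozenset({
    "api_key.mint", "api_key.retire", "address.retire", "account.delete",
    "passkey.remove", "totp.remove", "recovery_codes.regenerate", "oauth.consent",
})


@dataclass
class Session:
    user_id: str
    created_at: int                        # unix seconds
    last_step_up_at: Optional[int] = None  # set only by a completed second-factor check


class SessionExpired(Exception):
    pass


class StepUpRequired(Exception):
    pass


def session_is_live(session: Session, now: int) -> bool:
    return 0 <= now - session.created_at < SESSION_LIFETIME


def step_up_is_fresh(session: Session, now: int) -> bool:
    """True if a second factor was completed within the freshness window.
    A future timestamp counts as stale, so clock skew can't extend the window."""
    if session.last_step_up_at is None:
        return False
    return 0 <= now - session.last_step_up_at < STEP_UP_FRESHNESS


def authorize(session: Session, action: str, now: int) -> None:
    """Gate one action. A live session alone never unlocks a sensitive action;
    the step-up timestamp is tied to the session, so a hijacked cookie only
    buys what the attacker can do without a second factor."""
    if not session_is_live(session, now):
        raise SessionExpired(session.user_id)
    if action in SENSITIVE_ACTIONS and not step_up_is_fresh(session, now):
        raise StepUpRequired(action)


def perform(session: Session, action: str, now: int,
            complete_second_factor: Callable[[int], bool]) -> Tuple[bool, bool]:
    """Run one action, challenging only when authorize() demands it.
    Returns (performed, challenged)."""
    try:
        authorize(session, action, now)
        return True, False
    except StepUpRequired:
        if not complete_second_factor(now):   # user failed or abandoned the prompt
            return False, True
        session.last_step_up_at = now         # fresh for the next 5 minutes
        authorize(session, action, now)
        return True, True


def count_challenges(session: Session, timeline: Iterable[Tuple[int, str]]) -> int:
    """Constructed scenario helper: replay (timestamp, action) pairs with a user
    who always completes the second factor, and count the prompts they saw."""
    return sum(perform(session, action, t, lambda _: True)[1] for t, action in timeline)
```

Retiring ten addresses within a minute costs one challenge; the eleventh sensitive action five minutes after that step-up prompts again, and an abandoned prompt leaves `last_step_up_at` unset so nothing is performed.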
Where to manage them
Account → Security (/account/security):
- Add or remove passkeys (multiple supported — register every device you use)
- Re-enrol TOTP (rotates the shared secret)
- Regenerate recovery codes (invalidates the old set)
Every change here requires a fresh step-up.
Common questions
Can I use just a passkey? No. If the only device holding it is lost or replaced, the account goes with it. The TOTP fallback exists to keep that recoverable.
Can I use just TOTP? No. TOTP alone is phishable; the passkey provides phish-resistant primary auth.
Can I register multiple passkeys? Yes — and we recommend it. Register the phone and the laptop. Each is a separate credential; losing one doesn't lose the account.
What if I lose everything? See Account recovery → Lost everything. There's no support backdoor — that's the security model, not an oversight.
Does this slow me down day-to-day? Reading mail, listing addresses, configuring settings — no step-up. The friction is only on actions that can damage you if an attacker hijacks an open session.
Still need help? support@inboxy.net