← Help

Why we ask for three sign-in factors

A passkey, an authenticator app, and ten one-time recovery codes. Setting them up takes about a minute, once, right after signup. There's no "skip for now" — and here's why it's worth that minute.

The short version

Your inboxy mailbox is the front door to every account you front with an alias. Password resets, login codes, verification emails — they all land here. If someone took over your inboxy, they could pivot into everything behind it.

We don't run a "reset by email" button. There's no email to reset to. The only real defence is to make the front door hard to kick in — and that's what these three factors do, together. A small one-off cost up front, peace of mind forever after.

What each factor does

Passkey (WebAuthn)

A device-bound credential — Touch ID, Face ID, Windows Hello, a hardware key like a YubiKey, or your phone's secure enclave. The signing key never leaves the device. Used as the primary sign-in path and as a step-up factor for sensitive actions.

Authenticator app (TOTP)

A 6-digit time-based code from any RFC 6238 authenticator: 1Password, Bitwarden, Aegis, Authy, Google Authenticator, etc. Used as a fallback sign-in factor when your passkey isn't available (lost phone, new laptop) and as an alternative step-up factor.

Recovery codes

Ten single-use codes generated at signup. Used when both your passkey and TOTP are unreachable — typically because you've replaced the device that held them. See Account recovery for the full story.

How sign-in actually works

  1. Go to /login, click Sign in with passkey, approve the prompt. Done — you're in.
  2. If you can't use the passkey (different device, lost device), email a sign-in link from the same page. The link drops you onto a step-up page where you complete the second factor (TOTP or passkey or recovery code) to finish the session.

Sign-in links alone aren't enough. The link proves you control the email; the second factor proves it's still you.

Step-up: re-verification for sensitive actions

Already signed in? We still re-prompt for a second factor before:

  • Minting or retiring an API key
  • Retiring an @inboxy.net address
  • Deleting your account
  • Removing a passkey, removing TOTP, or regenerating recovery codes
  • Approving an OAuth consent for an MCP client

The prompt has a 5-minute freshness window. If you've completed a step-up in the last 5 minutes, subsequent sensitive actions don't re-prompt — bulk-retire ten addresses without ten challenges. After 5 minutes the next sensitive action prompts again.

This is independent of session lifetime. A 30-day session that lets you read your inbox doesn't let you delete your account without proving you're still at the keyboard.

Where to manage them

Account → Security (/account/security):

  • Add or remove passkeys (multiple supported — register every device you use)
  • Re-enrol TOTP (rotates the shared secret)
  • Regenerate recovery codes (invalidates the old set)

Every change here requires a fresh step-up.

Common questions

Can I use just a passkey? No. Lose the device, lose the account. The TOTP fallback exists to keep that recoverable.

Can I use just TOTP? No. TOTP alone is phishable; the passkey provides phish-resistant primary auth.

Can I register multiple passkeys? Yes — and we recommend it. Register the phone and the laptop. Each is a separate credential; losing one doesn't lose the account.

What if I lose everything? See Account recovery → Lost everything. There's no support backdoor — that's the security model, not an oversight.

Does this slow me down day-to-day? Reading mail, listing addresses, configuring settings — no step-up. The friction is only on actions that can damage you if an attacker hijacks an open session.


Still need help? support@inboxy.net

Add Inboxy to your Home Screen

  1. Tap the Share button in Safari’s toolbar.
  2. Scroll and tap Add to Home Screen.
  3. Tap Add in the top-right corner.