Security

Keep your Tobava Mail account secure with two-step verification, PGP encryption, and more.

Two-step verification (TOTP)

Two-step verification adds a second layer of protection to your account. After entering your password, you must enter a 6-digit code from an authenticator app — so even if someone knows your password, they cannot sign in without your phone.

Setting up two-step verification

  1. Go to Settings → Password & Security
  2. Under Two-step verification, click Set up authenticator app
  3. Open your authenticator app (Google Authenticator, Authy, Microsoft Authenticator, etc.)
  4. Scan the QR code shown on screen
  5. Enter the 6-digit code from your app to confirm setup

Signing in with two-step verification

  1. Enter your email address and password as normal
  2. When prompted, open your authenticator app
  3. Enter the current 6-digit code (codes refresh every 30 seconds)
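How the 6-digit, 30-second code is derived and checked, as an added example that is not Tobava Mail's own code. It assumes standard RFC 6238 TOTP with HMAC-SHA-1 (the default in the authenticator apps listed above). The secret is the RFC 6238 test key, and the one-step clock-drift window and replay check are illustrative server-side choices.

```python
import base64
import hashlib
import hmac
import struct
import time

PERIOD = 30  # seconds each code is valid for (from this page)
DIGITS = 6   # code length (from this page)

# Constructed sample secret: the RFC 6238 test key, base32-encoded the way
# an enrollment QR code carries it. Not a real account secret.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32, at=None, period=PERIOD, digits=DIGITS):
    """Return the RFC 6238 code for the time step containing `at` (Unix seconds)."""
    cleaned = secret_b32.upper().replace(" ", "")
    key = base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))
    counter = int((time.time() if at is None else at) // period)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): the low nibble of the last byte picks
    # a 4-byte window; the top bit is masked off to get a 31-bit integer.
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, at=None, drift_steps=1, last_used_step=-1):
    """Return the matching time step, or None if the code is rejected.

    Accepts codes from +/- drift_steps around the current step to absorb
    clock skew, and refuses any step at or before last_used_step so a code
    that was already accepted cannot be replayed.
    """
    now = time.time() if at is None else at
    current = int(now // PERIOD)
    for step in range(max(0, current - drift_steps), current + drift_steps + 1):
        if step <= last_used_step:
            continue
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(totp(secret_b32, step * PERIOD), submitted):
            return step
    return None


if __name__ == "__main__":
    print("current code:", totp(SAMPLE_SECRET))
```

Storing the returned step as `last_used_step` after a successful sign-in is what makes each code single-use within its validity window.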

Disabling two-step verification

  1. Go to Settings → Password & Security → Two-step verification
  2. Click Disable
  3. Enter the current code from your authenticator app to confirm

If you lose access to your authenticator app and don't have a recovery email set up, you may be permanently locked out of your account. Always configure a recovery email before enabling 2FA.

PGP encryption

Tobava Mail supports PGP (Pretty Good Privacy) end-to-end encryption. When both sender and recipient have PGP enabled, message content is encrypted so only the intended recipient can read it — not even Tobava Mail servers can access the content.

Enabling PGP

  1. Go to Settings → Privacy & Encryption → PGP Keys
  2. Click Generate PGP keys — a public/private key pair is created
  3. Your public key is automatically shared with other Tobava Mail users
  4. When composing an email to a recipient who also has PGP, the message is encrypted automatically

Importing an existing PGP key

If you already have a PGP key pair from another mail client, you can import it:

  1. Go to Settings → Privacy & Encryption → PGP Keys
  2. Click Import key
  3. Paste or upload your ASCII-armored public key

The lock icon in the compose toolbar shows whether an email will be sent encrypted. Click it to toggle encryption on or off for a specific message.

Strong passwords

A strong password is your first line of defence. Tobava Mail recommends:

The compose window shows a password strength indicator as you type your password when creating an account or changing it.

Account recovery

Set up a recovery email to regain access if you forget your password or lose your authenticator app.

  1. Go to Settings → Password & Security → Recovery email
  2. Enter a recovery email address (ideally at a different provider)
  3. Click Save

Use an email address you control independently of Tobava Mail — Gmail, Outlook, or Yahoo — so you can always receive recovery messages.

Resetting your password

If you've forgotten your password:

  1. On the login page, click Forgot password?
  2. Enter your Tobava Mail address
  3. If you have two-step verification enabled, you'll be asked to verify with your authenticator app
  4. Otherwise, a reset token is generated — use it to set a new password

Password reset tokens expire after 1 hour. If your token expires, start the reset process again.

Active sessions

You can review and revoke active sessions from Settings → Password & Security → Active sessions. This shows:

If you see a session you don't recognise, click Sign out on that session immediately and change your password.

Phishing awareness

Phishing emails impersonate trusted senders to trick you into clicking malicious links or revealing your password. Signs of phishing:

Tobava Mail will never ask for your password via email. If you receive a suspicious email, click ⋯ → Report phishing to alert our security team.