Mailbox.org is a German email service that puts a strong focus on privacy and security. Among the features are full inbox encryption as well as minimal logging and retention of logs.
The service is not free but starts at €1 per month for 3 email aliases and 2 Gigabyte of online storage. A side-effect of this is that advertisement is not used by the service.
Mailbox.org introduced a set of new features recently. The first adds support for one-time passwords to the service. These passwords work only once before they are no longer valid. While you can always sign in with your main password, using a one-time password may make sense in certain situations, for instance when you are using a public computer or connect to a public network.
One-time passwords work in conjunction with YubiKeys which we have reviewed back in 2010 for the first time. So, whenever you want to sign in to your Mailbox account you connect the USB device to the computer to do so.
This however is only part of it. Mailbox.org has added a four-digit Pin to the process as well which you need to enter to complete the process. The idea here is that protection would be relatively weak if only the username and the one-time password of the Yubikey would be required. The pin adds another layer of protection to the process to improve security.
With the new feature enabled, you have three login options:
The system can only be used with Yubikeys ordered from Mailbox.org currently. The company stated in a blog post that it is working on a solution to add support for third-party Yubikeys as well.
The second change adds support for custom domains to the service. What is meant by that is that you can use Mailbox.org to create email addresses using domains that you own.
You do need to redirect the mail Namserver entries to Mailbox.org before you can do so though which means that you need to use the service for all email addresses of that domain.
Another restriction is that all email aliases from that domain will become available under the same Mailbox.org account. If that is not an issue, do the following to set it up:
Both changes make sense and improve the usability and security of the service, at least for some users. It is worth nothing that both features require improvements in the future to improve their appear. The Yubikey implementation for instance requires support for third-party Yubikeys while the custom domain feature should support multi-user email addresses for custom domains.
If you like our content, and would like to help, please consider making a contribution: