Before reading this page, we strongly recommend you read the overview of our Account Security services.

At Runbox, ensuring that our customers understand how our services can work best for them is very important to us. This page contains some further notes that we hope will allow you to make the best use of Two-Factor Authentication and Application Passwords (App Passwords) for your particular situation.

Two-Factor Authentication (2FA)

Quick notes:

  • You need to generate a Timed One Time Password (TOTP) key, or a set of One Time Passwords (OTPs) before you can activate the 2FA service at the top of the page.
  • When you activate 2FA your usual account password will no longer work for IMAP, POP, SMTP, Cal/CardDAV or FTP services and you will need App Passwords for those.
  • If you want to use the same TOTP key on more than one device, make sure that you write it down or copy it somewhere before activating it as we don’t show you the key again for security reasons. We recommend you delete your copy of the key as soon as you can so that it can’t be compromised.
  • The 2FA service can be turned on and off without having to generate a new TOTP key or set of OTPs. This allows you to easily use 2FA when you need it, and turn it off when you don’t.

Application Specific Passwords (App Passwords)

Quick notes:

  • Unlike some non-Runbox services, App Passwords can with used with or without 2FA activated.
  • If you activate App Passwords your usual account password will not work for IMAP, POP, SMTP, Cal/CardDAV or FTP services.
  • Despite their name, App Passwords are not specific to an application/program and any password can be used with any of the services at any time. They get their name from the fact it was envisaged that you would use a different password for each app/program you use, but you do not need to use them this way. In fact, in many cases (for convenience) it makes more sense to use one password per device and use the same password on that device for all Runbox services.
  • Once generated, App Passwords can be turned on/off individually or collectively. You can also permanently delete a password.
  • Passwords are generated by us to ensure they are long and complex. We do not show you the password once it is saved to encourage you to use a different password in different places. However, as noted above you may use the same App Password in as many apps and devices you like, it just isn’t recommended that you do this.
  • You cannot log in to the webmail with your App Passwords.