
Two-step verification

posted this on May 13, 2014, 13:19

What is two-step verification for Hushmail?

Two-step verification is a simple feature that asks for more than just your passphrase to sign in to your account from a device that we don’t recognize. It prevents unauthorized access to your Hushmail account by using a 2-stage process to authenticate your identity. The first step is to sign in using your username and passphrase and the second step is entering a verification code that we’ll send by text message to your mobile phone or to an alternate email address. You can also obtain a verification code using a smartphone app.

Why should I start using two-step verification?

Two-step verification is a new optional security feature for your Hushmail account that reduces the risk of a compromised passphrase being abused. It adds an extra layer of security that ensures an attacker will not be able to sign in from an unregistered device using your passphrase without also providing a verification code. 

How do I turn two-step verification on?

1. Sign in to your Hushmail account.

2. Go to the Preferences page by clicking the link in the upper right corner.

3. Select the Security tab.

4. To get started, click on the pencil icon to turn it on.

5. Follow the on-screen instructions.

Two-step verification is enabled now. How does it work?

The first time you sign in to your account after turning two-step verification on, you will be asked to enter a verification code, which will be sent via your method of choice. Once you enter the code, the device will be registered. Be mindful of the device you use, as it will now be a trusted device and in the future you will only use your passphrase to sign in when using that device. Any time you sign in from a device that isn’t trusted, you will be prompted to enter a new verification code to register that device, so that we recognize it in the future. 

What if I don’t have my phone with me and I can’t access my alternate email address to receive the verification code? 

When you turn on two-step verification, you also receive a backup verification code. We recommend you write it down and keep it in a safe place. You can use this backup verification code to gain access to your Hushmail account in case you have no means of receiving your verification code through your mobile phone or your alternate email address.


If you haven’t written down your backup verification code yet, you can find it again by going to the Security tab within the Preferences page. We strongly recommend that you keep your backup code safe and accessible, because if you ever lose access to your passphrase, your trusted devices, your alternate email address and your backup verification code, you will be locked out of your Hushmail account.

Can I turn two-step verification off?

Yes. If you no longer want to use two-step verification, go back to the Security tab on the Preferences page, select the pencil icon in the Two-step verification field and select Off from the drop-down menu. Once you do this, your list of trusted devices will be deleted, and if you ever turn two-step verification on again, you will have to register your devices again.
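
The sign-in flow described above, modeled as an added example (this is not Hushmail's code). The page does not say how a device is recognized; the random device token stored only as a digest, the 10-minute code lifetime, the reusable backup code and all names here are assumptions.

```python
import hashlib, hmac, secrets, time
CODE_TTL = 600  # assumed code lifetime in seconds; the page gives no figure

def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

class Account:
    def __init__(self, passphrase):
        self.salt = secrets.token_bytes(16)
        self.pass_hash = self._kdf(passphrase)
        self.two_step, self.backup_code, self.pending = False, None, None
        self.trusted = set()  # digests of device tokens, never the tokens themselves

    def _kdf(self, passphrase):
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self.salt, 100_000)

    def enable_two_step(self):
        self.two_step, self.backup_code = True, secrets.token_hex(8)
        return self.backup_code  # shown to the user to write down

    def disable_two_step(self):
        self.two_step, self.backup_code, self.pending = False, None, None
        self.trusted.clear()  # trusted-device list is deleted, as the page states

    def _code_ok(self, code, now):
        pending, self.pending = self.pending, None  # a sent code gets one attempt
        if pending and now <= pending[1] and hmac.compare_digest(code.encode(), pending[0].encode()):
            return True
        # Backup code stays reusable here (assumption; the page does not say).
        return bool(self.backup_code) and hmac.compare_digest(code.encode(), self.backup_code.encode())

    def sign_in(self, passphrase, device_token=None, code=None, now=None):
        """Return (status, device_token) with status ok / code_required / denied."""
        now = time.time() if now is None else now
        if not hmac.compare_digest(self._kdf(passphrase), self.pass_hash):
            return "denied", None
        if not self.two_step:
            return "ok", device_token
        if device_token and _digest(device_token) in self.trusted:
            return "ok", device_token  # trusted device: passphrase alone suffices
        if code is None:
            self.pending = (f"{secrets.randbelow(10**6):06d}", now + CODE_TTL)
            return "code_required", None  # code goes out by text, email or app
        if not self._code_ok(code, now):
            return "denied", None
        token = secrets.token_urlsafe(32)  # random token (assumed recognition method)
        self.trusted.add(_digest(token))   # this device is now registered
        return "ok", token
```

In this model a trusted device is whatever presents a registered token, which is why the article's advice to be mindful of the device you register matters.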



Dan Shumaker

I already use 2 factor authentication for another set of apps (email, etc.) and find the very minor inconvenience of entering the 2nd code reassuring. Kudos to Hushmail!

May 14, 2014, 11:17

If it becomes mandatory, I shall leave Hushmail for good.

May 17, 2014, 06:37
▼ The Tutor ▼

Nice to have extra security but was a tad suspicious when asked for another email address AND my mobile number. Maybe I'm paranoid!

May 18, 2014, 00:29
I see no real need for this, and as far as I'm concerned I don't need it. I don't think it is paranoia preferring NOT to give more information. I think the present service is excellent.
May 26, 2014, 13:37

could use it even if I wanted to, as by the time the verification text comes through, it has already expired.

May 27, 2014, 10:05
Blue Smurf


I turned it on but now I can't receive mail from the iPhone (using the Mail app).

Can I access my mail from any mail client (without doing it via web) from the iPhone?


May 28, 2014, 09:12

Can someone tell me, does this mean that if I forget my passphrase the back-up authentication code will allow me access to reset and get back into Hushmail? One of the instructions on Hushmail seems to hint at this.

May 31, 2014, 14:42

I don't like it! Seems to be an attempt to gather more info (email and phone #) rather than security. I use the same computer every time, yet it won't recognize the thing and asks for that VC. Sometimes it works, sometimes it doesn't.


June 2, 2014, 14:42

Based on which criteria does the system mark a computer as recognized? Isn't it possible to emulate them? I had 2FA on another mail account (text messages) and that account was accessed a couple of times by an unknown person. Until you can force the system to ask for second verification every time, you can't be certain it is working efficiently. Convenience and security; those are two different stories. J


June 2, 2014, 22:13

Thumbs DOWN for gathering more info

June 12, 2014, 03:09

Thumbs DOWN for gathering more info - x 2!!

June 12, 2014, 09:55

I think this is a great addition to security.  I use two factor login whenever I can.  Why go to all the effort to have encrypted email and then allow your account to be hacked?  Thanks a lot for doing this.  

June 27, 2014, 10:12

I don't always have my smartphone with me to get the text code, nor am I always able to check other emails on all devices. This 2nd layer is a good idea in some instances, but certainly not this one.

July 7, 2014, 06:53

You are giving me a bloody headache with all your rules and sign in bullshit. I thought I could get away from the awful gmail tonight, but I never want to use your site ever again. So sad you have to waste a good site on braindead rules. Are you all on weed?

July 8, 2014, 03:09

I tried signing up, but I don't have a mobile phone, so I will delete my account.

July 9, 2014, 02:41
IF THIS TURNS MANDATORY I AM OUT OF HERE TOO! I don't trust Hushmail anymore. When I write a new email and I select the recipients it gives me all the people that I have ever communicated with, even ones that are NOT IN MY CONTACTS. That means that Hushmail is saving a list of all the people that I contacted!!! Check it out for yourselves. We are being fooled and robbed! I am waiting for my subscription to end.
July 9, 2014, 06:21

According to the information on Hushmail, the two-step verification is optional. So those who don't want to use it don't have to.

July 9, 2014, 13:30

Nobody is forced to use it, it is free extra security.

July 16, 2014, 13:51
Yes, people here are paranoid. I have 25 years in this business and I can say with confidence that this opt-in feature enhances security. It's not foolproof but it's a good incremental improvement.
If you do not trust Hushmail to handle the extra info required, then simply don't opt in.
How secure is your home WiFi? Hushmail's Achilles heel is that its servers are in Canada where draconian laws force them to hand over info when presented with a warrant or court order.
I am considering switching to a Sweden-based service where privacy is taken seriously and the American and now Canadian Stasi can't get it.
July 20, 2014, 11:04
Donna Reynolds

matthew99, please advise info re: Sweden-based service, thanks

July 24, 2014, 06:08

That's why I came to Hushmail in the first place - to avoid more divulging of personal information. No thank you Hushmail - simple online anonymity is my right. I'll stop using this email service if it ever becomes an issue. - R. Goodchild

August 3, 2014, 09:50

I agree with other users that having to provide another email or my phone number is a breach of my privacy and defeats the purpose of using Hushmail (the purpose being staying as private as possible). This information is not necessary to protect my account. My long complicated passphrase is protection enough. I've been using email for about 20 years and none of my accounts have ever been hacked/abused. Hushmail is now acting like Yahoo and others in trying to extract more information from its users (even its language - "compromised passphrase being abused" reeks of manipulative alarmism). One can only think that the NSA/CSIS is behind this.

August 4, 2014, 10:14

It's a pretty simple solution to fix the privacy concerns: switch to Google Authenticator 2FA. It's used everywhere. Why not you, HUSHMAIL ADMIN?

August 5, 2014, 11:13
Alfred E. Neuman

I use the Tor browser bundle. Will I have to use a new code each time I use it since it uses a new ISP each time you log in?

August 11, 2014, 12:35
Dexter Ator

"a verification code that we’ll send by text message to your mobile phone or to an alternate email address"

Great, then the CIA, NSA, etc, will have the verification code. Those are about the only entities that would want to hack into my acct.

Really makes sense to send it by insecure email when one has hushmail.

August 12, 2014, 14:53
Jaqi C
Hushmail owners will you address the posted privacy concerns please? Thank you.
August 18, 2014, 07:05

We apologize if it was not made as clear as it could have been but this feature is entirely optional. It is up to you if you want to enable it or not.

August 19, 2014, 11:50
Topic is closed for comments