
Setting Up 2FA

Step-by-step guide to enabling two-factor authentication on your Opterius Mail account.

Last updated 2026-04-12

    Two-factor authentication (2FA) adds an extra layer of security to your account. After enabling it, you will need your password and a time-based one-time code from your authenticator app to log in. Even if someone learns your password, they cannot access your account without your device.

    What You Need

    A TOTP-compatible authenticator app on your smartphone or computer. Any of the following work:

    • Google Authenticator (iOS / Android)
    • Authy (iOS / Android / Desktop)
    • Microsoft Authenticator (iOS / Android)
    • 1Password (iOS / Android / Desktop)
    • Bitwarden (iOS / Android / Desktop)
    • Aegis (Android, open source)
    • Raivo (iOS, open source)
    • Any other app that supports RFC 6238 TOTP

    All of these apps are interchangeable — the underlying standard is the same. Choose whichever you already use or prefer.

    Enabling 2FA

    1. Log in to Opterius Mail.
    2. Go to Settings → Security.
    3. Click Enable Two-Factor Authentication.
    4. A QR code is displayed on screen.

    Step 1: Scan the QR Code

    Open your authenticator app and add a new account:

    • Google Authenticator: Tap +, then Scan a QR code.
    • Authy: Tap +, then Scan QR Code.
    • 1Password: Open a vault item or create a new one → Add a One-Time Password field → scan.
    • Bitwarden: Edit a vault item → Add a TOTP key field → tap the camera icon.

    Point your phone's camera at the QR code shown on screen. The app will add Opterius Mail as an account and immediately begin generating 6-digit codes that rotate every 30 seconds.

    Step 2: Enter the Manual Key (Alternative)

    If you cannot scan the QR code (e.g. you are using a desktop authenticator app that does not have camera access), click "Can't scan? Enter code manually" below the QR code. Opterius Mail will show you a text string (the TOTP secret key) that you can type into your authenticator app's manual entry field.

    Step 3: Confirm Setup

    Below the QR code, enter the current 6-digit code from your authenticator app into the confirmation field. This verifies that your app is correctly synced.

    Click Confirm and enable 2FA.

    If the code is accepted, 2FA is now active on your account. If you see an error ("Invalid code"), wait for the code to rotate (up to 30 seconds) and try the next code.

    Recovery Codes

    Immediately after enabling 2FA, Opterius Mail displays 8 recovery codes. These are one-time-use codes you can use to log in if you lose access to your authenticator app.

    Save your recovery codes now. This is the only time they are displayed in full. Store them somewhere safe:

    • Print them and keep them in a secure location.
    • Save them in a password manager (1Password, Bitwarden, etc.).
    • Write them down and keep them somewhere safe.

    Each recovery code looks like: XXXX-XXXX-XXXX (a 12-character alphanumeric code in groups of 4).

    You can view your remaining recovery codes at any time by going to Settings → Security → Two-Factor Authentication → View recovery codes. Each code that has been used is shown as struck through.

    See Recovery Codes for full details on using and regenerating them.

    Logging In With 2FA

    After 2FA is enabled, the login process changes:

    1. Enter your email address and password as normal. Click Sign in.
    2. A second screen appears: "Enter your two-factor authentication code".
    3. Open your authenticator app and find the Opterius Mail entry.
    4. Enter the current 6-digit code (it rotates every 30 seconds — make sure you enter it before it expires).
    5. Click Verify.

    You are logged in. If the code has expired before you submit it, wait for the next code and try again.

    Technical Details

    Opterius Mail uses the pragmarx/google2fa-laravel package to implement TOTP as specified in RFC 6238. Key technical notes:

    • The TOTP secret is stored in the user_two_factor table in the database.
    • The secret is not stored in the mail_accounts or any IMAP-related table — it is completely separate from your IMAP credentials.
    • Your IMAP password is never stored in Opterius Mail's database. IMAP remains the primary authentication source.
    • 2FA adds a second factor after IMAP auth succeeds. If your IMAP password is wrong, you will never reach the 2FA screen.
    • Opterius Mail uses a 30-second time window and allows ±1 code window for clock skew (so codes up to 30 seconds old or early are accepted).
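
    The 30-second step and ±1 window described above, as an added example that is not Opterius Mail's code or the pragmarx/google2fa code: a standard-library RFC 6238 verifier that reports which time step a submitted code matched. It assumes the RFC 6238 defaults the page does not state (HMAC-SHA1, Base32 secret); totp_at, verify and SAMPLE_SECRET are hypothetical names, and the secret is the public RFC test key, not a real account key.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code (from the page)
DIGITS = 6   # code length (from the page)
WINDOW = 1   # +/-1 step tolerated for clock skew (from the page)


def totp_at(secret_b32: str, counter: int) -> str:
    """RFC 6238 code for one time step (counter = unix_time // STEP)."""
    s = secret_b32.replace(" ", "").upper()
    key = base64.b32decode(s + "=" * (-len(s) % 8))  # manual keys are often unpadded
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = digest[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", digest[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32: str, code: str, unix_time: int, window: int = WINDOW):
    """Return the step offset that matched (-1, 0 or +1), or None."""
    if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
        return None
    now = unix_time // STEP
    matched = None
    for offset in range(-window, window + 1):
        if now + offset < 0:
            continue
        # Constant-time comparison; no early exit, so timing does not depend on the offset.
        if hmac.compare_digest(totp_at(secret_b32, now + offset), code):
            matched = offset
    return matched


# Constructed sample secret: the RFC 4226/6238 test key, Base32-encoded.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    code = totp_at(SAMPLE_SECRET, 59 // STEP)  # code shown by the app at t=59
    for server_time in (29, 59, 60, 89, 90):
        print(server_time, code, verify(SAMPLE_SECRET, code, server_time))
```

    In this run the code generated at t=59 is accepted while the server clock reads anything from the previous step through the next one, and is rejected from t=90 onward.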