What is two-factor login?
Two factor login requires that you in addition to username and password also suply an additional code from an Authenticator App on your mobile phone. This provides an enhanced security since even if an attacker might be able to guess your password, they would not also be in physical posession of your mobile phone.
The Authenticator App produces one-time codes that are only valid for 30 seconds. Then a new code is displayed on the App.
There are several Apps on the market that can be used. The App must implement TOTP (Time-based One-Time Password) security tokens from RFC6238. One free App which is widely used is “Google Authenticator” which is available for both Androids and iPhones. For Windows phones you can for example use the “Authenticator” App.
1) To enable two factor login, you must first have an Authenticator App installed.
2) Then in your Authenticator App select to create a new entry.
3) Log in to your SecureMailbox account using the full version of SecureMailbox (i.e. not the mobile version which does not have all admin capabilities available.)
4) Open your “Account settings” and select the “ID control” tab. Here indicate that you have installed an Authenticator App.
5) Now you are required to authenticate this action by entering a control code sent to your mobile phone.
6) Then a QR code is shown in SecureMailbox with a “secret” that your Authenticator App needs. You can either scan the QR code, or manually type in the secret code.
7) To validate that the process has worked you complete the setup by entering a code from your Authenticator App in SecureMailbox.
8) Now you are almost done. Two-factor login is set up and ready. But, if you loose your phone with your Authenticator App you are permanently locked out from your account unless you have configured a backup phone, or printed some one-time recovery codes. Do so right away if you have not already!
You can read more about how to enable Google Authenticator on the Google help page.
NOTE: It is important that the clock on your phone is correct. The code generation is depending on an accurate time.
Legally correct communication, what does this mean?
SecureMailbox is the first servcie that has been implemented according to the new possibilities to handle all collaboration legally correct in an App. By combining encryption, storage, strong sender authentication of the receiver as well as laws in the right way, the service can help any user or 3rd party App developer to handle classified data, bank secrecy, patient data and personal privacy laws all over the world. SecureMailbox is operating out of Sweden where the constitution provides one of the strongest legal protections in the world of personal privacy.
New! Security Audit
The requirements for this security audit have been assembled to address a combination of common technical issues in evaluating a cloud service. In particular concerns addressed relate to topics brought forward by personal data and patient data privacy legislation such as the EU Data Protection Directive (officially Directive 95/46/EC), the Swedish Personal Data Act (PUL) and Patient Data Act (PDL). In addition, general requirements for security and accessibility were also added.
Is SecureMailbox secured from the OpenSSL Heartbleed bug?
In the beginning of April 2014 a very serious vulnerability was disclosed in the mechanism that is supposed to allow you to connect securely on the Internet to banks, authorities, e-mail providers etc. Our site is not vulnerable to this issue. In addition, since 2013 we also use something called “Perfect Forward Secrecy” to even further secure connections to the SecureMailbox service.
What languages are available in SecureMailbox?
SecureMailbox is built on a multi-language platform, which means that it is easy to add new languages. Today there is English (default), and Swedish. Soon we will add German, French and Spanish.
How secure is SecureMailbox?
Encrypted communications and encrypted storage.
All messages and attachments in SecureMailbox are encrypted with a strong symmetric encryption. In addition SecureMailbox uses a Private Key Infrastructure, to keep individual message keys encrypted. All users in SecureMailbox are assigned their own Private and Public keys to ensure ONLY the intended user is able to read a message. All communication to and from the service is encrypted with HTTPS/SSL using industry standard Extended Validation, EV, SSL certificates from Symantec. EV certificates help you identify that the web site you are communicating with is really the site you want to be at. In some web browsers this is indicated by a green URL address bar.
More about Extended Validation, EV, certificates can be found here: http://en.wikipedia.org/wiki/Extended_Validation_Certificate
SecureMailbox is not exposed to the OpenSSL Heartbleed vulnerability. SecureMailbox uses Perfect Forward Secrecy to even further make all networked communication very secure. In cryptography Perfect Forward Secrecy or PFS is a property of key-agreement protocols ensuring that a session key derived from a set of long-term keys cannot be compromised if one of the long-term keys is compromised in the future.
More about Perfect Forward Secrecy, PFS, can be found here: http://en.wikipedia.org/wiki/Perfect_forward_secrecy
Keeping you and your data safe IS our business.
Your data is YOUR data. SecureMailbox reserves NO rights to your messages. Our staff cannot read your messages, in contrast to standard e-mail providers where staff can, and have indeed been found doing so. In SecureMailbox your messages are strongly encrypted, and when you delete a message, and empty your trash, we write over the file and delete it. It’s gone.
In addition you can use message send options such as “
Multifactor identification (strong authentication) is used to ensure you are communicating with the intended person or company.
Triple redundancy and availability.
Your data is always immediately stored with triple redundancy in three separate datacenters. The data centers even have different electricity providers. Ensuring that even if a whole datacenter would go away, your data is still there and the service is still available.
SecureMailbox keeps the encrypted data on servers hosted with Amazon AWS, one of the largest and most secure hosting services in the world. Amazon/SecureMailbox uses multiple layers of operational and physical security to ensure the integrity and safety of your data. AWS is compliant with various certifications and third-party attestations, these include:
- SAS70 Type II. This report includes detailed controls AWS operates along with an independent auditor opinion about the effective operation of those controls.
- PCI DSS Level 1. AWS has been independently validated to comply with the PCI Data Security Standard as a shared host service provider.
- ISO 27001. AWS has achieved ISO 27001 certification of the Information Security Management System (ISMS) covering infrastructure, data centers, and services.
- FISMA. AWS enables government agency customers to achieve and sustain compliance with the Federal Information Security Management Act (FISMA).
SecureMailbox follows the guidelines as issued by the U.S. Department of Commerce regarding collection, use, transfer and conservation of personal data from the European Union, European Economic Area and Switzerland. Additionally, customers have built healthcare applications compliant with HIPPA’s Security and Privacy Rules on AWS.
Can anyone use SecureMailbox?
Yes, the only thing you need is a valid e-mail address and a mobile phone that can receive text messages (with security access codes). Possibly you might need to update/change your browser. See the FAQ section “Which browsers are supported?”. No other software downloads or technical knowledge are required. SecureMailbox offers free secure communication for all e-mail users around the world, where you only pay if you want to use add-on options or upgrade to our premium services.
The e-mail address you use must exist and not bounce (refuse) notifications sent to it.
Do I have to change e-mail address?
No, SecureMailbox isn’t an e-mail provider or into e-mail hosting. SecureMailbox just protects your messages with the most secure encryption technology available on the Internet. All you have to do is sign up and send your most important messages using your account.
You sign up using your existing e-mail address. The e-mail address must exist and not bounce (refuse) notifications sent to it.
What is the cost? Can I change or cancel my Plans at any time?
The basic SecureMailbox service is free for Personal use, but if you decide to use external services (like SMS text messages) or upgrade to our premium services you need to pay that through your account. You put in a small amount €3 or €10 or more, and the purchases you decide to do are then automatically withdrawn from that credit. For Pro, Business or Enterprise please look at our price list. All prices are published in your profile and you can cancel or change Plans at any time.
Is support included?
E-mail support is included and you can use the email@example.com address within the service. For Business and Enterprise customers we offer premium support. Contact firstname.lastname@example.org.
Which browsers are supported?
SecureMailbox supports the two last major versions of the largest browsers on the market (IE, Safari, Chrome, Firefox). Today we have stable users on:
– Chrome 46 and later
– Firefox 31 and later
– Internet Explorer 10 and later (IE9 limited functionality. Please do NOT use the unsecure IE8! If you have an old PC than can not upgrade IE, please install either Firefox or Chrome instead.)
– Safari 9 and later
On iPhone/iOS 6 and later, Android phones and touch pads, the Mobile specific edition of SecureMailbox is only supported on Safari and Chrome. Other browsers are not supported but may work using the non-mobile version of SecureMailbox.
What is being encrypted in the message that I send?
All data in SecureMailbox is encrypted. Both data about your messages as well as the messages are encrypted.
You do need to be aware of that message titles may be included in notifications sent thru standard email or SMS. This can be controlled by the receiver who can select to receive “neutral” notifications without the message titles included.
Where are my messages stored geographically?
Messages are by default stored within the EU, in Sweden.
Organization customers can elect storage in a different region. E.g. a German government entity may want local storage in Germany, or an American hospital may want US storage for their physicians.
Are messages transmitted through SecureMailbox legally binding?
SecureMailbox is a transmission platform, which sends messages confidentially and verifiable from e-mail address A to e-mail address B. SecureMailbox has no influence over the content of the message. Whether messages sent through SecureMailbox are legally binding depends on the content of the messages and cannot be generally answered or influenced by SecureMailbox. As long as the law or the will of the parties do not provide for formal regulations, the form of any agreements between parties are free and thus fundamentally possible verbally, by e-mail, or through certified documents that have been signed.
Please note, however, that the value of the proof for electronically concluded agreements may be subject to a court ruling in each individual case. The question of whether an electronic SMS receipt (Read notification) will be accepted into evidence by a judge is something that we cannot decide. As with normal registered mail, the receipt can be entered into evidence. In a dispute, the judge must decide whether the receipt provides sufficient proof.
Do I need to download any software?
As long as your browser is supported by SecureMailbox you do not need to download any software. See our FAQ section “Which browsers are supported?”.
Is it possible to get SecureMailbox customized?
Yes, SecureMailbox customization is available for Enterprise users. Both the application itself as well as messages can have a custom layout. Contact: email@example.com.
How can I see if someone read the secure message I’ve sent?
There are two ways to check this. The first is the color of the Sent message status in SecureMailbox:
Green: Your message has been read.
Yellow: Read by some of the recipients (but not all).
Red: Your message has not been read at all.
The other way to know when someone has read your message is to use the Send option called Read notification. With Read notification turned on for a message, you get a text notification (SMS) directly to your mobile phone when your message has been read.