> ## Documentation Index
> Fetch the complete documentation index at: https://docs.mail.ugmail.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Enable Two-Factor Authentication on UGMail

> Add an extra layer of protection to your UGMail account with two-factor authentication (2FA). Set up a TOTP authenticator app in your account settings.

Your UGMail account controls access to outbound mail infrastructure, API tokens, and domain credentials — making it a high-value target. Two-factor authentication (2FA) ensures that even if your password is leaked or guessed, an attacker still cannot sign in without the one-time code generated by your authenticator app. Enabling 2FA is the single most impactful step you can take to protect your account.

## Why 2FA Matters for Email Infrastructure

Email infrastructure accounts are particularly sensitive. An attacker who gains access can send mail as your domain, exfiltrate contact lists, revoke your own access, or abuse your sending reputation until your domain is blocklisted. A time-based one-time password (TOTP) second factor expires every 30 seconds, so stolen static credentials are not enough to get in.

## Enable Two-Factor Authentication

<Steps>
  <Step title="Sign in to your account">
    Go to [https://my.ugmail.co](https://my.ugmail.co) and sign in with your email address and password.
  </Step>

  <Step title="Open Security Settings">
    Click your account avatar in the top-right corner, then navigate to **Settings → Security**.
  </Step>

  <Step title="Start the 2FA setup">
    Click **Enable Two-Factor Authentication**. UGMail will generate a unique QR code and setup key for your account.
  </Step>

  <Step title="Scan the QR code">
    Open your authenticator app — [Google Authenticator](https://support.google.com/accounts/answer/1066447), [Authy](https://authy.com/), [1Password](https://1password.com/), or any TOTP-compatible app — and scan the QR code displayed on screen. If you cannot scan the code, tap **Enter key manually** in your app and type the setup key shown below the QR code.
  </Step>

  <Step title="Confirm with a one-time code">
    Enter the current **6-digit code** from your authenticator app into the confirmation field and click **Verify**. This confirms that your app is correctly synced before 2FA is activated.
  </Step>

  <Step title="Save your backup codes">
    UGMail will display a set of single-use backup codes. Copy them and store them somewhere secure — a password manager, an encrypted note, or printed and kept offline. You will need one of these codes if you ever lose access to your authenticator app.
  </Step>
</Steps>

<Warning>
  Backup codes are shown **only once**. If you lose both your authenticator app and your backup codes, you will be locked out of your account and will need to contact UGMail support to recover access. Store backup codes in at least two secure, separate locations.
</Warning>

## App Passwords

### What Are App Passwords?

App passwords are separate credentials you create for a specific client or integration — an SMTP relay script, a mail client, a CI/CD pipeline, or a third-party service. Each app password is independent: it grants access only to the service or protocol you configure it for, and you can revoke it at any time without touching your main account password or any other integration.

### Why Use App Passwords?

When you connect an external tool to UGMail's mail server (`mail.ugmail.co`) using SMTP, IMAP, or POP3, that tool needs a password. Giving it your main account password creates unnecessary risk:

* If the tool is compromised, your entire account is exposed.
* Rotating your main password to cut off the compromised tool also breaks every other integration using that password.

With app passwords, each integration has its own credential. Revoking one has no effect on the others.

### Create an App Password

1. Go to **Settings → Security → App Passwords** in your account at [my.ugmail.co](https://my.ugmail.co).
2. Click **Create New**, give the app password a descriptive label (for example, `transactional-mailer-prod` or `thunderbird-desktop`), and click **Generate**.
3. Copy the generated password immediately — it is shown only once.
4. In your mail client or integration, enter your UGMail email address as the username and the **app password** (not your main account password) as the password when configuring the SMTP, IMAP, or POP3 connection.

To revoke an app password, return to **Settings → Security → App Passwords**, find the entry by its label, and click **Revoke**.

<Tip>
  Use a unique app password for every programmatic SMTP or IMAP connection. Descriptive labels like `order-confirmations-service` or `legacy-crm-integration` make it easy to identify and revoke specific credentials without auditing your entire infrastructure.
</Tip>
