EmailDiscussions.com
Runbox Forum: @RB: Are you playing with 2FA? (http://www.emaildiscussions.com/showthread.php?t=72462)

gecko 2 Feb 2017 04:03 PM

@RB: Are you playing with 2FA?
 
I just got redirected to https://runbox.com/mail when trying to log in from the main page, along with a message that my session has expired.

Plus, I now see an options page "Account --> Account Security". However, it doesn't look right.

The login history on "Account --> Main Account" is gone.

Any updates would be much appreciated ;).

Best regards,
gecko

dbowdley 2 Feb 2017 05:09 PM

Yes, we have just deployed the latest version of the webmail. Some browsers seem to need the browser cache clearing, or a force reload of the page before they behave as expected.

If you continue to see problems please open a support ticket as it might be a specific combination of issues in your case causing problems.

adam1991 2 Feb 2017 07:25 PM

I too am getting the new "session expired" page, asking me to log in manually.

I've been doing autologin for years. This is the first time it's failed.

I did notice that the URL I was using was slightly different than what's listed today on the FAQ list in the support area; I changed it to what's current, but no luck.

I have submitted a support ticket.

dbowdley 2 Feb 2017 08:23 PM

We are working on the problem with auto-fill. Sorry for the inconvenience.

The logins are now shown under Account > Account Security. However, only a limited number are shown and we are going to add the option to show a specific time period.

gecko 2 Feb 2017 08:51 PM

Hello Dave,

Thanks for the update!

After a brief look at the new features, everything looks great and seems to work as it should.

One thing I noticed is that when 2FA is enabled, each login appears twice in the login history (maybe 1 line added when the password is recognised and 1 more when the correct OTP is entered?).

Not wanting to cavil about the brand new 2FA functionality, so please allow me one more comment: IMHO it would make sense to secure more settings pages with the need to enter the password (and probably a new OTP token), e.g. all the pages under "Account" as well as the "Webmail preferences" page. Alternatively, one could have the one "real" password which should only be used on trusted machines, giving full access to the account vs a combination of OTP & an OTP-specific password. When logging in with OTP, no settings are available.

A long time ago I was a FM customer and I faintly remember that they disabled (or at least allowed disabling) access to all options when logging in with an OTP.

Don't get me wrong, these are just suggestions on how security could be improved even further. But the 2FA as it is now is a huge step forward. Thanks so much!

Best regards
gecko

dbowdley 2 Feb 2017 09:01 PM

Hello gecko,

Very happy to receive your suggestions, and I can pass those on for you. We do want to secure more of the pages so we can definitely look at what you have said.

Which of your logins are shown twice? Is it just the web logins or are any other service logins duplicated?

gecko 2 Feb 2017 09:19 PM

Quote:

Originally Posted by dbowdley (Post 599636)
Which of your logins are shown twice? Is it just the web logins or are any other service logins duplicated?

So far I've only tried Web logins and they show up twice.

dbowdley 2 Feb 2017 09:53 PM

OK. I have just checked this out and what you are seeing is the initial login, plus the 2FA login. This is normal as it shows both parts of the authentication process.

DigitalOrchard 3 Feb 2017 10:58 AM

Quote:

Originally Posted by gecko (Post 599637)
So far I've only tried Web logins and they show up twice.

Some services that implement 2FA do so in a way that makes browsers treat the 2FA code field as a password field, so auto-fill storage may kick in, and maybe you ended up saving that by mistake? Runbox's implementation suffered from this, at least initially. I didn't encounter the problem today when I logged in, though.

gecko 3 Feb 2017 04:12 PM

Quote:

Originally Posted by DigitalOrchard (Post 599667)
Some services that implement 2FA do so in a way that makes browsers treat the 2FA code field as a password field, so auto-fill storage may kick in, and maybe you ended up saving that by mistake?

Nope, autofill is not enabled here. If I understand Dave correctly, he confirmed my assumption that entering the correct password adds one entry to the login history and entering the correct OTP another.

dbowdley 3 Feb 2017 05:06 PM

Yes, there are effectively two steps in the authentication system.

Username/Password = "Unauthorised" but Password Correct
TOTP/OTP = "Authorised" and Password Correct

We are just showing both of these in the logs you see, and for a successful login both will show as "Success".
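The two-step record Dave describes above, as an added example that is not Runbox's code: a minimal password-then-TOTP login that writes one history line per step using the status and result words from his post ("Unauthorised"/"Authorised", "Success"/"Failure"), refuses a replayed code, and then audits that history for the line a user should actually care about, a correct password from an address that never completed the second factor. The account, passwords, IP addresses, timestamps and event fields are constructed for the demo and are assumptions, not Runbox's log format.

```python
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes      # raw shared secret; the user receives it Base32-encoded
    last_counter: int = -1  # last accepted TOTP step, so a used code cannot be replayed


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: RFC 4226 HOTP (HMAC-SHA1 + dynamic truncation) over the
    30-second time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


@dataclass
class LoginEvent:           # one history line per authentication step (assumed layout)
    ts: float
    username: str
    step: str               # "password" or "totp"
    status: str             # "Unauthorised" until the TOTP step succeeds, then "Authorised"
    result: str             # "Success" or "Failure" for this step
    ip: str


class Authenticator:
    STEP = 30               # TOTP time step in seconds

    def __init__(self, accounts):
        self.accounts = {a.username: a for a in accounts}
        self.history: list[LoginEvent] = []
        self.pending: dict[str, str] = {}   # one-time token -> user awaiting TOTP

    def login_password(self, username, password, ip, now):
        """Step 1. A correct password is logged but the session stays 'Unauthorised';
        the returned token only unlocks the TOTP step."""
        acct = self.accounts.get(username)
        ok = acct is not None and hmac.compare_digest(
            hash_password(password, acct.salt), acct.pw_hash)
        self.history.append(LoginEvent(now, username, "password", "Unauthorised",
                                       "Success" if ok else "Failure", ip))
        if not ok:
            return None
        token = secrets.token_urlsafe(16)
        self.pending[token] = username
        return token

    def login_totp(self, token, code, ip, now):
        """Step 2. Accept the current or previous step (clock drift) but never a
        step that was already used, so a phished or shoulder-surfed code cannot be replayed."""
        username = self.pending.pop(token, None)   # a failed TOTP means redoing step 1
        if username is None:
            return False
        acct = self.accounts[username]
        counter = int(now // self.STEP)
        ok = False
        for c in (counter, counter - 1):
            if c > acct.last_counter and hmac.compare_digest(totp(acct.totp_secret, c), code):
                ok, acct.last_counter = True, c
                break
        self.history.append(LoginEvent(now, username, "totp",
                                       "Authorised" if ok else "Unauthorised",
                                       "Success" if ok else "Failure", ip))
        return ok


def audit(history, window=120):
    """Flag password steps that succeeded but were never followed by a successful
    TOTP step for the same user from the same IP within `window` seconds: someone
    who knows the password but could not pass 2FA, i.e. the password should be rotated."""
    findings = []
    for i, ev in enumerate(history):
        if ev.step != "password" or ev.result != "Success":
            continue
        completed = any(
            later.username == ev.username and later.ip == ev.ip
            and later.step == "totp" and later.result == "Success"
            and ev.ts <= later.ts <= ev.ts + window
            for later in history[i + 1:])
        if not completed:
            findings.append((ev.username, ev.ip, ev.ts))
    return findings


def demo():
    """Constructed scenario: a clean login, then an attacker holding the password and
    a code captured from that login, then a wrong-password attempt."""
    salt, secret = secrets.token_bytes(16), secrets.token_bytes(20)
    acct = Account("gecko", salt, hash_password("correct horse battery staple", salt), secret)
    auth = Authenticator([acct])
    t0 = 1486018800.0   # constructed: 2 Feb 2017 07:00 UTC, on a 30-second step boundary
    code = totp(secret, int(t0 // 30))
    tok = auth.login_password("gecko", "correct horse battery staple", "198.51.100.7", t0)
    legit = auth.login_totp(tok, code, "198.51.100.7", t0 + 12)   # two "Success" lines
    tok = auth.login_password("gecko", "correct horse battery staple", "203.0.113.9", t0 + 20)
    replay = auth.login_totp(tok, code, "203.0.113.9", t0 + 25)   # refused: step already used
    auth.login_password("gecko", "wrong password", "203.0.113.9", t0 + 700)
    return auth, legit, replay, audit(auth.history)
```

Reading the history this way turns the "every login appears twice" observation into a check: a pair of Success lines is a normal login, while a Success password line with no matching Authorised line is the event that tells you the password itself is compromised even though the account was not.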

