Profile and Security Info

1. Frequently Asked Questions
2. Two-Step Verification (2FA)

1.1. How can I set up push notifications?

Pobox supports push notifications from your email filters to apps that accept third-party notifications. (At the current time, this is Prowl and Pushover. If you are using a different app, please let us know.)

To set up a push notification, you need:

  • an app for your smart phone (get Prowl or Pushover)
  • the key from that app (in Prowl, this is called an API key; in Pushover, it is your User key)
  • a filter that should trigger the push notification

To set up push notifications, tell us your app and key in the Profile section.

Notices are sent for email filters you create with action "Push Notification".

1.2. How can I authorize a friend or family member to make account changes for me?

You can add Administrator access to your account. Administrators can make changes to your settings, but cannot pay bills or add other administrators. If you want to designate another Pobox customer to both administrate your account and pay your account bills, we can merge your account access to theirs, while maintaining two separate accounts. Contact Customer Support and indicate who you are merging accounts with.

1.3. Can I send my bill to another Pobox customer?

There are 2 methods for having another Pobox customer receive your bill.

If you would like another Pobox customer to pay for your account, invoiced separately from their own account, just go to your authorizations page and enter their email address as your billing contact. They will be sent an email asking them to confirm the request to pay for your account. Once they approve the request, your bills will be sent to them in the future.

If they would like the bill for your account to be included with their account on a single bill (instead of both accounts being billed separately), just send an email to Customer Support asking them to merge the bills for the two accounts.

1.4. This account forwards to several places. How can I target the bill?

You can specify which address on an account receives the invoices. This address will receive invoices and receipts. If this address is removed from the account, invoices will revert to going to all addresses on the account, so remember to reset it if the invoice address is removed.

1.5. Setting up a security question

Though there are problems with security questions, they are the best way we have of authorizing access to your account if you lose access to your forwarding address, or you have a Mailstore account. To avoid letting acquaintances gain access to your account, we do not use standard security questions like "What is your mother's maiden name?" Pobox allows you to set your own security question.

A good security question is one where it would be difficult to know, look up or guess the correct answer. A good security question should also have an answer that stays the same over time. So, "What street do I live on?" is a bad security question. "What was my bike's nickname when I was 7?" is a good security question.

1.6. What characters can I use in a Pobox password?

There are no characters prohibited from use in a Pobox password at this time. Passwords are limited to 72 characters in length, the maximum input length accepted by bcrypt, the password hashing algorithm we use to store them.

1.7. Tips on choosing a good password

It's incredibly important to keep your email password secure. Many banks, online retailers and other web services will allow you to reset your password by sending a message to your email account. So, if someone guesses your email password, it's possible for them to gain access to many of your other accounts through it. How can you keep your email password secure?

  1. Don't reuse passwords for your important accounts. A password is only as secure as the least secure site you use it on.

  2. Make it hard to guess. Again, a password is only as secure as you make it, and if you use the password "password" (which a very surprising number of people do), it's not going to be that hard to guess. Use a mix of letters and numbers, and make it at least 8 characters.

  3. Write it down. As I read somewhere once, "we've already developed a system for keeping important, private information secure. It's called a wallet."

  4. Get help. Programs like 1Password, which generate random passwords, keep track of them, and can auto-fill passwords across browsers, are really useful. Then, you only need to keep the password for 1Password very secure.

There are also lots of passwords you don't have to worry about. Unless you are worried about people masquerading as you, re-using the same password for message boards, photo sites or any other sites where you don't have a credit card on record is fine.

1.8. Tips on choosing a secure security question

This originally appeared on the Pobox Blog as Lock it down: Good (and bad) security questions!

In order to retrieve your Pobox password, we ask you to answer (among other things) the security question you set up when you created your account. But are you using a good question? Your account is only as secure as your security question.

Pobox lets you specify the question yourself, so you don't have to use the classic "What is your mother's maiden name?" Fully 10% of Pobox customers use some variant on this question -- but research indicates it's not a very safe way to secure your account. (Neither is "What is my pet's name?", if you ever talk about or post pictures of your pet online.)

Your security question and answer can be updated at any time, so go take a look at what yours is. If you can use any question, though, how do you pick a good one?

  1. The answer should be hard for someone else to find out. This is a security question, and knowing the answer to it provides access to your account. Like a good password, that means it should be hard for someone else to figure out. So, "What is my high school's mascot?" is not secure at all. "What was on the cover of my sticker book?" is much better (though using it would probably still have let my sisters break into my account).

  2. The answer should be hard to guess. Any question where the answer is a month, a color, a day of the week, a number under 10 or basically any other limited list of answers is a bad question. "What month did I get married?" only has 12 possible answers. Same with "What color is my bedroom?" Unless you know you'll always remember the paint was called "Deep Sea Diving", guessing "blue" would only take 5 or 6 tries, max.

  3. The answer shouldn't change over time. The Pobox default security question is, "What is your favorite book?" This is great for me -- my favorite book has been the same for 15 years, or as long as I've been using that as my security question! But, if your favorite book changes every few years, this might not be a good choice for you. Per question 2, "The Bible" would also be a bad answer to this question, because so many people use it. If the Bible is your favorite book, consider a different security question, or using your second favorite.

We have also had more than a few uncomfortable customer service situations over questions like, "Who is my lover?", with respondents having to go back to girlfriends 5 or 6 back to come up with the correct answer.

Another problem is that many, many customers find it difficult to answer their security question correctly. Also consider these factors when writing your question.

  1. Write the question so it's easy to always give the same answer. So, "Who was my kindergarten teacher?" could be Susan Jones, Ms. Jones, or Miss Jones. "What was my kindergarten teacher's last name?" only has one answer -- Jones.

  2. Give a real answer. Some customers will tell us, "Security questions aren't secure, so I just put in random letters and numbers as my answer!" That's great, if you're writing them down and keeping track of them, or using a password vault like 1Password. But, if you just hit whatever random keys you like, and don't keep track of them, we have no way to confirm you are who you say you are. If you forget or lose your password, and need to gain access to your account, you have basically made it impossible for us to grant it to you.

So, what are some questions that are hard to find out, hard to guess, unlikely to change over time, but easy to always type the same? A good list of questions is different for everyone, but try one of these real questions on for size!

  • Who was your first crush? (unless the answer is "my spouse")
  • Who knit your baby blanket? (unless the answer is "my mom")
  • What was your childhood stuffed animal's name?

Another good choice is something that wouldn't mean something to someone else, but makes sense to you. So, for instance, I have a piece of furniture in my house. It's not a cabinet, it's not a table, it's not a buffet or a curio cabinet. It's something in between. So, I call it Joe. For me, "What is the furniture with a name called?" would be a good question, though you probably shouldn't use it yourself. One of the best security questions I ever saw was "Who has skinny feet?" I'm sure the person who used it could answer that question in a second, but it would be very difficult to guess if you weren't them.

Even if you're 100% positive you used an awesome security question when you created your account, go look at yours now, and make sure you know the answer. If you are using an insecure security question, change yours today. Though no one likes to believe that someone would want to crack their account, it can and does happen. Be your own best first line of defense, and make sure your security questions and passwords are strong and secure.
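The three properties above (hard to find out, hard to guess, stable over time) and the two answer-entry rules can be enforced on the server side. The following is an added example, not Pobox's own code: it flags answers drawn from a tiny answer space (the 12-month or "blue" problem), normalizes case, punctuation and spacing so the customer can retype "Ms. JONES" as "ms jones", and stores the answer salted and slow-hashed like a password. The answer sets are constructed for illustration.

```python
import hashlib
import hmac
import os
import re
import unicodedata

# Constructed answer categories with a tiny answer space: a question whose answer lands in
# one of these can be brute-forced in a handful of tries, like "What month did I get married?"
SMALL_ANSWER_SETS = {
    "month": {"january", "february", "march", "april", "may", "june", "july",
              "august", "september", "october", "november", "december"},
    "weekday": {"monday", "tuesday", "wednesday", "thursday", "friday",
                "saturday", "sunday"},
    "color": {"red", "orange", "yellow", "green", "blue", "purple", "pink",
              "brown", "black", "white", "grey", "gray"},
    "single digit": {str(i) for i in range(10)},
}


def normalize_answer(answer: str) -> str:
    """Canonical form so the customer can retype the answer with different case,
    punctuation or spacing ("  Ms. JONES " and "ms jones" compare equal)."""
    text = unicodedata.normalize("NFKC", answer).casefold()
    text = re.sub(r"[^\w\s]", "", text)   # drop punctuation such as "." or "'"
    return " ".join(text.split())         # collapse runs of whitespace


def weak_answer_category(answer: str):
    """Name of the small answer set the answer belongs to, or None if not obviously weak."""
    canonical = normalize_answer(answer)
    for name, values in SMALL_ANSWER_SETS.items():
        if canonical in values:
            return name
    return None


def store_answer(answer: str, iterations: int = 200_000):
    """Hash the normalized answer with a random salt and a slow KDF, as a password would be
    stored, so a database leak does not expose answers in the clear. Returns (salt, digest)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode("utf-8"),
                                 salt, iterations)
    return salt, digest


def check_answer(stored, candidate: str, iterations: int = 200_000) -> bool:
    """Constant-time comparison of the candidate against the stored salted hash."""
    salt, digest = stored
    attempt = hashlib.pbkdf2_hmac("sha256", normalize_answer(candidate).encode("utf-8"),
                                  salt, iterations)
    return hmac.compare_digest(attempt, digest)


if __name__ == "__main__":
    # Constructed sample: the paint-name answer from the text versus the guessable "blue"
    for ans in ("Deep Sea Diving", "blue", "June", "Jones"):
        print(f"{ans!r}: weak category = {weak_answer_category(ans)}")
    record = store_answer("Deep Sea Diving")
    print(check_answer(record, "deep  sea diving"))   # same answer, different spacing
    print(check_answer(record, "blue"))
```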

1.9. How do you use my contact information?

We use your contact information for a variety of purposes, and we ask that you keep it up-to-date. Update your contact information now.

  • If there is an urgent problem with your account, we may call you.
  • If customer service needs to verify your account, this information is used in our multi-point verification.
  • If you submit a payment without enough information, we can match it to your account using your address from your check or envelope.

We do not use your contact information:

  • to make money. We will never sell, lease or share your personal contact information.
  • to send you ads or paper mailings. Pobox will only contact you via email.

1.10. How do I reset my password?

Changing your password when you are not logged in

In order to set a new password for your account, you can use the reset password page.

Once you enter your Pobox address and click "Submit", we'll send an email to your Contact Email address. This message will contain a link that you can follow to change the password for your account.

If you do not receive this email within 20 minutes or so, please check any Spam or Junk Mail folders where your ISP might have filtered the message. If it is not there, please contact us here at pobox@pobox.com.

If you want to send a password reset request to an address different from the forwarding address you have on file, please use our security form.

Changing your password when you are logged in

After logging into your account, you can change your password. You will have to re-enter your password before you can create a new one.

1.11. Where are password reset emails sent?

By default, all the forwarding addresses on your account get a password reset email when you request it. If you would like to add an additional address (which we recommend for any Mailstore customers who do not forward their mail), you can add one at the Password Recovery page.

If you have more than one forwarding address on your account, and would prefer that not every address receives a password reset link when you request one, you can also select which address receives them by targeting your administrative messages.


2.1. Instructions for setting up Two-Step Verification

Two-step verification provides a second layer of security to your email address. Below you can find instructions for how to set up two-step verification on your Pobox account. Please make sure you have downloaded an app that generates a 2FA token before proceeding.

1.) Log in to your Pobox account and navigate to "Profile & Security" on the right side of your screen.

2.) Click "Edit" next to "No SMS Lockout Codes" to set up your lockout methods, in case the device you use to set up two-step verification is lost or destroyed. This is important because Customer Service is not able to turn off two-step verification on a user's account. Enter your phone number in the first box and click "send" to have a text message containing your code sent to your phone. Next, enter the code from the text message in the box below your phone number and click "Set Up" to set up your SMS Lockout. After that, click "Show Codes" below the SMS Lockout Code section. You will see 10 unique lockout codes that you can use to access your account if you lose the device you set up two-step verification with. Please print out or store these lockout codes somewhere safe, where you can reach them if you get locked out of your Pobox account.

3.) In the Two-Step Verification section, click "Edit" next to "No Time-Based (TOTP) verification" to begin setting up two-step verification on your account.

4.) After clicking "Edit" you will be prompted to enter your Pobox account password.

5.) After entering your Pobox account password, you will see a button that reads "Display your QR Code". Click this button to display your QR code.

6.) After clicking "Display Your QR Code" a QR code will appear. Use the authenticator app you downloaded to scan this QR code so a token is generated. Once the token is generated, enter the token in "Step 2" and click "Submit".

7.) After clicking "Submit" you will be redirected to the SMS Lockout page to verify that you have set up your SMS lockout method and that you printed your lockout codes. If you see two green check marks, next to "Phone number for SMS Lockout Code" and "Lockout Codes", you have successfully configured two-step verification on your account.

8.) Once two-step verification is enabled on your account, if you use an email program like Outlook or Mac Mail you will have to set up an app-specific password to use in your mail client. You only need to configure this if you have a Mailstore account and use a mail client other than the included Webmail client, or if your email program sends mail through smtp.pobox.com. To configure your app-specific password, please visit App-Specific Password. App-specific passwords cannot be the same as your main account password. Once you've added the app-specific password, update your email programs to use the new password immediately.

If you have any problems or questions, feel free to contact customer service at pobox@pobox.com.


2.2. YubiKey set up instructions

To set up your account to use your YubiKey for two-step verification, please log in to your Pobox account.

Next, navigate to "Profile & Security" on the right side of your screen.

On the next screen, please click "Edit" next to "No YubiKey Verification".

After you click "Edit" you can add a description to the YubiKey that you're setting up. In the screenshot below you will see "Test YubiKey" in the description section. After you add a description, plug your YubiKey into a USB port on your computer and click inside the box that reads "Tap YubiKey now". Once you have clicked inside that box, tap your YubiKey to generate your token.

Once you have tapped your YubiKey, you should see the token of random characters appear automatically, and your changes should also be saved automatically. If it hasn't saved automatically, please click "Save Changes"; you should then see the screenshot below confirming that everything was set up correctly.

You have now successfully set up your YubiKey for use on your Pobox account.

Please be sure to print out your Lockout codes. Without them, if you lose your YubiKey, you will not be able to regain access to your account. To print out or store your lockout codes, please visit Lockout codes.

If you have any questions or problems, please contact us at pobox@pobox.com.


2.3. About two-step verification / two-factor authentication

Two-step verification (also known as two-factor authentication or 2FA) provides a second layer of security to your email address. In addition to requiring something you know (your password), it also requires something you have (generally, your phone or a hardware token). Requiring a second element, often called a token, helps protect you from a number of common methods of obtaining your password, such as a keystroke logger on a public terminal, someone gaining access to your network connection, or even just someone looking over your shoulder while you type your password. Unless the attacker also has access to your (constantly changing) second token, your password alone cannot be used to log in to your Pobox account and change your settings.

2.4. Is SMS-based Two-Step Verification insecure?

The National Institute of Standards and Technology (NIST) recently released a new draft of the Digital Authentication Guidelines. In it, NIST explains that it can no longer recommend the use of SMS-based Two-Step Verification and no longer considers it secure, because a determined attacker could cause your mobile phone provider to transfer your telephone number to a new device.

Pobox has never provided SMS-based Two-Step Verification. Our primary lockout codes have always been either time-based one-time passwords (TOTP), each valid for only 30 seconds, generated by an authentication app like Google Authenticator (for more, visit other authentication apps), or a YubiKey hardware token.

For Pobox Two-Step Verification, SMS-based codes are used for lockout purposes only. Any use of an SMS code will cause an email confirmation to be sent to your admin contacts, so you know if this method has been used. We feel this balances the potential attack vector with the most convenient avenue of recovery should you lose access to your primary lockout codes.

We also provide printable lockout codes, which you may choose as your exclusive backup method. (If one of these printable lockout codes is used, Pobox will also send you a message informing you that it has been used to access your account.) If you use printable codes exclusively, please do NOT store those codes on your handset; make sure they are in a secure location.


2.5. Apps that generate 2FA tokens

Pobox's software two-factor authentication uses Time-based One-Time Passwords (TOTP). Many applications support generating tokens using this format, including:

We also support the YubiKey hardware token's YubiKey OTP, which you can set up on this page. (We do not support FIDO at this time.)

2.6. Where can I find my one-time token?

Your one-time token can be found in a few places, depending on what you use as a two-step verification tool:

  • The app you used to set up two-step verification (the one you used to scan your QR code)
  • Your YubiKey hardware token (find out more about YubiKey)
  • The list of lockout codes we asked you to store during two-step verification setup
  • A one-time lockout code requested via SMS, if you were able to set up SMS with your carrier

The tokens from your app are only good for 30 seconds each. If you've stored an old one, please open the app and get a fresh one. 

2.7. Can I link multiple YubiKeys with my account?

Each physical YubiKey token has its own unique identifier. YubiKey recommends having more than one token to reduce the risk of being locked out of your account because of token loss. You can link up to 5 YubiKey tokens with your account.

2.8. How can I get a lockout code via SMS?

To receive one-time lockout codes via SMS, you need to confirm your mobile number as capable of receiving SMSes from us. (SMS lockout codes are not available in all countries / mobile networks.) Set up SMS lockout codes. You should enter your phone number with its international country code first. (The United States is +1.)

Please note that setup is not complete until you enter, on the web, the confirmation code we send you via SMS.

If you lose or reset your smartphone, you can request your SMS lockout code after entering your password, by clicking the link "Request a one-time lockout code." This link is only available if you've set up SMS lockout codes!

Once you've set up lockout codes, you need to set up two-step verification for your account. Primary two-step verification uses time-based one-time passwords, and requires an app on your computer or smartphone, or a hardware token.

2.9. App-specific passwords and two-step verification

If you have enabled two step verification and use an email program like Outlook or Mac Mail, or your email program sends mail through smtp.pobox.com, you need to set up an app-specific password in order to send or receive email. (Email programs cannot use 2FA -- it is for the web only.)

App-specific passwords cannot be the same as your main account password. Once you've added the app-specific password, update your email programs to use the new password immediately.

2.10. What happens if I replace or reinstall my phone?

Your 2FA secret is tied to the physical device you set it up on. If you lose that device, need to restore it from a backup, or even just delete the app and then put it back, the ONLY way to get into your account is using one of your lockout codes. Store a copy of them now! The simplest way to store them is to just print them out, but keeping them in a secure digital location (such as a password vault like 1Password or LastPass) also works.

This is true whether the phone is lost, stolen, destroyed, sold, replaced or reinstalled. Your 2FA secret is stored on the specific physical device you set it up on, and on that device only. The secret is not stored in backups or syncs, so restoring a new device from a backup of your old device will NOT set your 2FA up again.

Why? If Google Authenticator synced your 2FA secret, then someone else could gain access to your 2FA codes by simply setting up a new phone/device from a backup of yours. 

So, store your codes and keep them in a safe place.