Thank you for 2015 & status update

We’re about to start a new year and we’d like to take the opportunity to thank you for your business in 2015 and provide a quick status update.

We’ve spent much of the year steadily growing and improving our email services, mainly focusing on our new IMAP services and improving our server infrastructure.

Additionally, we have been developing 2FA support, working on a new spam filter, and implementing calendar services. These projects are now close to completion, and we expect them to be ready for beta testing early in the new year.

We have also had some other events worth mentioning, such as a new front page that sets Runbox apart from the crowd, a DDoS (Distributed Denial of Service) attack from a group that tried to extort USD 5000 from us but who later gave up and apologized, and being mentioned in The New York Times, Forbes, and The Washington Post as a service focusing on security and privacy.

Furthermore, we have improved our Terms of Service and Privacy Policy to better reflect how Runbox protects the privacy of our customers, and we have explained how our email services are powered by 100% certified renewable energy sources.

And, if you haven’t tried the Aero webmail theme yet, you are definitely missing out!

We plan to make next year even better than this one, so stay tuned…


9 thoughts on “Thank you for 2015 & status update”

  1. Any ballpark ETA on the 2FA? This is a huge thing for myself. I can speak personally that I have been waiting about 2 years for this. I would have allowed my subscription to lapse had I not found this blog post. But the issue is 2FA has been “in the works” in some form or fashion for approximately those 2 years. Is it even close? Are we looking at another 2 years before release?

    I am relegated to using a private browsing session on a secured box only in my home on my home network simply due to the concern of leaking the password. Two factor is not only more difficult to crack but it also allows for auditing in certain forms, i.e. call back PINs and such. You know when someone is trying to log in, not just after you log in and check audits. It gives you notice to respond now and consider yourself under attack. You could notify on these login attempts but that would mean you need a secure method of login at any time from any place. Single factor simply cannot provide this outside of the likes of single use passwords.

    Even single use passwords would be a huge addition and far more easily implemented than 2FA. Not that they replace it though and it is still required.


  2. We’ve made substantial progress on 2FA over the past couple of weeks, and are getting closer to our full suite of services supporting it.

    We’ll keep you updated about our progress and when it will be available for testing.

  3. Hi,

    This seems to be taking quite a lot of time… Runbox is great but is lacking security. This is an important feature to implement. Please can Runbox set an expectation for their customers?

    Thanks and keep up the good work!

    1. We’ve had significant progress and have finalized development of our 2FA web interface, which will include functionality for turning services on/off, Two-Step Verification, One-Time Passwords, Trusted Devices, and Application-Specific Passwords.

      We have also spent time improving our new authentication service (which is the foundation for 2FA), to make sure it scales in our production environment.

      What remains is mostly to handle a couple of legacy interfaces to make all of our services use the authentication service instead of native/custom authentication.

      Then we will do some thorough testing, after which we can gradually deploy in production and invite some beta testers.

  4. Hi Geir,

    Many thanks for the update.

    Could you please give us a target date for this to be implemented? I’m sure you must have a target date…


  5. Although I have a long secure password with 128 bits of entropy, I can’t remember nor type out all of the characters when I’m not home (such as on a system that I do not own or in a public location with cameras). The ability to generate a list of throw-away one-time passwords and use them in combination with Google Authenticator codes would be useful.
