
The Bundesamt für Sicherheit in der Informationstechnik (BSI), Germany’s cybersecurity agency, argues that providers of email services should enable two-factor authentication (2FA) by default, rather than leaving this up to their users.
Protecting consumers from security risks, such as insecure authentication procedures and identity theft, should be a top priority for webmail providers. However, security features like two-factor authentication (2FA) are often optional, difficult to find, or complicated to use.
The German government previously conducted research into the use of 2FA among internet users. Of those who participated in the study, only 34% said they used 2FA, showing a downward trend compared to previous studies.
According to the German Federal Office for Information Security (BSI), this indicates that consumers lack transparency regarding how providers secure their accounts and handle threats such as phishing and spam.
That’s why Germany’s cybersecurity agency has published a new whitepaper. The document describes clear requirements for making webmail services more secure, transparent, and user-friendly.
One of the key actions is that webmail services should enable login methods such as 2FA, passkeys, or biometric verification by default. In addition, password rules should follow current security recommendations.
Furthermore, recovery processes are often confusing, especially when an account takeover is involved. Therefore, webmail providers should make account recovery options reliable, transparent, and always available, even if attackers have manipulated stored data. Providers should offer clear guidance, multiple communication channels, and optional identity-based verification to prevent loss of access.
The BSI emphasizes that secure email communication is fundamental to digital participation. Providers are encouraged to proactively adopt these measures and make security a visible part of their service offering.
“With this whitepaper, we want to strengthen consumer protection in one of the most important areas of digital life. Transparent, secure, and user-friendly email services are essential for digital sovereignty in Germany,” the BSI states.
Caroline Krohn, Head of Digital Consumer Protection at the BSI, adds that “only if protective measures are understandable, interoperable and suitable for everyday use will they have their full effect.”