Germany calls for default 2FA on major webmail services

Germany’s federal cybersecurity authority is urging major webmail providers to turn on two-factor authentication by default. The guidance comes from the Bundesamt für Sicherheit in der Informationstechnik, which published a new white paper describing widespread gaps in consumer account protection. According to the agency, many authentication features are visible only after navigating multiple menus, and most remain disabled unless users actively enable them.

Recent survey data cited by the BSI show that only about 34% of users have two-factor authentication activated on their email accounts. The agency considers the figure too low given the frequency of account takeover incidents linked to phishing, credential reuse and weak passwords. Webmail accounts remain a primary target for attackers because they often serve as recovery channels for a wide range of online services.

BSI recommendations for default protection

In the white paper, the BSI recommends that providers activate strong authentication methods by default rather than relying on user action. The suggested methods include two-factor authentication, passkeys and biometric login options. Providers are also asked to ensure that password rules meet current security standards and that account recovery cannot be hijacked by an attacker who has altered the recovery contact details stored on the account. The agency highlights the need for clear instructions, predictable steps and multiple recovery channels.

The BSI noted that recovery processes frequently fail when attackers alter contact details or linked information. To address this risk, the agency advises providers to design recovery flows that verify identity through reliable signals and do not rely solely on outdated contact information. The goal is to prevent both account lockout and unauthorised access.

Caroline Krohn, head of digital consumer protection at the BSI, said that secure email systems are fundamental to digital participation. She stated that protective measures are effective only when they are understandable, interoperable and suitable for everyday use.

The call for default protections aligns with broader efforts inside Germany to strengthen cybersecurity requirements across digital services. The BSI noted that visible security features help build trust and support what officials describe as digital sovereignty. Security researchers said that compromised email accounts allow attackers to launch further intrusions by resetting passwords, spreading spam or reusing captured credentials across platforms.

The agency acknowledged that default activation of strong authentication may create challenges for providers that must balance security with ease of use. Some users could view additional login steps as an inconvenience. Security analysts argue that these concerns are outweighed by the benefits of raising baseline protection for all users. Attackers continue to target email accounts because they remain valuable gateways to personal and financial data.

Consumers are encouraged to activate two-factor authentication on all important accounts, even before providers adjust their default settings. Users are also advised to confirm that recovery contact information is accurate, monitor accounts for unusual forwarding rules (an attacker who has taken over a mailbox typically adds one to silently copy out mail) and avoid relying solely on SMS codes, which can be intercepted or redirected through SIM swapping.
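To make "unusual forwarding rules" concrete, the following audit is an added example (it is not from the BSI paper or any provider's tooling). It runs over a constructed, provider-neutral rule format and flags the patterns an account-takeover investigation usually looks for: forwarding to a domain outside the owner's, rules that match all mail, rules that single out password-reset or invoice messages, and rules that delete or mark-read the forwarded copy so the owner never sees it. The owner domain, keyword list and sample rules are assumptions for illustration.

```python
from dataclasses import dataclass, field

OWNER_DOMAIN = "example.org"  # assumed domain of the audited mailbox (constructed)

# Subject keywords an attacker filters for because such messages carry reset links
# and one-time codes for other services. Assumed list, not taken from the BSI paper.
RECOVERY_KEYWORDS = ("password", "reset", "verification", "invoice")


@dataclass
class ForwardRule:
    """Provider-neutral forwarding rule (constructed format, not a real webmail API)."""
    name: str
    forward_to: str
    conditions: dict = field(default_factory=dict)  # e.g. {"subject_contains": "invoice"}; empty = every message
    delete_after_forward: bool = False
    mark_read: bool = False


def rule_findings(rule, owner_domain=OWNER_DOMAIN):
    """Return the list of suspicious traits of one rule (empty list = looks benign)."""
    findings = []
    domain = rule.forward_to.rsplit("@", 1)[-1].lower()
    if domain != owner_domain.lower():
        findings.append(f"forwards to external domain {domain}")
    if not rule.conditions:
        findings.append("applies to all incoming mail")
    condition_text = " ".join(str(v) for v in rule.conditions.values()).lower()
    hits = [k for k in RECOVERY_KEYWORDS if k in condition_text]
    if hits:
        findings.append("filters for recovery/financial mail: " + ", ".join(hits))
    if rule.delete_after_forward or rule.mark_read:
        findings.append("hides the forwarded copy from the owner")
    return findings


def audit_rules(rules, owner_domain=OWNER_DOMAIN):
    """Map rule name -> findings for every rule that has at least one finding."""
    return {r.name: f for r in rules if (f := rule_findings(r, owner_domain))}


# Constructed sample rules: one benign, three that mirror typical takeover patterns.
SAMPLE_RULES = [
    ForwardRule("cover for holiday", "colleague@example.org", {"from_contains": "customer"}),
    # single-character rule names are a common attacker habit; this one copies everything out and deletes it
    ForwardRule(".", "archive-sync@gmail.example", {}, delete_after_forward=True),
    # lookalike domain (examp1e.org) plus mark-as-read to keep the owner from noticing
    ForwardRule("Invoices", "finance@examp1e.org", {"subject_contains": "invoice"}, mark_read=True),
    # internal recipient but scoped to password-reset mail for other services
    ForwardRule("Resets", "backup@example.org", {"subject_contains": "password reset"}),
]

if __name__ == "__main__":
    for name, findings in audit_rules(SAMPLE_RULES).items():
        print(f"{name!r}: " + "; ".join(findings))
```

The domain comparison is deliberately exact rather than a suffix match, so a lookalike such as examp1e.org is reported as external; in a real deployment the keyword list and the owner domain would come from the provider's own configuration.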

The BSI’s recommendations will serve as a reference point for ongoing discussions about mandatory security features in Europe. How providers respond will determine whether default two-factor authentication becomes a standard expectation for email services across the region.