EmailDiscussions.com

FastMail Forum: New features to keep your FastMail account even more secure (http://www.emaildiscussions.com/showthread.php?t=71922)

FredOnline 18 Jul 2016 02:41 PM

New features to keep your FastMail account even more secure
 
https://blog.fastmail.com/2016/07/18...n-more-secure/

janusz 18 Jul 2016 05:55 PM

From the blog:
Quote:

When you set up third party apps to access your FastMail account (such as Outlook or Mail.app on your phone or desktop), in the future you will need to log in to the web first and get a special app password.
I strongly suspect that, when this is implemented, something nasty is going to hit the fan.... :rolleyes:
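An added illustration of the app-password model the blog quote above describes (a separate, random password per third-party client, issued from the web interface), written in Python for this thread; it is example code, not FastMail's implementation, and the class name, the protocol scope names and the PBKDF2 parameters are assumptions. The point it shows is what makes app passwords safer than reusing the main password in a mail client: the secret is shown once and only a salted hash is kept, each password is limited to the protocols that client needs, it can never be used for the web login, and it can be revoked on its own without touching the account password.

```python
import hashlib
import hmac
import os
import secrets
import string

ALPHABET = string.ascii_lowercase        # assumption: 16 lowercase letters, ~75 bits of entropy
PBKDF2_ROUNDS = 100_000                  # assumption: tuned down for a quick demo


class AppPasswordStore:
    """Hypothetical per-account store of app passwords (example, not FastMail code)."""

    def __init__(self):
        # token_id -> {"label", "salt", "digest", "scopes", "revoked"}
        self._entries = {}

    @staticmethod
    def _digest(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def create(self, label: str, scopes: set) -> tuple:
        """Issue a new app password. The cleartext is returned exactly once; only its hash is stored."""
        if "web" in scopes:
            raise ValueError("app passwords are never valid for the web login")
        password = "".join(secrets.choice(ALPHABET) for _ in range(16))
        salt = os.urandom(16)
        token_id = secrets.token_hex(4)
        self._entries[token_id] = {
            "label": label,
            "salt": salt,
            "digest": self._digest(salt, password),
            "scopes": set(scopes),
            "revoked": False,
        }
        return token_id, password

    def verify(self, protocol: str, password: str):
        """Return the token id that authorises `password` for `protocol`, or None.

        Small stores can simply try every live entry; a real service would index
        the candidate entry by username first to avoid one PBKDF2 per entry."""
        if protocol == "web":
            return None
        for token_id, entry in self._entries.items():
            if entry["revoked"]:
                continue
            if hmac.compare_digest(self._digest(entry["salt"], password), entry["digest"]):
                return token_id if protocol in entry["scopes"] else None
        return None

    def revoke(self, token_id: str) -> None:
        """Kill one client's access without changing the account password."""
        self._entries[token_id]["revoked"] = True


if __name__ == "__main__":
    store = AppPasswordStore()
    tid, pw = store.create("Outlook on laptop", {"imap", "smtp"})
    print("show once to the user:", pw)
    print("IMAP login:", store.verify("imap", pw))      # token id
    print("web login:", store.verify("web", pw))        # None: app passwords never open the web UI
    store.revoke(tid)
    print("after revoke:", store.verify("imap", pw))    # None
```

The scope check is what stops a leaked mail-client password from turning into full account access, and revocation per client is what lets the user drop one compromised device without rotating every other login.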

edu 18 Jul 2016 06:32 PM

I hope I will be able to use FreeOTP app with it...

GeraldR 18 Jul 2016 07:42 PM

2FA via SMS to Two different cell phones
 
Consider someone who is frequently in two countries with a cell phone number for each one (because roaming charges are too high). How do they use 2FA with SMS under the new system?

janusz 18 Jul 2016 07:48 PM

In all cases I know of (not that many, actually), receiving SMS messages is free while roaming.

DumbGuy 18 Jul 2016 08:12 PM

While I'm quite happy with the current Alternative Logins structure, I'm also looking forward to this new password system revamp. I know the FM folks have been planning and developing this new system for a while now, so great to see it's ready for launch.

@GeraldR: Maybe get a free Google Voice phone#. Incoming SMSs there you can set to forward to various destinations simultaneously.

janusz 18 Jul 2016 08:24 PM

Google Voice can be forwarded to US numbers only

DumbGuy 18 Jul 2016 08:36 PM

Quote:

Originally Posted by janusz (Post 595042)
Google Voice can be forwarded to US numbers only

Ok, but they also forward to email addresses. Maybe use a 2nd/free email account just to receive those SMSs from Google Voice? Or, maybe somewhere out there is an email-to-SMS gateway service for the relevant country mobile# being used.

robn 18 Jul 2016 08:55 PM

Quote:

Originally Posted by GeraldR (Post 595038)
Consider someone who is frequently in two countries with a cell phone number for each one (because roaming charges are too high). How do they use 2FA with SMS under the new system?

You can add both numbers. You'll then be offered a choice of number to send to during login.

fmail_fan 18 Jul 2016 09:14 PM

Additional security isn't really a requirement for me. I'm perfectly happy with the current authentication process so I'm hoping that this 2FA change is optional. That's not clear to me based on what I've read so far unless I've missed it.

FredOnline 18 Jul 2016 09:16 PM

Quote:

Originally Posted by robn (Post 595044)
You can add both numbers. You'll then be offered a choice of number to send to during login.

Presumably Fastmail will charge for SENDING the SMS Text?

robn 18 Jul 2016 09:35 PM

Quote:

Originally Posted by FredOnline (Post 595046)
Presumably Fastmail will charge for SENDING the SMS Text?

No. We're wearing the cost on this one. Being locked out of your account because you didn't have any SMS credit would not be cool.

BritTim 18 Jul 2016 09:40 PM

Change is not always good but, on first reading, these seem like well thought out and excellent enhancements.

Will we be able to use U2F to secure access to file storage?

robn 18 Jul 2016 09:49 PM

Quote:

Originally Posted by BritTim (Post 595049)
Will we be able to use U2F to secure access to file storage?

U2F can be used to secure access to the web interface as a whole, including the files app. It can't be used for WebDAV or FTP because those protocols do not have support for it.

pjwalsh 18 Jul 2016 10:14 PM

U2F and app-specific passwords are great advances in FM login security.

A post comparing U2F with the standard Yubikey OTP:
http://www.emaildiscussions.com/show...7&postcount=24

Chrome supports U2F, Firefox does not.
Sadly, Mozilla has yet to implement U2F support.
Others might list other browsers that support U2F.

Amazon links for U2F capable keys:
Yubikey U2F only 18 USD
Yubikey 4 40 USD
Yubikey NEO 50 USD

jkc054 19 Jul 2016 12:44 AM

I hope this is voluntary and not mandatory. If mandatory I may have to look for another email provider and what a pain that will be. :confused:

BritTim 19 Jul 2016 01:34 AM

My reading of this is that, if you just use a single password for access to your account, the only change you will see is that the URL of the login screen changes.

For people who only use email for casual correspondence, these changes are not especially important. However, where email contains potentially confidential communications, it becomes important to keep accounts secure. 2FA, and especially U2F, are useful tools in assisting to ensure this, as are app/device specific passwords.

FredOnline 19 Jul 2016 02:03 AM

Quote:

Originally Posted by robn (Post 595048)
No. We're wearing the cost on this one. Being locked out of your account because you didn't have any SMS credit would not be cool.

Followed by a price increase on all plans to cover overheads?

ChinaLamb 19 Jul 2016 02:08 AM

I'm currently only seeing the old "Alternative Logins". When will the Two-Factor options be available?

FredOnline 19 Jul 2016 02:34 AM

You could go to the link in post #1 and read it.

ChinaLamb 19 Jul 2016 02:46 AM

Quote:

Originally Posted by FredOnline (Post 595070)
You could go to the link in post #1 and read it.

Thanks, Fred. A simple Next Monday would have sufficed.

Read it before, missed that detail.

/cl

pjwalsh 19 Jul 2016 02:47 AM

Quote:

Originally Posted by ChinaLamb (Post 595068)
when will the Two-Factor options be available?

Good question. From the blog:

Launching next Monday July 25.

Current alternate logins terminate August 31.
If you're currently using our "alternate logins" system, you will need to migrate to the new system sometime in the next month. We will be removing all old-style "alternate logins" on 31st August. Also, please note that if your alternate login has a second factor, you will now be asked for this after submitting your username and password, rather than entering it on the initial login page.
https://blog.fastmail.com/2016/07/18...en-more-secure

--
There'll be blog posts each day this week explaining the new login security features in detail.

robn 19 Jul 2016 05:35 AM

Quote:

Originally Posted by pjwalsh (Post 595053)
U2F and app-specific passwords are great advances in FM login security.

I'm of the opinion that it's more secure and more user-friendly than any other consumer-grade two-factor out there. I've been telling anyone that will listen and we're hoping to do more presentations about U2F in the future.

Quote:

Chrome supports U2F, Firefox does not.
Sadly, Mozilla has yet to implement U2F support.
Others might list other browsers that support U2F.
All Chromium-based browsers should support it (Chromium, Chrome, Opera, Vivaldi, etc).

There is an extension for Mozilla, but no native support yet. I'm told that there are Mozilla engineers interested in it, but it's currently quite difficult to do securely in Mozilla due to the lack of sandboxing. I'm sure they'll get there in time.

Quote:

Amazon links for U2F capable keys:
We've tested with U2F devices from Hypersecu, Feitian, Neowave, Happlink and Nitrokey. At 9 euro the Nitrokey U2F is the cheapest one we've found, so it's certainly not expensive to get started.

Of course we'll continue supporting TOTP and other methods for the foreseeable future.

robn 19 Jul 2016 05:38 AM

Quote:

Originally Posted by jkc054 (Post 595063)
I hope this is voluntary and not mandatory. If mandatory I may have to look for another email provider and what a pain that will be. :confused:

It's not mandatory. If regular username & password works fine for you then you can continue to do that.

robn 19 Jul 2016 05:45 AM

Quote:

Originally Posted by BritTim (Post 595064)
For people who only use email for casual correspondence, these changes are not especially important. However, where email contains potentially confidential communications, it becomes important to keep accounts secure. 2FA, and especially U2F, are useful tools in assisting to ensure this, as are app/device specific passwords.

I'd argue that with the continuing use of email as the recovery option for most internet services, and with the prevalence of phishing scams, some sort of 2FA is worthwhile for all users. Unfortunately it is more complicated and requires some extra vigilance that is difficult for many users, so 2FA is unlikely to be something that we ever mandate. We are going to recommend it wherever possible and keep doing whatever we can to drive adoption.

pjwalsh 19 Jul 2016 06:45 AM

Quote:

Originally Posted by robn (Post 595084)
There is an extension for Mozilla, but no native support yet. I'm told that there are Mozilla engineers interested in it, but it's currently quite difficult to do securely in Mozilla due to the lack of sandboxing. I'm sure they'll get there in time.

So.. does the extension do it securely?

https://addons.mozilla.org/en-US/fir...support-add-on

--
You can test a U2F key here:
https://demo.yubico.com/u2f

robn 19 Jul 2016 07:02 AM

Quote:

Originally Posted by pjwalsh (Post 595087)
So.. does the extension do it securely?

My understanding of the issue is that the browser has to connect to the USB system in order to communicate with the U2F device. If this isn't done carefully, then it might be possible for arbitrary Javascript code to talk to any of your USB devices - disks, network devices, etc.

This is easier for Chrome to protect against because it already has its sandboxing model, whereas a last line of defence, Javascript can't do anything outside of its running context (usually the current tab).

Mozilla doesn't have this sandboxing model, mostly for legacy reasons, so the USB support needs to be implemented very carefully. It can't afford to be wrong as there isn't that last line of defence.

The (long) dev discussion is here: https://bugzilla.mozilla.org/show_bug.cgi?id=1065729.

Back to your original question about the extension. I don't know anything about it really, and I'm not a Mozilla user, so I can't really say anything about its security characteristics. If it's implemented the way that seems obvious to me (a secondary task using libu2f-host to communicate with the U2F device) then it's probably not too bad and I would probably use it.

Ultimately though you don't really have much guarantee about anything unless you're willing to go to a lot of effort. Chrome could be broken for all I know. I trust my browser because the alternative is more effort than it's worth. You know your own security needs, so you'll need to make the best choice for yourself.

fmail_fan 19 Jul 2016 09:43 AM

Quote:

Originally Posted by robn (Post 595085)
It's not mandatory. If regular username & password works fine for you then you can continue do that.

Glad to hear it.

GeraldR 19 Jul 2016 08:01 PM

2FA via SMS to Two different cell phones
 
Quote:

Originally Posted by robn (Post 595044)
You can add both numbers. You'll then be offered a choice of number to send to during login.

Thanks, that will solve it.

FredOnline 19 Jul 2016 09:14 PM

Has anyone had notification from Fastmail of the new features in their Fastmail inbox?

I've had nothing yet.

glass 19 Jul 2016 10:32 PM

"If you're currently using our "alternate logins" system, you will need to migrate to the new system sometime in the next month. We will be removing all old-style "alternate logins" on 31st August."

What does this mean for the other types of alternate logins, such as OTP?

robn 20 Jul 2016 08:43 AM

Quote:

Originally Posted by glass (Post 595100)
"If you're currently using our "alternate logins" system, you will need to migrate to the new system sometime in the next month. We will be removing all old-style "alternate logins" on 31st August."

What does this mean for the other types of alternate logins, such as OTP?

OTP set, 1-hour OTP/SMS and Yubikey one-factor are being removed. They will no longer work from release on Monday.

Terry 20 Jul 2016 09:15 AM

Why do you keep changing things? Is the extra security really needed, or is it just to make it harder to use the old UI?

BritTim 20 Jul 2016 09:22 AM

Quote:

Originally Posted by Terry (Post 595126)
Why do you keep changing things? Is the extra security really needed, or is it just to make it harder to use the old UI?

I am not a fan of change without good reasons. I support this set of changes. It is a fact that security on the Internet is becoming ever more of a challenge. We need the best possible tools to respond to this.

Terry 20 Jul 2016 09:27 AM

Perhaps it's to drive another nail in the classic UI coffin.:D:D:D

We are getting so many changes and I really don't like many of them so I am now about to try something else, but if I don't like it I have only lost $40

pjwalsh 20 Jul 2016 01:19 PM

Quote:

Originally Posted by edu (Post 595035)
I hope I will be able to use FreeOTP app with it...

No reason why not. TOTP is an IETF standard FastMail will continue supporting (post #23 above).

Glad you asked the question, I wasn't aware of FreeOTP. I've installed it on my Android devices.

https://play.google.com/store/apps/d...hosted.freeotp
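Since the post above rests on TOTP being an IETF standard (RFC 6238, built on HOTP from RFC 4226), here is an added Python implementation of what an app such as FreeOTP and the server each compute; it is example code for this thread, not FastMail's or FreeOTP's code. It assumes the standard defaults (HMAC-SHA1, 30-second step, 6 digits), a base32-encoded shared secret as shown in a provisioning QR code, and a server-side verify routine that accepts one step of clock drift either way and refuses a code that has already been accepted, which is the check that turns a time-based code into a one-time one.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time: float, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(key, int(for_time) // step, digits, algo)


def secret_from_base32(text: str) -> bytes:
    """Decode the secret as it appears in an otpauth:// provisioning URI (spaces and case tolerated)."""
    return base64.b32decode(text.replace(" ", "").upper(), casefold=True)


def verify_totp(key: bytes, code: str, now: float, step: int = 30, window: int = 1,
                digits: int = 6, last_used_counter=None):
    """Server-side check. Returns the counter the code matched, or None.

    `window` steps either side of the current one absorb small clock drift;
    `last_used_counter` (persisted per account) blocks replay of an accepted code.
    Comparison is constant-time so the check leaks nothing about partial matches."""
    current = int(now) // step
    for counter in range(current - window, current + window + 1):
        if last_used_counter is not None and counter <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(key, counter, digits), code):
            return counter
    return None


# Constructed demo secret: the RFC 6238 reference key "12345678901234567890" in base32.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    key = secret_from_base32(DEMO_SECRET_B32)
    now = time.time()
    code = totp(key, now)                       # what the phone app displays
    print("current code:", code)
    used = verify_totp(key, code, now)          # server accepts once ...
    print("accepted at counter:", used)
    print("replay:", verify_totp(key, code, now, last_used_counter=used))   # ... and refuses a replay
```

The RFC 6238 test vectors are the quickest way to check an implementation: with the reference key, time 59 gives 287082, 1111111109 gives 081804 and 1234567890 gives 005924 (the RFC lists the 8-digit forms). Whether a printed backup-code list as discussed later in the thread is available is a policy choice on the server; the arithmetic above only covers the time-based factor.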

Fabrio 20 Jul 2016 02:27 PM

Which Yubikey
 
I read the article on the new 2FA - I am looking at getting a yubikey specifically one with NFC - but I am confused about which one is appropriate. The article mentions the OLD yubikey and has a link to yubico which takes you to a page showing the NEW yubikeys
(The article also only gives a link to twitter to follow the discussion - and no mention of this forum)
Anyway I'd appreciate any assistance on this

robn 20 Jul 2016 02:48 PM

Quote:

Originally Posted by Fabrio (Post 595137)
I read the article on the new 2FA - I am looking at getting a yubikey specifically one with NFC - but I am confused about which one is appropriate. The article mentions the OLD yubikey and has a link to yubico which takes you to a page showing the NEW yubikeys
(The article also only gives a link to twitter to follow the discussion - and no mention of this forum)
Anyway I'd appreciate any assistance on this

Before U2F was available, YubiKeys supported an older OTP mechanism. If you have an old key, it won't support U2F but can still be used with FastMail because we implement the OTP mechanism.

If you're buying a new YubiKey, they all support both mechanisms, and we recommend using the U2F mode because it's more secure.

glass 20 Jul 2016 08:24 PM

Quote:

Originally Posted by robn (Post 595125)
OTP set, 1-hour OTP/SMS and Yubikey one-factor are being removed. They will no longer work from release on Monday.

I currently have:
password I can't remember (it's in my password manager, only accessible from my local computer)
password I can remember that requires 2fa (totp on phone)
password I can remember that requires an otp from a list I have printed out

So now if I want to be able to login when I don't have my phone, I will have to change my password to something I can remember and disable 2FA?

That doesn't sound "even more secure".

DumbGuy 20 Jul 2016 08:39 PM

Quote:

Originally Posted by robn (Post 595125)
OTP set, 1-hour OTP/SMS and Yubikey one-factor are being removed. They will no longer work from release on Monday.

Wait, I thought we had until 31-Aug-2016 to transition our Alternative Logins to the new authentication mechanism.

