24 Jul 2016, 12:38 PM   #78
robn
Master of the @
 
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007

Representative of:
Fastmail.fm
Quote:
Originally Posted by gardenweed
So my understanding is that 3 login methods will be supported after 31-Aug as bulleted above.
And that when using TOTP, you will be able to nominate a pc as trusted, and not have to use 2-factor after the initial login - I gather that the password will be saved.

I assume that all of these login types will be restricted access sessions, and that full access will be restricted the master password sessions.

Ok, here's my attempt to clarify everything. This is all in the new documentation and you'll be guided through it in the UI, so no need to memorise this.

You have a "master" password. Just one. It's what you use to access your account via the web. It's a "full access" login (there's no such thing as "restricted" logins anymore, except during the transition period where existing "Alternative Logins" continue to work. I've written more about restricted logins below).

From the web interface, you can access the new "Password & Security" screen. This asks for your password before you can make any changes (the "master" password - you only have one).

Here, you can, if you choose, add and verify a recovery method - either an email address or SMS number. This will be used to help you recover your account should you ever lose access to it (lost password and/or second factors).

Once you've added a recovery method you can, if you choose, add second factor options to your account - U2F, TOTP (ie "Google Authenticator") or old-style YubiKey OTP. You can add as many of these as you like.

Once you add second factors, you will be required to use a second factor along with your password (the "master" password) during web login. When you use your second factor, you will be offered the option to trust the current device. If you take this option, you will NOT be asked for a second factor the next time you login from the current device (actually browser; it's tracked with a cookie).

If you have added an SMS recovery option and a U2F, TOTP or YubiKey OTP second factor, you will also be offered the option to use a code sent to your phone as your second factor during login.


There are options in the Password & Settings UI to remove trust for the current device or for ALL devices. Removing trust simply means that you will be asked for a second factor at login again. You can also individually logout web sessions, just as you can now.


For non-web logins (any IMAP/CalDAV/CardDAV/SMTP/LDAP/FTP clients), you create app passwords. When creating, you specify which protocols the password will be valid for. The idea is that you'll create a single password for every app you use. The passwords are generated by the server so they're guaranteed to be strong.

As a transition step, your master password will be able to login to all protocols via the "messagingengine.com" server names. At the same time, we'll be providing new per-protocol names eg imap.fastmail.com, caldav.fastmail.com, etc. These will only accept application passwords of the correct type.


The UI will show you the last time any second factor or app password was used, including IP address and location. You have the option to delete any of them when you please.


If you've previously set up alternative logins, some of them will continue to work until 31 August - specifically, SMS OTP, YubiKey 2-factor, TOTP (Google Authenticator) and Regular Password. These all require the associated base password instead of the "master" password and honour the "full access" setting (that is, they will create a "restricted" web session). These are not configurable through the new Password & Security settings screen, and no new ones can be created. They can be deleted through the old Alternative Logins screen. On 31 August they will cease to operate.

OTP, 1hr OTP, 1hr SMS OTP and YubiKey one-factor are not supported at all in the new system and will cease to function when the new system is deployed.


For Classic logins, you will be able to use TOTP and YubiKey OTP second factors. U2F is not available (due to the Javascript requirement) and SMS is not available (due to the need for a multi-stage login flow, which we're not planning to implement for Classic). The Password & Security screen is only available in the standard client; there's no similar screen in Classic. You only need to set that all up once though.


Restricted logins are not a part of the new authentication system (except for Alternative Logins during the transition period) because we've found that they don't actually protect against the most dangerous things a malicious person could do with access to an account, while being very inconvenient for normal usage.

A restricted login would not stop them reading all your personal information. It would not stop them emailing your friends and family pretending to be you and asking for money. It would not stop them from resetting your password at every other online service which is linked to your email. Preventing the permanent deletion of email is not even that useful, as our restore from backup service would allow you to restore this for up to 7 days afterwards anyway.

Meanwhile, the restrictions mean that normal operation can be painful – no ability to add or edit new contacts or calendar events, or quickly create a rule from a message for example.

This is why in the new system we have concentrated on making it easier to secure your account with two-step verification: the best way to stop an attacker gaining access to your account altogether. Two-step verification means that if someone steals your password, they still won't have access to your account.


Almost all of this is optional though. If you only want to use your username & password, there's nothing you need to do. The rest you only need to add if you want it, and it pretty much all works the way you'd expect from any other service implementing two-factor auth.

I think that's everything. I'll try to answer specific questions and help with adjusting your workflow if I can, but I'm also pretty busy at the moment - I've got a major feature release to prepare for. Do have a look at the blog if you haven't yet. The last three posts in particular have screenshots of the login screens at the second-factor stage, which might aid understanding.
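As an added illustration of the login rules robn lays out above (example code, not Fastmail's own), here is a small Python model of the decisions: one master password for full-access web login, a second factor skipped only for a trusted browser, an SMS code offered only alongside another factor plus SMS recovery, and server-generated app passwords scoped to protocols. The `Account` class, its field names, and the assumption that the transition host also accepts app passwords are mine, not from the post.

```python
import secrets
from dataclasses import dataclass, field

PROTOCOLS = {"imap", "caldav", "carddav", "smtp", "ldap", "ftp"}
TRANSITION_HOST = "messagingengine.com"  # master password still accepted here


@dataclass
class Account:
    master_password: str                                # the single "master" password
    second_factors: set = field(default_factory=set)    # e.g. {"u2f", "totp", "yubikey"}
    sms_recovery: bool = False                          # verified SMS recovery number present
    trusted_devices: set = field(default_factory=set)   # browser cookie ids
    app_passwords: dict = field(default_factory=dict)   # secret -> allowed protocols

    def create_app_password(self, protocols):
        # Server-generated (so guaranteed strong) and scoped to the chosen protocols.
        unknown = set(protocols) - PROTOCOLS
        if unknown:
            raise ValueError(f"unknown protocols: {sorted(unknown)}")
        secret = secrets.token_urlsafe(16)
        self.app_passwords[secret] = frozenset(protocols)
        return secret

    def offered_second_factors(self):
        # An SMS code is offered only alongside another factor plus SMS recovery.
        offered = set(self.second_factors)
        if self.second_factors and self.sms_recovery:
            offered.add("sms")
        return offered

    def web_login(self, password, device_id, second_factor=None, trust=False):
        if not secrets.compare_digest(password, self.master_password):
            return "denied"
        if self.second_factors and device_id not in self.trusted_devices:
            if second_factor not in self.offered_second_factors():
                return "second factor required"
            if trust:                       # "trust this device": no 2FA next time
                self.trusted_devices.add(device_id)
        return "full access"                # no "restricted" sessions in the new system

    def protocol_login(self, host, protocol, password):
        scoped = protocol in self.app_passwords.get(password, frozenset())
        if host == TRANSITION_HOST:         # transition: master password works everywhere
            # Assumption: a correctly scoped app password is accepted here too.
            return scoped or secrets.compare_digest(password, self.master_password)
        # imap.fastmail.com etc. accept only an app password of the matching type.
        return host == f"{protocol}.fastmail.com" and scoped
```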