EmailDiscussions.com  

Go Back   EmailDiscussions.com > Email Service Provider-specific Forums > FastMail Forum
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read
Stay in touch wirelessly

FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.

Reply
 
Thread Tools
Old 24 Jul 2016, 07:38 AM   #76
gardenweed
Cornerstone of the Community
 
Join Date: Jun 2008
Location: Perth
Posts: 664
Quote:
Originally Posted by amoebob View Post
....
After August, how do I login from untrusted computers without having to type my master password and without full access? The blog mentions alternative passwords for apps and protocols but not how I can obtain limited user access to the web interface.
The blog sent 22-July says:

Quote:
We will be supporting three different types:
  • TOTP (Time-Based One-Time Password)
  • FIDO U2F (Universal 2nd Factor from the Fast IDentity Online alliance); and
  • Yubico OTP (a proprietary one-time password scheme from Yubico).
And it also says in part of the TOTP section:

Quote:
Note: When you log in, you can choose to trust that computer, so you won't need to do the second step again every time you log in.
So my understanding is that 3 logins methods will be supported aft 31-Aug as bulleted above.
And that when using TOTP, you will be able to nominate a pc as trusted, and not have to use 2-factor after the initial login - I gather that the password will be saved.

I assume that all of these login types will be restricted access sessions, and that full access will be restricted the master password sessions.
gardenweed is offline   Reply With Quote
Old 24 Jul 2016, 10:03 AM   #77
Terry
The "e" in e-mail
 
Join Date: Jul 2002
Location: VK4
Posts: 2,995
I hope this may help a few people.

https://blog.fastmail.com/2016/07/18...n-more-secure/

https://blog.fastmail.com/
Terry is offline   Reply With Quote
Old 24 Jul 2016, 01:38 PM   #78
robn
Master of the @
 
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007

Representative of:
Fastmail.fm
Quote:
Originally Posted by gardenweed View Post
So my understanding is that 3 logins methods will be supported aft 31-Aug as bulleted above.
And that when using TOTP, you will be able to nominate a pc as trusted, and not have to use 2-factor after the initial login - I gather that the password will be saved.

I assume that all of these login types will be restricted access sessions, and that full access will be restricted the master password sessions.

Ok, here's my attempt to clarify everything. This is all in the new documentation and you'll be guided through it in the UI, so no need to memorise this.

You have a "master" password. Just one. It's what you use to access your account via the web. It's a "full access" login (there's no such thng as "restricted" logins anymore, except during the transition period where existing "Alternative Logins" continue to work. I've written more about restricted logins below).

From the web interface, you can access the new "Password & Security" screen. This asks for your password before you can make any changes (the "master" password - you only have one).

Here, you can, if you choose, add and verify a recovery method - either an email address or SMS number. This will be used to help you recover your account should you ever lose access to it (lost password and/or second factors).

Once you've added a recovery method you can, if you choose, add second factor options to your account - U2F, TOTP (ie "Google Authenticator") or old-style YubiKey OTP. You can add as many of these as you like.

Once you add second factors, you will be required to use a second factor along with your password (the "master" password) during web login. When you use your second factor, you will be offered the option to trust the current device. If you take this option, you will NOT be asked for a second factor the next time you login from the current device (actually browser; it's tracked with a cookie).

If you have added an SMS recovery option and a U2F, TOTP or YubiKey OTP second factor, you will also be offered the option to use a code sent to your phone as your second factor during login.


There are options in the Password & Settings UI to remove trust for the current device or for ALL devices. Removing trust simply means that you will be asked for a second factor at login again. You can also individually logout web sessions, just as you can now.


For non-web logins (any IMAP/CalDAV/CardDAV/SMTP/LDAP/FTP clients), you create app passwords. When creating, you specifiy which protocols the password will be valid for. The idea is that you'll create a single password for every app you use. The passwords are generated by the server so they're guaranteed to be strong.

As a transition step, your master password will be able to login to all protocols via the "messagingengine.com" server names. At the same time, we'll be providing new per-protocol names eg imap.fastmail.com, caldav.fastmail.com, etc. These will only accept application passwords of the correct type.


The UI will show you the last time any second factor or app password was used, including IP address and location. You have the option to delete any of them when you please.


If you've previously set up alternative logins, some of them will continue to work until 31 August - specifically, SMS OTP, YubiKey 2-factor, TOTP (Google Authenticator) and Regular Password. These all require the associated base password instead of the "master" password and honour the "full access" setting (that is, will create "restricted" web session). These are not configurable through the new Password & Security settings screen, and no new ones can be created. They can be deleted through the old Alternative Logins screen. On 31 August they will cease to operate.

OTP, 1hr OTP, 1hr SMS OTP and YubiKey one-factor are not supported at all in the new system and will cease to function when the new system is deployed.


For Classic logins, you will be able to use TOTP and YubiKey OTP second factors. U2F is not available (due to the Javascript requirement) and SMS is not available (due to the need for a multi-stage login flow, which we're not planning to implement for Classic).The Password & Security screen is only available in the standard client; there's no similar screen in Classic. You only need to set that all up once though.


Restricted logins are not a part of the new authentication system (except for Alternative Logins during the transition period) because we've found that they don't actually protect against the most dangerous things a malicious person could do with access to an account, while being very inconvenient for normal usage.

A restricted login would not stop them reading all your personal information. It would not stop them emailing your friends and family pretending to be you and asking for money. It would not stop them from resetting your password at every other online service which is linked to your email. Preventing the permanent deletion of email is not even that useful, as our restore from backup service would allow you to restore this for up to 7 days afterwards anyway.

Meanwhile, the restrictions mean that normal operation can be painful – no ability to add or edit new contacts or calendar events, or quickly create a rule from a message for example.

This is why in the new system we have concentrated on making it easier to secure your account with two-step verification: the best way to stop an attacker gaining access to your account altogether. Two-step verification means that if you someone steals your password, they still won't have access to your account.


Almost all of this is optional though. If you only want to use your username & password, there's nothing you need to do. The rest you only need to add if you want it, and it pretty much all works the way you'd expect from any other service implementing two-factor auth.

I think that's everything. I'll try to answer specific questions and help with adjusting your workflow if I can, but I'm also pretty busy at the moment - I've got a major feature release to prepare for Do have a look at the blog if you haven't yet. The last three posts in particular have screenshots of the login screens at the second-factor stage, which might aid understanding.
robn is offline   Reply With Quote
Old 24 Jul 2016, 02:31 PM   #79
nighthawk700
Essential Contributor
 
Join Date: Oct 2004
Location: Baltimore, MD Suburbs (US)
Posts: 237
Quote:
Originally Posted by robn View Post
Ok, here's my attempt to clarify everything.

Restricted logins are not a part of the new authentication system (except for Alternative Logins during the transition period) because we've found that they don't actually protect against the most dangerous things a malicious person could do with access to an account, while being very inconvenient for normal usage.
Well, this will kill the reason I got my kids Fastmail accounts in a family account. I set up filters in their accounts so I get a copy of every email they send and receive so I can monitor their usage, then give them the restrictive password while I keep the master so they can't monkey around with the filters. I chose to do that rather than one of the "kids email services" since it seemed to be about the same functionality at a better cost and hey, they get to use my email domain name too. Sounds like after Aug I'll have to give them the master password to the account, and will have to trust they won't monkey around with the filters. (they are pretty bright about things like that).

(and it looks like the new security features won't work for me anyway... in my workplace I can't bring in a cell phone, nor insert a USB device. The parking lot is too far to run in and jump on my computer in the 60 second or so window discussed.)

Back to the drawing board. PROGRESS!! ;-)
nighthawk700 is offline   Reply With Quote
Old 24 Jul 2016, 02:54 PM   #80
Terry
The "e" in e-mail
 
Join Date: Jul 2002
Location: VK4
Posts: 2,995
Thanks Rob for pointing out this part, I feel at lot happier now and I'm sure a lot other people will as well....


Almost all of this is optional though. If you only want to use your username & password, there's nothing you need to do. The rest you only need to add if you want it, and it pretty much all works the way you'd expect from any other service implementing two-factor auth.
Terry is offline   Reply With Quote
Old 24 Jul 2016, 02:55 PM   #81
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,084
This whole thread confirms something I have believed for some time now. Fastmail staff are smart, but many of them also believe they know user requirements without any consultation. This leads to user dissatisfaction when features are removed or changed without any prior discussion. Fastmail was not always like this. One of the things that attracted me to the service in the Jeremy Howard era was its recognition of the value of partnering with its users rather than dictating what they should have.

For the most part, the new security scheme is excellent, and will work well for most of us. However, with some discussion, the value of a continued restricted web access option would have been clear. If it was still killed, it at least would have been based on a fuller understanding of the costs and benefits involved. With prior consultation, those affected would (I believe) while not happy about removed features, have been more willing to accept that their views were at least carefully considered.
BritTim is offline   Reply With Quote
Old 24 Jul 2016, 03:32 PM   #82
David
Ultimate Contributor
 
Join Date: Dec 2001
Location: Canada.
Posts: 10,355
Quote:
Originally Posted by BritTim View Post
This whole thread confirms something I have believed for some time now. Fastmail staff are smart, but many of them also believe they know user requirements without any consultation. This leads to user dissatisfaction when features are removed or changed without any prior discussion. Fastmail was not always like this. One of the things that attracted me to the service in the Jeremy Howard era was its recognition of the value of partnering with its users rather than dictating what they should have.
Yes: it is true BritTim, for sure. I do hope that Jeremy will return soon
David is offline   Reply With Quote
Old 24 Jul 2016, 05:55 PM   #83
rharha
Senior Member
 
Join Date: Oct 2013
Posts: 100
I was grousing that account recovery would be possible with one factor but was wrong. Just read that you also need a second factor in that case. Very cool. Looking forward to tomorrow.

https://blog.fastmail.com/2016/07/21...-reset-secure/

Last edited by rharha : 24 Jul 2016 at 06:38 PM.
rharha is offline   Reply With Quote
Old 24 Jul 2016, 06:14 PM   #84
FredOnline
The "e" in e-mail
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
I'm guessing that the new changes will be like manna from heaven for the Fastmail phishermen.
FredOnline is offline   Reply With Quote
Old 24 Jul 2016, 06:30 PM   #85
rharha
Senior Member
 
Join Date: Oct 2013
Posts: 100
Quote:
Originally Posted by FredOnline View Post
I'm guessing that the new changes will be like manna from heaven for the Fastmail phishermen.
Why that? 2FA secures you against someone logging in just with your pw. The changes are especially great for people prone to phishing.
rharha is offline   Reply With Quote
Old 24 Jul 2016, 06:36 PM   #86
robn
Master of the @
 
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007

Representative of:
Fastmail.fm
Quote:
Originally Posted by rharha View Post
That sounds as if you can reset your password with just one factor (alt mail or phone number).
Not so. I didn't describe the recovery process at all, other than to say the backup email/phone "will be used to help you recover your account". It's part of the recovery process. It's not the only part.
robn is offline   Reply With Quote
Old 24 Jul 2016, 06:46 PM   #87
rharha
Senior Member
 
Join Date: Oct 2013
Posts: 100
I know - was fantasising. Just read the blog post.
rharha is offline   Reply With Quote
Old 24 Jul 2016, 06:51 PM   #88
FredOnline
The "e" in e-mail
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
Quote:
Originally Posted by rharha View Post
Why that? 2FA secures you against someone logging in just with your pw.
And how does that stop phishing attempts?
FredOnline is offline   Reply With Quote
Old 24 Jul 2016, 06:54 PM   #89
rharha
Senior Member
 
Join Date: Oct 2013
Posts: 100
Quote:
Originally Posted by FredOnline View Post
And how does that stop phishing attempts?
Of course it doesn't stop attempts but attempts will likely remain attempts. A phisher can only get your pw but not your phone.

Edit: If a phisher sets up a fake website where you have to enter the TOTP and you do that, he can also get in your account during the minute that TOTP is valid. Changed passwords can now be reversed for 24 h, though. All very well thought out by FM.

Last edited by rharha : 24 Jul 2016 at 07:03 PM.
rharha is offline   Reply With Quote
Old 24 Jul 2016, 07:26 PM   #90
gardenweed
Cornerstone of the Community
 
Join Date: Jun 2008
Location: Perth
Posts: 664
Quote:
Originally Posted by robn View Post
Ok, here's my attempt to clarify everything. ....
Thanks for the detailed explanation Rob.

So if choosing to go with one of the 2 factor options, what are the recommendations regarding creation of the 'master' password, ie the 1st factor?
I can see that I would want it to be easily memorised/recalled.
Are there some guidelines for best practice here?
gardenweed is offline   Reply With Quote
Reply


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Forum Jump


All times are GMT +9. The time now is 04:41 PM.

 

Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy