FastMail Forum: All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.

24 Jul 2016, 07:38 AM | #76
Cornerstone of the Community
Join Date: Jun 2008
Location: Perth
Posts: 664
Quote:
And that when using TOTP, you will be able to nominate a PC as trusted, and not have to use 2-factor after the initial login - I gather that the password will be saved. I assume that all of these login types will be restricted access sessions, and that full access will be restricted to the master password sessions.
24 Jul 2016, 10:03 AM | #77
The "e" in e-mail
Join Date: Jul 2002
Location: VK4
Posts: 2,995
I hope this may help a few people.
https://blog.fastmail.com/2016/07/18...n-more-secure/ https://blog.fastmail.com/
24 Jul 2016, 01:38 PM | #78
Master of the @
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007
Representative of:
Fastmail.fm

Ok, here's my attempt to clarify everything. This is all in the new documentation and you'll be guided through it in the UI, so no need to memorise this.

You have a "master" password. Just one. It's what you use to access your account via the web. It's a "full access" login (there's no such thing as "restricted" logins anymore, except during the transition period where existing "Alternative Logins" continue to work. I've written more about restricted logins below).

From the web interface, you can access the new "Password & Security" screen. This asks for your password before you can make any changes (the "master" password - you only have one). Here, you can, if you choose, add and verify a recovery method - either an email address or SMS number. This will be used to help you recover your account should you ever lose access to it (lost password and/or second factors).

Once you've added a recovery method you can, if you choose, add second factor options to your account - U2F, TOTP (ie "Google Authenticator") or old-style YubiKey OTP. You can add as many of these as you like. Once you add second factors, you will be required to use a second factor along with your password (the "master" password) during web login.

When you use your second factor, you will be offered the option to trust the current device. If you take this option, you will NOT be asked for a second factor the next time you login from the current device (actually browser; it's tracked with a cookie). If you have added an SMS recovery option and a U2F, TOTP or YubiKey OTP second factor, you will also be offered the option to use a code sent to your phone as your second factor during login.

There are options in the Password & Settings UI to remove trust for the current device or for ALL devices. Removing trust simply means that you will be asked for a second factor at login again. You can also individually logout web sessions, just as you can now.

For non-web logins (any IMAP/CalDAV/CardDAV/SMTP/LDAP/FTP clients), you create app passwords. When creating, you specify which protocols the password will be valid for. The idea is that you'll create a single password for every app you use. The passwords are generated by the server so they're guaranteed to be strong. As a transition step, your master password will be able to login to all protocols via the "messagingengine.com" server names. At the same time, we'll be providing new per-protocol names eg imap.fastmail.com, caldav.fastmail.com, etc. These will only accept application passwords of the correct type.

The UI will show you the last time any second factor or app password was used, including IP address and location. You have the option to delete any of them when you please.

If you've previously set up alternative logins, some of them will continue to work until 31 August - specifically, SMS OTP, YubiKey 2-factor, TOTP (Google Authenticator) and Regular Password. These all require the associated base password instead of the "master" password and honour the "full access" setting (that is, will create a "restricted" web session). These are not configurable through the new Password & Security settings screen, and no new ones can be created. They can be deleted through the old Alternative Logins screen. On 31 August they will cease to operate. OTP, 1hr OTP, 1hr SMS OTP and YubiKey one-factor are not supported at all in the new system and will cease to function when the new system is deployed.

For Classic logins, you will be able to use TOTP and YubiKey OTP second factors. U2F is not available (due to the Javascript requirement) and SMS is not available (due to the need for a multi-stage login flow, which we're not planning to implement for Classic). The Password & Security screen is only available in the standard client; there's no similar screen in Classic. You only need to set that all up once though.

Restricted logins are not a part of the new authentication system (except for Alternative Logins during the transition period) because we've found that they don't actually protect against the most dangerous things a malicious person could do with access to an account, while being very inconvenient for normal usage. A restricted login would not stop them reading all your personal information. It would not stop them emailing your friends and family pretending to be you and asking for money. It would not stop them from resetting your password at every other online service which is linked to your email. Preventing the permanent deletion of email is not even that useful, as our restore from backup service would allow you to restore this for up to 7 days afterwards anyway. Meanwhile, the restrictions mean that normal operation can be painful – no ability to add or edit new contacts or calendar events, or quickly create a rule from a message for example.

This is why in the new system we have concentrated on making it easier to secure your account with two-step verification: the best way to stop an attacker gaining access to your account altogether. Two-step verification means that if someone steals your password, they still won't have access to your account.

Almost all of this is optional though. If you only want to use your username & password, there's nothing you need to do. The rest you only need to add if you want it, and it pretty much all works the way you'd expect from any other service implementing two-factor auth.

I think that's everything. I'll try to answer specific questions and help with adjusting your workflow if I can, but I'm also pretty busy at the moment - I've got a major feature release to prepare for. Do have a look at the blog if you haven't yet. The last three posts in particular have screenshots of the login screens at the second-factor stage, which might aid understanding.
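The app-password model Rob describes above (server-generated secrets, each bound to a set of protocols, with last-use time and IP recorded) can be sketched server-side. This is an added illustration, not Fastmail's code; the record layout, the PBKDF2 storage, the 16-character alphabet and the protocol names are assumptions:

```python
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed model of per-protocol app passwords (not Fastmail's implementation).
ALPHABET = string.ascii_lowercase + string.digits  # assumed password alphabet


@dataclass
class AppPassword:
    name: str                 # label the user gave it, e.g. "phone mail"
    protocols: frozenset      # protocols this password is valid for
    salt: bytes
    digest: bytes             # only the salted hash is stored, never the secret
    last_used: dict = field(default_factory=dict)  # {"when": ..., "ip": ...}


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def create_app_password(name, protocols):
    """Generate a random 16-char password server-side (so it is always strong)
    and return (plaintext to show the user once, record to store)."""
    plain = "".join(secrets.choice(ALPHABET) for _ in range(16))
    salt = os.urandom(16)
    rec = AppPassword(name, frozenset(protocols), salt, _hash(plain, salt))
    return plain, rec


def authenticate(records, candidate, protocol, client_ip, now=None):
    """Return the record that `candidate` matches if it is valid for `protocol`
    (the protocol the endpoint serves, e.g. 'imap' on imap.fastmail.com),
    otherwise None. A valid password for the wrong protocol is refused, and
    a successful use is recorded for the 'last used' display."""
    match = None
    for rec in records:
        if hmac.compare_digest(_hash(candidate, rec.salt), rec.digest):
            match = rec
    if match is None or protocol not in match.protocols:
        return None
    match.last_used = {"when": now or datetime.now(timezone.utc), "ip": client_ip}
    return match
```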
24 Jul 2016, 02:31 PM | #79
Essential Contributor
Join Date: Oct 2004
Location: Baltimore, MD Suburbs (US)
Posts: 237
Quote:
(and it looks like the new security features won't work for me anyway... in my workplace I can't bring in a cell phone, nor insert a USB device. The parking lot is too far to run in and jump on my computer in the 60 second or so window discussed.) Back to the drawing board. PROGRESS!! ;-)
24 Jul 2016, 02:54 PM | #80
The "e" in e-mail
Join Date: Jul 2002
Location: VK4
Posts: 2,995
Thanks Rob for pointing out this part, I feel a lot happier now and I'm sure a lot of other people will as well....

Quote:
Almost all of this is optional though. If you only want to use your username & password, there's nothing you need to do. The rest you only need to add if you want it, and it pretty much all works the way you'd expect from any other service implementing two-factor auth.
24 Jul 2016, 02:55 PM | #81
The "e" in e-mail
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,084
This whole thread confirms something I have believed for some time now. Fastmail staff are smart, but many of them also believe they know user requirements without any consultation. This leads to user dissatisfaction when features are removed or changed without any prior discussion. Fastmail was not always like this. One of the things that attracted me to the service in the Jeremy Howard era was its recognition of the value of partnering with its users rather than dictating what they should have.

For the most part, the new security scheme is excellent, and will work well for most of us. However, with some discussion, the value of a continued restricted web access option would have been clear. If it was still killed, it at least would have been based on a fuller understanding of the costs and benefits involved. With prior consultation, those affected would (I believe), while not happy about removed features, have been more willing to accept that their views were at least carefully considered.
24 Jul 2016, 03:32 PM | #82
Ultimate Contributor
Join Date: Dec 2001
Location: Canada.
Posts: 10,355
24 Jul 2016, 05:55 PM | #83
Senior Member
Join Date: Oct 2013
Posts: 100
I was grousing that account recovery would be possible with one factor but was wrong. Just read that you also need a second factor in that case. Very cool. Looking forward to tomorrow.
https://blog.fastmail.com/2016/07/21...-reset-secure/

Last edited by rharha : 24 Jul 2016 at 06:38 PM.
24 Jul 2016, 06:14 PM | #84
The "e" in e-mail
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
I'm guessing that the new changes will be like manna from heaven for the Fastmail phishermen.
24 Jul 2016, 06:30 PM | #85
Senior Member
Join Date: Oct 2013
Posts: 100
24 Jul 2016, 06:36 PM | #86
Master of the @
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007
Representative of:
Fastmail.fm

Not so. I didn't describe the recovery process at all, other than to say the backup email/phone "will be used to help you recover your account". It's part of the recovery process. It's not the only part.
24 Jul 2016, 06:46 PM | #87
Senior Member
Join Date: Oct 2013
Posts: 100
I know - was fantasising. Just read the blog post.
24 Jul 2016, 06:51 PM | #88
The "e" in e-mail
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
24 Jul 2016, 06:54 PM | #89
Senior Member
Join Date: Oct 2013
Posts: 100
Of course it doesn't stop attempts but attempts will likely remain attempts. A phisher can only get your pw but not your phone.

Edit: If a phisher sets up a fake website where you have to enter the TOTP and you do that, he can also get in your account during the minute that TOTP is valid. Changed passwords can now be reversed for 24 h, though. All very well thought out by FM.

Last edited by rharha : 24 Jul 2016 at 07:03 PM.
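The "minute that TOTP is valid" rharha mentions is set by how the server verifies codes. This added example (not Fastmail's code) implements RFC 6238 TOTP checking with a one-step drift window and single-use enforcement, so a code is accepted only near its own time step and never a second time; the step, digit count and window values are assumptions, and the secret is the RFC 4226/6238 test key.

```python
import hashlib
import hmac
import struct
import time

# Added illustration of server-side TOTP verification (not Fastmail's code).
STEP = 30      # seconds per time step (assumed, the common default)
DIGITS = 6     # code length (assumed, as used by Google Authenticator apps)
WINDOW = 1     # also accept the previous and next step to tolerate clock drift


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation,
    then the low DIGITS decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // STEP)


class TotpVerifier:
    """Accepts codes for steps [now-WINDOW, now+WINDOW] and remembers the
    highest step already consumed, so a code that was used once (by the
    account owner or by anyone who captured it) is not accepted again."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_used_step = -1

    def verify(self, code: str, at: int = None) -> bool:
        at = int(time.time()) if at is None else at
        step = at // STEP
        for candidate in range(step - WINDOW, step + WINDOW + 1):
            if candidate <= self.last_used_step:
                continue  # that step's code is already spent: reject the replay
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_used_step = candidate
                return True
        return False
```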
24 Jul 2016, 07:26 PM | #90
Cornerstone of the Community
Join Date: Jun 2008
Location: Perth
Posts: 664
Thanks for the detailed explanation Rob.

So if choosing to go with one of the 2 factor options, what are the recommendations regarding creation of the 'master' password, ie the 1st factor? I can see that I would want it to be easily memorised/recalled. Are there some guidelines for best practice here?