FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.
23 Apr 2016, 01:29 PM | #1
Cornerstone of the Community
Join Date: Jan 2003
Location: The Village
Posts: 605
Support for FIDO U2F authentication?
Is there any news about whether FM will support the FIDO U2F 2-factor authentication standard any time soon?
23 Apr 2016, 02:59 PM | #2
The "e" in e-mail
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,090
I would also like to see this. I appreciate that browser support is coming slower than originally anticipated. I think Apple's desire to have their own proprietary security solutions rather than getting on board with the FIDO alliance has also slowed adoption. Nevertheless, U2F still looks technically the best authentication standard yet devised.
29 Apr 2016, 07:39 PM | #3
Essential Contributor
Join Date: Mar 2002
Location: Wicklow, Ireland
Posts: 449
Agree. Upgraded my Yubikey long ago.
29 Apr 2016, 07:50 PM | #4
The "e" in e-mail
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
1 May 2016, 08:11 AM | #5
Cornerstone of the Community
Join Date: Jan 2003
Location: The Village
Posts: 605
I don't think they'll ever want to force people to have some kind of external device to do 2FA... (I, for instance, do not have a smartphone and hope not to have one for quite a while yet)... so there will always be some who resist, against their own best interests, but yes... in the long run we hope most of the world goes this way...
1 May 2016, 09:32 AM | #6
The "e" in e-mail
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
Quote:
2 May 2016, 09:24 AM | #7
Cornerstone of the Community
Join Date: Jan 2003
Location: The Village
Posts: 605
2 May 2016, 01:02 PM | #8
The "e" in e-mail
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
Quote:
What you don't want is the ability of someone to call FastMail and use social engineering to get your password reset. So two factor provides a host of options to reset, usually requiring a combination of backup email accounts and SMS or other methods.
3 May 2016, 08:26 AM | #9
Cornerstone of the Community
Join Date: Jan 2003
Location: The Village
Posts: 605
Quote:
Quote:
Edit: Found it. Looks like a very good set of security questions, but I guess not out of range for a determined social engineer, esp. one with the ability to look over your shoulder without causing you suspicion. Last edited by NumberSix : 3 May 2016 at 01:43 PM.
14 May 2016, 02:17 PM | #10
Essential Contributor
Join Date: Mar 2014
Posts: 212
Quote:
(My wife and I have multiple keys for redundancy.)
15 May 2016, 04:46 PM | #11
Cornerstone of the Community
Join Date: Jan 2003
Location: The Village
Posts: 605
So, you're saying that by having multiple tokens/keys, it would be ok (if FM were to allow it) to have no master p/w, but 2FA as the only possible way to login? I dunno.... the idea still makes me uncomfortable. Although a password can be snooped from the keyboard by a sufficiently clever person, a physical token could also be stolen by a s.c.p., and since the p/w that is used with the token is used often, it is perhaps more susceptible to being snooped. OTOH, someone exploiting a MITM attack against https (state actor, say) could grab the master p/w fairly easily, whereas stealing a physical token requires quite a bit of highly sophisticated spying and physical intrusion capabilities, even for a state actor. So many possibilities to defend against.
16 May 2016, 08:11 AM | #12
The "e" in e-mail
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
Quote:
Everything I have now uses two factor, except for Fastmail... And yes, it is easy to reset, if you lose your token, but not easy for someone who doesn't have access to the other parts of the key. Two factor = two parts of a key that have to work together. Check out the way Google does two-factor. Very simple. There are apps you can load onto portable devices to provide a reset token, or there are other ways you can reset. But still, you need the other half of the key... no single piece of the key can open the door. Please do not criticize two-factor and the security and how to reset, if you've never tried it. It is a VERY well thought out system...
16 May 2016, 05:08 PM | #13
Essential Contributor
Join Date: Mar 2014
Posts: 212
|
Nope, I am advocating using a password plus U2F key. I was just arguing that in that constellation no harm is done when you lose a U2F key.
18 May 2016, 01:51 AM | #14
Essential Contributor
Join Date: Apr 2008
Posts: 371
|
Most sites that use app-based 2FA provide backup codes to be used in the event that the 2FA app or device is lost, so in a sense, these are the same as a static password. Further, I'm not convinced that 2FA is inherently any more social-engineering-proof than a single password.

If you call up any given provider, they should request enough authenticating information to verify your identity before resetting a password regardless of whether you're using 2FA or not. The only case in which 2FA would be of any use whatsoever is if you're dealing with a provider that outright refuses to reset anything at all under any circumstances, which I don't think is a realistic business model for most companies.

In my case, I've simply set an extremely long random password for my FastMail "Master" password which I never use except when it's absolutely required (which is really only when setting up other alternative logins). I've created another long randomized password for IMAP access from each of my devices, which is simply saved in the appropriate clients, so it's essentially just a pre-shared key. As long as you're using an IMAP client, there aren't really any other viable approaches anyway, as few if any IMAP apps support 2FA.

For web-based access, I use alternative logins that employ TOTP and SMS-based authentication methods, with varying security levels for each. IMHO, it's the web-based access that's the most likely attack vector anyway, particularly if you're regularly accessing your webmail from insecure locations.