EmailDiscussions.com  
Old 23 Apr 2016, 01:29 PM   #1
NumberSix
Cornerstone of the Community
 
Join Date: Jan 2003
Location: The Village
Posts: 605
Support for FIDO U2F authentication?

Is there any news about whether FM will support the FIDO U2F 2-factor authentication standard any time soon?

Old 23 Apr 2016, 02:59 PM   #2
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,090
I would also like to see this. I appreciate that browser support is coming slower than originally anticipated. I think Apple's desire to have their own proprietary security solutions rather than getting on board with the FIDO alliance has also slowed adoption. Nevertheless, U2F still looks technically the best authentication standard yet devised.
Old 29 Apr 2016, 07:39 PM   #3
PON
Essential Contributor
 
Join Date: Mar 2002
Location: Wicklow, Ireland
Posts: 449
Agree. Upgraded my Yubikey long ago.
Old 29 Apr 2016, 07:50 PM   #4
ChinaLamb
The "e" in e-mail
 
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
Quote:
Originally Posted by PON View Post
Agree. Upgraded my Yubikey long ago.
Would love to see two factor as the only way to log in...
Old 1 May 2016, 08:11 AM   #5
NumberSix
Cornerstone of the Community
 
Join Date: Jan 2003
Location: The Village
Posts: 605
Quote:
Originally Posted by ChinaLamb View Post
Would love to see two factor as the only way to log in...
I don't think they'll ever want to force people to have some kind of external device to do 2FA... (I, for instance, do not have a smartphone and hope not to have one for quite a while yet)... so there will always be some who resist, against their own best interests, but yes... in the long run we hope most of the world goes this way...
Old 1 May 2016, 09:32 AM   #6
ChinaLamb
The "e" in e-mail
 
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
Quote:
Originally Posted by NumberSix View Post
I don't think they'll ever want to force people to have some kind of external device to do 2FA... (I, for instance, do not have a smartphone and hope not to have one for quite a while yet)... so there will always be some who resist, against their own best interests, but yes... in the long run we hope most of the world goes this way...
No desire to force it on people that don't want it. No one means that. I just want my main password to force my account to have two factor. Not force everyone...
Old 2 May 2016, 09:24 AM   #7
NumberSix
Cornerstone of the Community
 
Join Date: Jan 2003
Location: The Village
Posts: 605
Quote:
Originally Posted by ChinaLamb View Post
I just want my main password to force my account to have two factor. Not force everyone...
You mean your master password would require the 2nd factor, so that there's no way to login without the 2nd factor at all? What happens if you lose it?
Old 2 May 2016, 01:02 PM   #8
ChinaLamb
The "e" in e-mail
 
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
Quote:
Originally Posted by NumberSix View Post
You mean your master password would require the 2nd factor, so that there's no way to login without the 2nd factor at all? What happens if you lose it?
What happens if you lose your fastmail password? It's the same thing.

What you don't want is the ability of someone to call FastMail and use social engineering to get your password reset.

So two factor provides a host of options to reset, usually requiring a combination of backup email accounts and sms or other methods.
Old 3 May 2016, 08:26 AM   #9
NumberSix
Cornerstone of the Community
 
Join Date: Jan 2003
Location: The Village
Posts: 605
Quote:
Originally Posted by ChinaLamb View Post
What happens if you lose your fastmail password? It's the same thing.
Weeelll... a physical token accidentally dropped into an industrial meat grinder is gone, whereas there are a variety of ways to safely backup a password in multiple locations.

Quote:
What you don't want is the ability of someone to call FastMail and use social engineering to get your password reset.
I wonder how much of a danger this really is. Do we know what FM's policy is for identity confirmation in such cases?

Edit: Found it. Looks like a very good set of security questions, but I guess not out of range for a determined social engineer, esp. one with the ability to look over your shoulder without causing you suspicion.

Last edited by NumberSix : 3 May 2016 at 01:43 PM.
Old 14 May 2016, 02:17 PM   #10
danieldk
Essential Contributor
 
Join Date: Mar 2014
Posts: 212
Quote:
Originally Posted by NumberSix View Post
Weeelll... a physical token accidentally dropped into an industrial meat grinder is gone, whereas there are a variety of ways to safely backup a password in multiple locations.
Most sites that support U2F allow you to associate multiple keys. Since keys cost very little, just associate a key that you store in a safe location.

(My wife and I have multiple keys for redundancy.)
Old 15 May 2016, 04:46 PM   #11
NumberSix
Cornerstone of the Community
 
Join Date: Jan 2003
Location: The Village
Posts: 605
Quote:
Originally Posted by danieldk View Post
Most sites that support U2F allow you to associate multiple keys. Since keys cost very little, just associate a key that you store in a safe location.
So, you're saying that by having multiple tokens/keys, it would be ok (if FM were to allow it) to have no master p/w, but 2FA as the only possible way to login? I dunno.... the idea still makes me uncomfortable. Although a password can be snooped from the keyboard by a sufficiently clever person, a physical token could also be stolen by a s.c.p., and since the p/w that is used with the token is used often, it is perhaps more susceptible to being snooped. OTOH, someone exploiting a MITM attack against https (state actor, say) could grab the master p/w fairly easily, whereas stealing a physical token requires quite a bit of highly sophisticated spying and physical intrusion capabilities, even for a state actor. So many possibilities to defend against.
Old 16 May 2016, 08:11 AM   #12
ChinaLamb
The "e" in e-mail
 
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
Quote:
Originally Posted by NumberSix View Post
So, you're saying that by having multiple tokens/keys, it would be ok (if FM were to allow it) to have no master p/w, but 2FA as the only possible way to login? I dunno.... the idea still makes me uncomfortable. Although a password can be snooped from the keyboard by a sufficiently clever person, a physical token could also be stolen by a s.c.p., and since the p/w that is used with the token is used often, it is perhaps more susceptible to being snooped. OTOH, someone exploiting a MITM attack against https (state actor, say) could grab the master p/w fairly easily, whereas stealing a physical token requires quite a bit of highly sophisticated spying and physical intrusion capabilities, even for a state actor. So many possibilities to defend against.
No one would force you to use two factor authentication... HOWEVER, there are many of us that stake our careers, and our personal data on two factor security.

Everything I have now uses two factor, except for Fastmail...

And yes, it is easy to reset, if you lose your token, but not easy for someone who doesn't have access to the other parts of the key. Two factor = two parts of a key that have to work together.

Check out the way Google does two-factor. Very simple. There are apps you can load onto portable devices to provide a reset token, or there are other ways you can reset. But still, you need the other half of the key... no single piece of the key can open the door.

Please do not criticize two-factor and the security and how to reset, if you've never tried it. It is a VERY well thought out system...
Old 16 May 2016, 05:08 PM   #13
danieldk
Essential Contributor
 
Join Date: Mar 2014
Posts: 212
Quote:
Originally Posted by NumberSix View Post
So, you're saying that by having multiple tokens/keys, it would be ok (if FM were to allow it) to have no master p/w, but 2FA as the only possible way to login?
Nope, I am advocating using a password plus U2F key. I was just arguing that in that constellation no harm is done when you lose a U2F key.
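To make danieldk's point concrete (several U2F keys registered against one account, so losing one is harmless, while the appId baked into every signature keeps a credential bound to the real site), here is an added illustration written for this thread; it is not FastMail code, and the appId string, client data and counters used with it are constructed placeholders. It follows the U2F raw authentication message layout (application parameter, user-presence byte, 4-byte counter, challenge parameter) and uses P-256 ECDSA as real tokens do.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)

// Credential: what the site stores per registered key (public key + last counter).
type Credential struct {
	Pub     *ecdsa.PublicKey
	Counter uint32
}
// Account lists the registered keys; any one of them satisfies the 2nd factor.
type Account struct{ Keys []*Credential }
// NewKey models one more hardware token: a fresh P-256 key pair (simulated here).
func NewKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errs only if the RNG does
	return k
}

// u2fMessage is what a U2F token signs when authenticating:
// sha256(appId) || user-presence flag || big-endian counter || sha256(clientData).
func u2fMessage(appID string, counter uint32, clientData []byte) []byte {
	app, cd := sha256.Sum256([]byte(appID)), sha256.Sum256(clientData)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	msg := append(app[:], 0x01) // 0x01: the token's button was touched
	return append(append(msg, ctr[:]...), cd[:]...)
}

// Sign is the token's side: it signs for whatever appId the browser presented,
// so a signature made on a look-alike site will not verify for the real one.
func Sign(priv *ecdsa.PrivateKey, appID string, counter uint32, clientData []byte) []byte {
	h := sha256.Sum256(u2fMessage(appID, counter, clientData))
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return sig
}
// Verify is the site's side: accept if some registered key signed this message
// for the site's own appId and its counter moved forward (clone detection).
func (a *Account) Verify(appID string, clientData, sig []byte, counter uint32) bool {
	h := sha256.Sum256(u2fMessage(appID, counter, clientData))
	for _, c := range a.Keys {
		if counter > c.Counter && ecdsa.VerifyASN1(c.Pub, h[:], sig) {
			c.Counter = counter
			return true
		}
	}
	return false
}
```

With two keys registered, either one passes, a replayed or out-of-order counter is refused, and a signature produced for a different appId fails even though it came from a registered key.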
Old 18 May 2016, 01:51 AM   #14
jhollington
Essential Contributor
 
Join Date: Apr 2008
Posts: 371
Most sites that use app-based 2FA provide backup codes to be used in the event that the 2FA app or device is lost, so in a sense, these are the same as a static password. Further, I'm not convinced that 2FA is inherently any more social-engineering-proof than a single password.

If you call up any given provider, they should request enough authenticating information to verify your identity before resetting a password regardless of whether you're using 2FA or not. The only case in which 2FA would be of any use whatsoever is if you're dealing with a provider that outright refuses to reset anything at all under any circumstances, which I don't think is a realistic business model for most companies.

In my case, I've simply set an extremely long random password for my FastMail "Master" password which I never use except when it's absolutely required (which is really only when setting up other alternative logins). I've created another long randomized password for IMAP access from each of my devices, which is simply saved in the appropriate clients, so it's essentially just a pre-shared key. As long as you're using an IMAP client, there aren't really any other viable approaches anyway, as few if any IMAP apps support 2FA.

For web-based access, I use alternative logins that employ TOTP and SMS-based authentication methods, with varying security levels for each. IMHO, it's the web-based access that's the most likely attack vector anyway, particularly if you're regularly accessing your webmail from insecure locations.
All times are GMT +9. The time now is 04:50 PM.
Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy