EmailDiscussions.com  

FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.

Old 31 Jul 2016, 04:47 PM   #226
FredOnline
The "e" in e-mail
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
Quote (originally posted by easemail):
When I go to the security screen it shows me all the ways to do account recovery. If I step away from my computer and somebody navigates to that page, they now know various attack vectors to get my account.

Why not just let account recovery information just be shown AFTER you enter a master password on that screen?
And what if you step away from your computer AFTER you had entered your master password?
Old 31 Jul 2016, 04:48 PM   #227
hadaso
The "e" in e-mail
 
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 4,799
Quote (originally posted by JamesHenderson):
...can you use a client that requires one of the new app passwords (which you cannot use to logon to the web interface and hence keep your settings secure)?
Only web access. None of the email protocols (IMAP/POP/SMTP) is allowed through the firewall.
Old 31 Jul 2016, 07:01 PM   #228
edu
Senior Member
 
Join Date: Jun 2016
Posts: 194
Maybe this is off-topic for this thread, but... have you thought of using SSH tunnelling to get past that company's firewall? Or maybe you can't risk doing that. Example: identitycloaker.com (you don't need admin rights).
Old 31 Jul 2016, 07:07 PM   #229
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,933
Quote (originally posted by edu):
...identitycloaker.com (you don't need admin rights).
Correct, you don't. That's because you cannot access the site:
Quote:
You don't have permission to access /amember/signup.php on this server.
Old 31 Jul 2016, 07:10 PM   #230
edu
Senior Member
 
Join Date: Jun 2016
Posts: 194
Quote (originally posted by janusz):
Correct, you don't. That's because you cannot access the site:
It must be your computer or DNS. It works.
Old 3 Aug 2016, 07:43 AM   #231
hadaso
The "e" in e-mail
 
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 4,799
Quote (originally posted by hadaso):
...
What I'd like to see is that in addition to SMS, TOTP, U2F and YubiKey OTP, the "Set up Two-Step Verification" section would have an additional option of "Print list of OTPs". Then this would be used just like the TOTP option (after the username and master password are entered, a prompt for an additional unused password from the list, or 3 fields in the login screen, for username, main password and OTP in the classic login page).

This shouldn't be too difficult to implement.
Today I saw that Gmail (that is, Google accounts) has this. They call it "Backup codes" and suggest that their users have these as a backup method for when they don't have their phone or security key (they are not recovery codes).

Last edited by hadaso : 3 Aug 2016 at 07:54 AM.
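The printed-list scheme hadaso proposes (and the Google "Backup codes" it is compared to) works like this on the server side. This is an added illustration written for this thread, not Fastmail's or Google's code; it assumes the server stores only salted hashes of the codes and consumes each code on first use, after the master password has already been checked.

```python
"""Single-use backup codes as a second factor (illustrative, not Fastmail's code)."""
import hashlib
import hmac
import secrets

# Alphabet without 0/O/1/l/I so a printed sheet can be read back without ambiguity.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def _digest(salt: bytes, code: str) -> bytes:
    # Normalise what the user types so "ABCD-EFGH" and "abcdefgh" are the same code.
    normalised = code.replace("-", "").replace(" ", "").lower()
    return hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, 50_000)


def generate_backup_codes(count: int = 10, length: int = 8):
    """Return (plaintext codes to print once, record to store server-side).

    The plaintext list is shown to the user exactly once; the server keeps
    only the salt and the hashes of the codes that have not yet been used.
    """
    salt = secrets.token_bytes(16)
    codes: list[str] = []
    while len(codes) < count:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if candidate not in codes:          # keep the printed list free of duplicates
            codes.append(candidate)
    stored = {"salt": salt, "unused": [_digest(salt, c) for c in codes]}
    return codes, stored


def redeem_backup_code(stored: dict, attempt: str) -> bool:
    """Consume a code if it matches an unused one; every code works exactly once.

    Called at the same point a TOTP prompt would be, i.e. only after username and
    master password succeeded. All stored hashes are compared (no early exit) so
    timing does not reveal which slot, if any, matched.
    """
    candidate = _digest(stored["salt"], attempt)
    matched = None
    for h in stored["unused"]:
        if hmac.compare_digest(h, candidate):
            matched = h
    if matched is None:
        return False
    stored["unused"].remove(matched)         # single use: the hash is gone after success
    return True


def format_for_printing(codes):
    # Group as xxxx-xxxx so the sheet the user prints is easy to read back.
    return [f"{c[:4]}-{c[4:]}" for c in codes]
```

Replaying a code that has already been used fails, which is what separates these from a static "recovery" password.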
Old 7 Aug 2016, 08:23 PM   #232
17pm
Cornerstone of the Community
 
Join Date: Sep 2013
Posts: 536
Not sure if this belongs in this thread, but I'll ask here:

Now that YubiKey seems to be going the closed-source way, I'm looking for alternatives. I came across Nitrokey. Does Fastmail support Nitrokey's OTP?
Old 7 Aug 2016, 08:26 PM   #233
robn
Master of the @
 
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007

Representative of:
Fastmail.fm
Quote (originally posted by 17pm):
Now that YubiKey seems to be going the closed-source way, I'm looking for alternatives. I came across Nitrokey. Does Fastmail support Nitrokey's OTP?
Nitrokey claims to support TOTP, which we support. I've not tested it, but I see no reason why it wouldn't work if their claim is true.

I have tested Nitrokey's U2F against FastMail, and that does work.
Old 7 Aug 2016, 09:56 PM   #234
walesrob
Essential Contributor
 
Join Date: Dec 2006
Location: UK
Posts: 392
Quote (originally posted by hadaso):
Today I saw that Gmail (that is, Google accounts) has this. They call it "Backup codes" and suggest that their users have these as a backup method for when they don't have their phone or security key (they are not recovery codes).
Something I think would be a great idea, especially if one goes travelling and loses a mobile device or doesn't have a mobile signal. How about it Fastmail?
Old 7 Aug 2016, 10:14 PM   #235
17pm
Cornerstone of the Community
 
Join Date: Sep 2013
Posts: 536
Quote (originally posted by robn):
Nitrokey claims to support TOTP, which we support. I've not tested it, but I see no reason why it wouldn't work if their claim is true.

I have tested Nitrokey's U2F against FastMail, and that does work.
You should buy a nitrokey and test it ;D
Old 8 Aug 2016, 08:29 AM   #236
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,084
The unfortunate decision to eliminate alternative passwords for web logins, requiring use of the master password, among other things introduces the following exposure:
  • Being security conscious, I require 2-factor authentication for web logins. This protects me well when an attacker is kind enough not to use IMAP.
  • My master password is compromised (not too surprising when I am required to use it everywhere on a daily basis).
  • An attacker can now just set up an IMAP connection using mail.messagingengine.com and my master password, with no second factor required for access.
One solution to this would be to insist that application passwords always be used by everyone for IMAP access. Please do not do that! The best solution would be web-only alternative passwords. I am guessing Fastmail will refuse to do that. The next best option is an opt-in, non-default but recommended option, "Require Application Passwords", that would prevent IMAP use with the master password.
Old 8 Aug 2016, 09:37 AM   #237
DumbGuy
Essential Contributor
 
Join Date: Oct 2008
Posts: 212
I too don't like this business of always having to use my master pw to log in (from what I read, as I haven't yet switched over to the new authentication system, and will use alt logins for another 1-2 weeks).

Having printed "backup codes" would be a great idea, as it allows for a 2FA login option that doesn't rely on a physical device. (I can even memorize a backup code for emergency use.)

I think the alternative logins system at FM was one of its top security features and biggest selling points for those who wanted to be particularly security conscious with granular login options, and I'm sad to see it go.
Old 8 Aug 2016, 09:39 AM   #238
NumberSix
Cornerstone of the Community
 
Join Date: Jan 2003
Location: The Village
Posts: 599
Quote (originally posted by BritTim):
  • An attacker can now just set up an IMAP connection using mail.messagingengine.com and my master password with no second factor required for access.
I had thought there was a setting to disable IMAP and POP access entirely (and that I had set it that way), but when I looked again just now, I can't find it. So... this means an attacker could use IMAP as an access vector even though I never use IMAP myself, right?

Quote (originally posted by BritTim):
The best solution would be web only alternative passwords. I am guessing Fastmail will refuse to do that.
+1
The idea of using my master password with my 2FA token on a daily basis makes me very uncomfortable. To begin with, it means I will change it to be much shorter, because I don't want to type something long and complex each time I log in.

For me, having a short p/w to use with the token, and a very long, complex master p/w, which can be used alone, which I've memorized, and which is only used for settings changes and the rare case when I've gone to work forgetting my token at home, is the ideal way to organize my security.
Old 8 Aug 2016, 10:12 AM   #239
Terry
The "e" in e-mail
 
Join Date: Jul 2002
Location: VK4
Posts: 2,995
Quote (originally posted by NumberSix):
I had thought there was a setting to disable IMAP and POP access entirely (and that I had set it that way), but when I looked again just now, I can't find it. So... this means an attacker could use IMAP as an access vector even though I never use IMAP myself, right?
Looks like it's been removed and nothing in the old classic either.
Old 8 Aug 2016, 10:21 AM   #240
dgcom
Junior Member
 
Join Date: Jan 2010
Location: US, New Jersey
Posts: 22
Haven't been on this forum for 4 years as well (last login was Nov 2012), so I guess there was some other major change going on at that time...

Just spent lots of time reading this thread in the hope of finding a solution for the disappearing alternative logins...
This is just sad - I've been using them for quite some time already and like the ability to have restricted web access and a password I can kill when I need to.
I used the X-Notifier plug-in in Firefox with a separate password per computer (see that past tense? That's because it also stopped working, and that's how I found out about the changes...) - I had several of my computers set up with different restricted login passwords for X-Notifier. It stores the password locally, so if a computer gets compromised, I can always quickly disable that password.

Now I am losing the above setup - not only is X-Notifier not working (which can be fixed), but I'd also have to save my master password in it, which is not secure...