FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc. |
3 Jan 2017, 02:19 AM | #1 |
Senior Member
Join Date: Jun 2016
Posts: 194
|
SMS as 2FA yet?
Question: Is it active yet or disappeared? In case someone loses the smartphone and is not using pendrives or other devices with 2FA.
Thanks. |
3 Jan 2017, 03:40 AM | #2 |
Essential Contributor
Join Date: Apr 2008
Posts: 371
|
It disappeared as part of FastMail's rollout of the new 2FA system last summer, and I'd guess that it's probably not coming back.... A post here by brong from the FastMail team suggests that it's pretty much known to be "awful for security" as well as reliability/deliverability.
|
3 Jan 2017, 09:36 AM | #3 |
Member
Join Date: Nov 2013
Posts: 61
|
Trust in SMS is a quick path to having your identity stolen 🕵
|
3 Jan 2017, 03:19 PM | #4 |
Senior Member
Join Date: Jun 2016
Posts: 194
|
Thank you both for your answers. Yes, I know it's not safe, but it's safer than nothing. So, if you are without a smartphone (or don't want to use a smartphone anymore) and can't use another device, then it's better sms as 2FA than no 2FA. But I see that it's not in FM anymore.
|
3 Jan 2017, 06:04 PM | #5 |
Member
Join Date: Nov 2013
Posts: 61
|
There are a few command line tools for generating time-based one-time passwords. There's no real magic to it, the codes are just generated from running a SHA1 algorithm on a secret string. A QR code is just a silly/inefficient way of communicating that secret string to an app, it's little different to copy/paste.
Have a google around and see what you're comfortable with using. |
3 Jan 2017, 06:48 PM | #6 |
The "e" in e-mail
Join Date: Jul 2002
Location: VK4
Posts: 2,995
|
Why would you say that? Banks here in Australia use sms to send a log in account password and so does the Government, surely if it was unsafe they would use some other method?
I would say the reason f/m don't want to use sms is the cost and reliability of phone companies. |
3 Jan 2017, 08:38 PM | #7 | |
Senior Member
Join Date: Jun 2016
Posts: 194
|
Quote:
|
|
3 Jan 2017, 08:39 PM | #8 | |
Senior Member
Join Date: Jun 2016
Posts: 194
|
Quote:
|
|
3 Jan 2017, 10:55 PM | #9 | |
Essential Contributor
Join Date: Apr 2008
Posts: 371
|
Quote:
The new 2FA system also supports only TOTP now for one-time passwords — either via a TOTP app like Google Authenticator or a Yubikey OTP device; the old static OTP lists that you could print are no more. Alternatively, you can also use the even more secure U2F method, assuming you have a U2F device and are using a browser (Google Chrome) that supports U2F. To be fair, though, I also sort of lied about SMS not being available — FastMail does provide SMS authentication as a backup situation in the event that you don't have access to your TOTP device or U2F key, but it's clearly intended to be more of a backup/recovery method than a primary authentication method, but technically speaking, it does work in about the same way; I think FastMail just makes it a "backup" method to steer people toward the more effective TOTP/U2F system. You can get an SMS code when logging in by clicking the Send a code to your backup phone number link at the bottom of the second-factor screen (this of course assumes you've added your phone number in the "Account Recovery" section in your FastMail "Password & Security" preferences). |
|
3 Jan 2017, 11:02 PM | #10 | |
Essential Contributor
Join Date: Apr 2008
Posts: 371
|
Quote:
The reality is that you're not going to get the vast majority of average users (probably 90% of the bank/Government user base) to fiddle with TOTP apps or buy U2F keys, so you're left with having to lower your security standards to the very lowest solution that pretty much every one of your clients has access to, and of course that's SMS, since almost everyone has a mobile phone these days. Again, better than not having a second factor at all, and a big part of any security model is buy-in and usability from the user base. Security that nobody is going to use is no better than no security at all. |
|
3 Jan 2017, 11:48 PM | #11 | |
Senior Member
Join Date: Jun 2016
Posts: 194
|
Thank you very much! Doubt resolved.
Quote:
|
|