EmailDiscussions.com  

Go Back   EmailDiscussions.com > Email Service Provider-specific Forums > FastMail Forum
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read
Stay in touch wirelessly

FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.

Reply
 
Thread Tools
Old 10 Jan 2021, 05:22 PM   #16
hadaso
The "e" in e-mail
 
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 4,799
Quote:
Originally Posted by NumberSix View Post
.... If you think about it, it would be a pretty useless security technology if it required you to carry around a separate token for every site that you use (and remember which is which!)
Actually that's what we're all used to: I carry separate "security keys" to open my front door, and to open my office, and for each car, and then a separate remote to open each car,and a key to disable the alarm for each car, and a remote for the garage door, and a key for my post office box, and another one for my mother in law's post office box, and some more. Theoretically they could all use the same device that can be planted under my skin.

Quote:
Final bit of advice I use a "mini S-biner" to attach mine to my keyring... allows it to go on and off the ring very easily for use. Highly recommended! You can probably find them at your local home improvement/hardware store.
Actually I spent quite a lot of money on trying different solutions to losing keys and lots more money on replacing lost keys and remotes). I now use something like these that I got at a local hardware store. They're quite unlikely to detach spontaneously as they require pushing in and simultaneously pulling out.
hadaso is offline   Reply With Quote
Old 10 Jan 2021, 08:38 PM   #17
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,683
I just remembered one of the huge problems with smartphone authenticator apps after I dropped my phone in some water and it wasn't working properly for a few days. Big problem getting 2FA codes! No matter what method you use, be sure to have alternate methods set up!
TenFour is offline   Reply With Quote
Old 10 Jan 2021, 10:55 PM   #18
JeremyNicoll
Essential Contributor
 
Join Date: Dec 2017
Location: Scotland
Posts: 483
Quote:
Originally Posted by TenFour View Post
No matter what method you use, be sure to have alternate methods set up!
And, I'd suggest, test the alternates still work... maybe once per month?
JeremyNicoll is offline   Reply With Quote
Old 10 Jan 2021, 10:59 PM   #19
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,683
Quote:
And, I'd suggest, test the alternates still work... maybe once per month?
Good point! I remember once I was checking my Gmail security settings for some reason and I discovered that somehow my one-time codes had been changed from the ones I had saved. I can only think that I must have turned off 2FA at some point then turned it back on, which reset the codes. A big issue I have encountered is when you change phone numbers for some reason--it can be difficult and time consuming to update your phone number with some services. Same with email addresses. For some reason no matter what I do my utility provider sends important messages to an old email address even though I have updated it everywhere I can.
TenFour is offline   Reply With Quote
Old 11 Jan 2021, 11:06 AM   #20
jsfrederick
Junior Member
 
Join Date: Nov 2010
Posts: 9
Quote:
Originally Posted by NumberSix View Post
I would just add... a while ago I ran across another company making similar hardware token products that looked popular and inexpensive, but when I dug deeper, I found it was a Chinese company. No sireee... *closes tab* Sorry... can't remember the name now, but the Chinese origin was not hidden, so just be careful who you buy from.
Feitian security keys are made in China.
jsfrederick is offline   Reply With Quote
Old 11 Jan 2021, 11:49 AM   #21
NumberSix
Cornerstone of the Community
 
Join Date: Jan 2003
Location: The Village
Posts: 599
Quote:
Originally Posted by jsfrederick View Post
Feitian security keys are made in China.
Yes, that's the one I was thinking of.
NumberSix is offline   Reply With Quote
Old 12 Jan 2021, 12:39 AM   #22
ChinaLamb
The "e" in e-mail
 
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
Just adding my 2c.

Yubico Security Key NFC ($25) is a great choice.

Google's Titan Keys are great as well. After our org. purchased about 50 of these, a security flaw was discovered and they replaced all the bluetooth dongles for FREE.

We use both.

One Caveat Google's keys ARE made by a Chinese company, but Google claims they have a custom firmware on the devices that are different from the original Chinese maker, and are sealed....

While from an AD company, Google is horrible, from a Security standpoint from foreign threats, Google is actually very good. Say what you will on their cooperation with law enforcement, etc.

I'd suggest the Yubico $25 keys as our first recommendation, and if you need a bluetooth solution get the Google key.

I strongly recommend AGAINST feitian.

/cl
ChinaLamb is offline   Reply With Quote
Old 12 Jan 2021, 12:58 AM   #23
ioneja
Cornerstone of the Community
 
Join Date: Jul 2011
Posts: 713
What is the cost of your account security? Yubikey makes the best keys IMO at this point, but I also watch the industry for any new developments, so I'm open to other providers/developers. But I haven't yet found a company that I'd trust more with a key's design and manufacture, record of overengineering (a good thing), customer service, and openness about issues that occasionally pop up with various key firmware revisions and protocols. Again, I am definitely open to other companies, just haven't seen one that surpasses Yubico yet. Would definitely not buy Chinese made keys for too many reasons to list, no matter the cost savings, no matter the security promises, no matter what Google says about their process. Not worth it IMO.

Make sure to keep a spare and backup. Yubico sometimes has sales to get discounts buying 2+ units at once.

Also agree with those comments that suggest you should take a good look at how your providers handle reset of the account if you lose your 2FA key/token/code/etc.. Sometimes they are actually relatively lax about recovering your account, compared to the impression of security they give with 2FA in general. Thus negating the whole point. It should be very hard to recover an account if you lose your 2FA method... VERY hard. And thus essential that you manage your 2FA carefully. But companies are cutting corners on this important step, and it's important to be aware of the recovery procedure for all your critical accounts. I've even tested this out on some accounts to see what they would do, and I don't want to disparage any particular companies, but one in particular (a hosting provider) very very easily just gave me total access to one of my accounts with virtually no effort on my part, despite 2FA supposedly locking it down. Very scary. I think one customer service person just blew it and didn't enforce the policy well, the company itself states a different, more comprehensive recovery policy. But these are things we need to be aware of and in some cases frankly verify ourselves if you are concerned at all. All the greatest 2FA in the world is useless if the companies who use those keys/services/tokens/etc., have lax policies and/or enforcement.

Last edited by ioneja : 12 Jan 2021 at 01:12 AM.
ioneja is offline   Reply With Quote
Old 12 Jan 2021, 07:19 AM   #24
SideshowBob
Essential Contributor
 
Join Date: Jan 2017
Posts: 278
Quote:
Originally Posted by n5bb View Post
As far as I can tell from the research I performed before my earlier post in this thread, a common issue is the phone time not properly synchronized after changing time zones. See:
https://support.google.com/accounts/..._topic=2954345
For the iPhone see:
https://www.guidingtech.com/fix-goog...orking-iphone/
The google link doesn't even mention time zones. The guidingtech link uses the word "might" and reads like off the cuff speculation to me.

If time zones do have an effect, it's a bug rather than a legitimate excuse.
SideshowBob is offline   Reply With Quote
Old 14 Jan 2021, 07:41 PM   #25
eggman
Essential Contributor
 
Join Date: Jun 2002
Location: AU
Posts: 471
Authy and Microsoft authenticator offer to backup your 2fa token to the cloud if you are happy to use a soft token.

If you want hardware tokens then a basic ubikey in a safe and one on your keyring may be a good option for services like fastmail that allow you to register multiple.
eggman is offline   Reply With Quote
Old 15 Jan 2021, 04:56 AM   #26
jsfrederick
Junior Member
 
Join Date: Nov 2010
Posts: 9
Quote:
Originally Posted by eggman View Post
Authy and Microsoft authenticator offer to backup your 2fa token to the cloud if you are happy to use a soft token.

If you want hardware tokens then a basic Yubikey in a safe and one on your keyring may be a good option for services like fastmail that allow you to register multiple.
On macOS and iOS, I prefer OTPAuth ( https://cooperrs.de/otpauth.html ).
jsfrederick is offline   Reply With Quote
Old 16 Jan 2021, 02:16 AM   #27
barmadrid
Junior Member
 
Join Date: Jan 2021
Posts: 6
Sorry if this has been answered, but currently I have 2FA enabled using Google Authenticator. My phone number is listed for recovery.

If I forget my password and lose access to Authenticator app, will I lose access to my account?

If so, is it best to have copy of my recovery key saved somewhere?
barmadrid is offline   Reply With Quote
Old 16 Jan 2021, 02:24 AM   #28
FredOnline
The "e" in e-mail
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
What I do is, take a screenshot of the QR code, and save that locally.

Then if the authenticator app gets corrupted, or if I've lost my 'phone, I can scan the saved QR code to another 'phone and I'm back in business.
FredOnline is offline   Reply With Quote
Old 16 Jan 2021, 07:02 AM   #29
hadaso
The "e" in e-mail
 
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 4,799
Quote:
Originally Posted by barmadrid View Post
Sorry if this has been answered, but currently I have 2FA enabled using Google Authenticator. My phone number is listed for recovery.

If I forget my password and lose access to Authenticator app, will I lose access to my account?

If so, is it best to have copy of my recovery key saved somewhere?
If you lose access to your authenticator app but not to your phone (such as if the phone stops working and you put your SIM card in another phone) you can still use the phone for recovery. Even if you lose your phone, you can usually get a new phone and a SIM card with the same number, and it can be used for recovery.
hadaso is offline   Reply With Quote
Old 16 Jan 2021, 11:59 AM   #30
barmadrid
Junior Member
 
Join Date: Jan 2021
Posts: 6
Quote:
Originally Posted by hadaso View Post
If you lose access to your authenticator app but not to your phone (such as if the phone stops working and you put your SIM card in another phone) you can still use the phone for recovery. Even if you lose your phone, you can usually get a new phone and a SIM card with the same number, and it can be used for recovery.
But if I also forget or lose my password, SMS alone is not sufficient to recover your account if you have two-step verification enabled, isn't?

From Fastmail's help section:

Quote:
Please note, if two-step verification is enabled, access to the phone number itself is not sufficient to gain access to an account: you still need two factors (your password AND the SMS).
barmadrid is offline   Reply With Quote
Reply


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Forum Jump


All times are GMT +9. The time now is 02:54 PM.

 

Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy