New features to keep your FastMail account even more secure

[akorvemaker]

Quote:

Originally Posted by wam

After choosing 2FA yesterday, everything was working fine. Since few hours email sending stopped working from 3rd party clients.

Tested on iPhone 6, Mail for Mac

I get same message "Cannot send, username or password is incorrect".

Since the clients don't support 2FA, you'll need to go into the Password settings and set up App Passwords for each of them.

[wam]

Quote:

Originally Posted by akorvemaker

Since the clients don't support 2FA, you'll need to go into the Password settings and set up App Passwords for each of them.

It was working fine yesterday after enabling 2FA and providing App Password to the client.

SOLUTION;
I removed 'App Password' for iPhone, from Settings; deleted the Fastmail account on iPhone and recreated it, with a new App Password.

Everything working normal; only change I had to make was, a "Notes" folder was created under Inbox which I deleted from Fastmail email on web page in settings, under folders. Notes are also being synchronised with fastmail account.

Everything normal again, including Contacts, Calendar and Notes.

I will repeat same process for Mail app for Mac and see if it works. I had changed Password for Mail, using App password and it was working fine yesterday. This also stopped working today.

[placebo]

Quote:

Originally Posted by wam

It was working fine yesterday after enabling 2FA and providing App Password to the client.

SOLUTION;
I removed 'App Password' for iPhone, from Settings; deleted the Fastmail account on iPhone and recreated it, with a new App Password.

I think you may have simply forgotten to update the password in the SMTP settings the first time around.

[wam]

Quote:

Originally Posted by placebo

I think you may have simply forgotten to update the password in the SMTP settings the first time around.

Maybe I forgot, not sure; you have put me in doubt .

[hadaso]

I have been away from the forums for almost 4 years (the welcome message reads: You last visited: 10 Dec 2012 at 11:24 PM).
I'm really happy to see so many names I know still active! Hi everyone!

Anyway, I spent a lot of time reading about the changes in how to login, in the blog and places linked to from the blog, and in the FastMail help documents, and this whole thread. I'm quite convinced that eventually this means better security for my email, but right now I'm quite overwhelmed.

One thing I don't understand: RobN said:

Quote:

Originally Posted by robn

For the types that are serviceable through the new login system, yes. That's SMS, TOTP, YubiKey OTP and regular password. The other types have no mapping in the new system so aren't supported. ...

I don't see why OTP is not serviceable thorough the new system. It can be serviceable with some change to how it's done: it can be implemented as a form of 2FA: the printed list of OTPs is "a thing I have". And in some situations it's more secure than TOTP, since the OTP becomes invalid upon use and not 60 seconds later.

What I'd like to see is that in addition to SMS, TOTP, U2F and YubiKey OTP, the "Set up Two-Step Verification" section would have an additional option of "Print list of OTPs". then this would be used just like the TOTP option (after the username and master password are entered, a prompt for and additional unused password from the list, or 3 fields in the login screen, for username, main password and OTP in the classic login page).

This shouldn't be too difficult to implement.

[Berenburger]

Quote:

Originally Posted by hadaso

I have been away from the forums for almost 4 years (the welcome messge reads: You last visited: 10 Dec 2012 at 11:24 PM).
I'm really happy to see so many names I know still active! Hi everyone!

Wow, 4 years! We/I missed you. I had hoped that not something seriously happened. Welcome back.

[hadaso]

Quote:

Originally Posted by robn

To make changes on the password & security screen, you have to enter your master password even if you're already logged in. That hasn't changed.

If 2FA is enabled, does the password & security screen require a 2nd factor?

I ask, because if someone is intercepting the communication when I login, then they can get the password, and then if the second factor is not required again then they can presumably change the master password and lock me out.

Why am I asking? Because I know that all my web traffic from my work computer is constantly under MITM attack by this company or the products/services they supply to my employer. The it works is that when I connect using https the certificate is from proxy.employersdomain.tld. They decrypt all traffic that goes in and out (and presumably reencrypt it). So up till now I used a restricted login so that anyone who intecept it cannot kidnap the account. Now that I need to provide the master password I need to know that an attacker cannot use it to change security settings.

[hadaso]

Quote:

Originally Posted by Berenburger

Wow, 4 years! We/I missed you. I had hoped that not something seriously happened. Welcome back.

No I just got a life!
Mainly I've been concentrating more on work than on discussing how email can be used to do it...

[NumberSix]

Quote:

Originally Posted by hadaso

I ask, because if someone is intercepting the communication when I login, then they can get the password, and then if the second factor is not required again then they can presumably change the master password and lock me out.

Welcome back This is a good question - one that had not occurred to me. I have my own concerns about the new security system, but will look forward to someone's authoritative response to this!

[JamesHenderson]

Quote:

Originally Posted by hadaso

If 2FA is enabled, does the password & security screen require a 2nd factor?

I ask, because if someone is intercepting the communication when I login, then they can get the password, and then if the second factor is not required again then they can presumably change the master password and lock me out.

Why am I asking? Because I know that all my web traffic from my work computer is constantly under MITM attack by this company or the products/services they supply to my employer. The it works is that when I connect using https the certificate is from proxy.employersdomain.tld. They decrypt all traffic that goes in and out (and presumably reencrypt it). So up till now I used a restricted login so that anyone who intecept it cannot kidnap the account. Now that I need to provide the master password I need to know that an attacker cannot use it to change security settings.

I believe it does not. But unless the "bad guy" is using your session, they would still need the second factor to logon first before getting to the security screen. Assuming you never check the "trust this computer" button (can't remember the exact words, but I mean the check box that means you don't have to use the second factor on that compute again), you'd be good,

[hadaso]

Quote:

Originally Posted by JamesHenderson

I believe it does not. But unless the "bad guy" is using your session, they would still need the second factor to logon first before getting to the security screen. ...,

I assume the "bad guy" is already controlling my session. The way it works on my office computer, I don't really have my session. The proxy has my session: I communicate with the proxy, and the proxy communicates with Fastmail, so it owns the session. Now I really shouldn't call whoever runs the proxy server at work "bad guy" (the IT pepole are actually quite good) but the solution they use might have these two issues that can let a bad guy in.

[JamesHenderson]

Quote:

Originally Posted by hadaso

I assume the "bad guy" is already controlling my session. The way it works on my office computer, I don't really have my session. The proxy has my session: I communicate with the proxy, and the proxy communicates with Fastmail, so it owns the session. Now I really shouldn't call whoever runs the proxy server at work "bad guy" (the IT pepole are actually quite good) but the solution they use might have these two issues that can let a bad guy in.

...can you use a client that requires one of the new app passwords (which you cannot use to logon to the web interface and hence keep your settings secure)?

[DumbGuy]

Quote:

Originally Posted by JamesHenderson

...can you use a client that requires one of the new app passwords (which you cannot use to logon to the web interface and hence keep your settings secure)?

It would be great if FM created a type of app password that works for web login, and of course not work for sensitive areas of the website like the security screens.

[easemail]

Great point DG... this reminds me of another pet peeve:

When I go to the security screen it shows me all the ways to do account recovery. If I step away from my computer and somebody navigates to that page, they now know various attack vectors to get my account.

Why not just let account recovery information just be shown AFTER you enter a master password on that screen?

(Heya hadaso... I too find it cool to see so many old faces here. Just wish it was under better circumstances. )

[FredOnline]

Quote:

Originally Posted by DumbGuy

It would be great if FM created a type of app password that works for web login, and of course not work for sensitive areas of the website like the security screens.

Like an Alternative Login?

https://www.fastmail.com/help/accoun...tyupgrade.html

Quote:

Alternative logins will be removed on August 31st, 2016: you have just the one password to remember.