EmailDiscussions.com  


FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.

5 May 2013, 12:55 PM   #16
axiem
Member
 
Join Date: Jun 2004
Posts: 32
Being in the process of returning to Fastmail after a dalliance on GMail, I find the 2FA used by FM to be...strange. I guess having a "base" password counts as one factor, and then the randomly-generated number being the other, but it would just make more sense to me to have to put in my password and the OTP number in separate fields, like the Yubikey thing appears to be.

5 May 2013, 01:11 PM   #17
robn
Master of the @
 
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007

Representative of:
Fastmail.fm
Originally posted by axiem:
Being in the process of returning to Fastmail after a dalliance on GMail, I find the 2FA used by FM to be...strange. I guess having a "base" password counts as one factor, and then the randomly-generated number being the other, but it would just make more sense to me to have to put in my password and the OTP number in separate fields, like the Yubikey thing appears to be.
That's only the UI being a little odd. You can actually enter base+Yubikey and it will work (if you have a Yubikey set up). On the server side, if we see you've used the Yubikey field, we join its contents to the password field before we pass it down into the auth layer. Like I say, I have a request open to get the UI made more clear (we never needed to before).

It is however most certainly two-factor auth - "something you know + something you have".

5 May 2013, 01:16 PM   #18
axiem
Member
 
Join Date: Jun 2004
Posts: 32
That makes sense. It's just that the other instances of 2FA I've used on a computer (World of Warcraft, GMail) explicitly separate the "know" and "have" into two fields, and require passing through an intermediate screen--first I give my username/password, then it pops up with a screen challenging for my random number.

The difference just surprised me is all. It may be worthwhile to clarify that a little somewhere in the documentation.

6 May 2013, 01:19 AM   #19
ericderuiter
Member
 
Join Date: Apr 2002
Posts: 40
Originally posted by robn:
You can get the equivalent of forcing its use by setting a complex (unguessable) master password and then never using it, bringing the risk of it being compromised down close to zero. Then the only way to access the account will be via the alternate login, and if you only set up a single OTP login (of any kind), then OTP will be required. This is the security model we've used since we first had alternate logins.

Good idea. I'll raise a ticket for it. No commitment to implement it, of course!
What about using your master password for desktop or phone IMAP client? How do you keep the master password unused if you need a password for IMAP?

6 May 2013, 02:51 AM   #20
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,917
Use complex Regular password with Full access for email clients

Originally posted by ericderuiter:
What about using your master password for desktop or phone IMAP client? How do you keep the master password unused if you need a password for IMAP?
Just set up one or more Regular passwords with Full access. If these are cached in your email client you won't have to remember these passwords, so you can use a pseudo-randomly chosen password which is very long.

Bill

6 May 2013, 04:24 AM   #21
axiem
Member
 
Join Date: Jun 2004
Posts: 32
Originally posted by n5bb:
Just set up one or more Regular passwords with Full access. If these are cached in your email client you won't have to remember these passwords, so you can use a pseudo-randomly chosen password which is very long.
Essentially, what you can do is use something like this website to generate a long string, and then copy-paste it both into Fastmail and your email client--you never have to type it, and since you can make it cached, it stays secure. You don't even have to write it down anywhere; if you need to change it, just generate a new one and change it on Fastmail.

6 May 2013, 10:47 AM   #22
ericderuiter
Member
 
Join Date: Apr 2002
Posts: 40
Originally posted by n5bb:
Just set up one or more Regular passwords with Full access. If these are cached in your email client you won't have to remember these passwords, so you can use a pseudo-randomly chosen password which is very long.

Bill
That still leaves a full access password in use that could be vulnerable to keyloggers, packet sniffing, etc. An IMAP only password that didn't work for web logins combined with a web password that required the 2nd factor would be a nice security improvement.

I'm more concerned for users in business accounts, where the user will choose as weak a password as they can, and probably the same one they use all over the web. Requiring a 2nd factor for web access would be a good enhancement.

I use 1Password and have a strong password for my mail, but I'm more interested in the people who make their password as weak / easy to remember as possible. That is where the most benefit from 2FA will be seen.

6 May 2013, 12:59 PM   #23
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,917
Originally posted by ericderuiter:
That still leaves a full access password in use that could be vulnerable to keyloggers, packet sniffing, etc. An IMAP only password that didn't work for web logins combined with a web password that required the 2nd factor would be a nice security improvement.
This might get complex to set up, since other Fastmail services use passwords in addition to IMAP (such as SMTP).
  • You should only want to use an email client on a computer which is under your control. The only time when a keylogger could be used to grab the IMAP/SMTP regular password would be during the initial setup of the client. If a keylogger is running on your own computer then all activity on your computer is subject to eavesdropping, so that's a big security hole Fastmail can't resolve.
  • Fastmail has required secure SSL connections for both the web interface and IMAP/SMTP since July 2012. So packet sniffers aren't an issue.
  • The real security holes are:
    • Using the web interface on a public computer. You want to use one-time or two-factor restricted passwords in all cases.
    • Using any password (especially unrestricted) which is too simple to crack.
  • I agree that long term it would be nice to have enforced policies for passwords and other behavior, but as you mention that really only affects business accounts.
Bill

6 May 2013, 03:45 PM   #24
robn
Master of the @
 
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007

Representative of:
Fastmail.fm
I think we're talking about two features here (correct me if I'm wrong):

- ability to choose services that the alternate login will work for
- ability for business owners to enforce a specific login policy for their users

Selecting services is not really hard, just an extension of what we already have (where you can have web (restricted) or "all" services).

Login policies for businesses is more complex. It's not exactly hard, but it does have a few moving parts. I think I'd prefer to consider it as part of a broader thing to do config policies, but that's mostly just me musing at this point.

We'll keep discussing these internally. Thanks for the feedback!

Last edited by robn : 6 May 2013 at 03:58 PM.

7 May 2013, 04:24 AM   #25
axiem
Member
 
Join Date: Jun 2004
Posts: 32
I would be in favor of being able to set passwords to be "non-web only". That is, passwords that will only work with a client. And if you could somehow specify the name of the client, that would be even more awesome (but I don't know if that information is sent over IMAP).

7 May 2013, 04:27 AM   #26
placebo
Cornerstone of the Community
 
Join Date: Jun 2004
Posts: 740
Originally posted by n5bb:
  • You should only want to use an email client on a computer which is under your control. The only time when a keylogger could be used to grab the IMAP/SMTP regular password would be during the initial setup of the client. If a keylogger is running on your own computer then all activity on your computer is subject to eavesdropping, so that's a big security hole Fastmail can't resolve.
  • Fastmail has required secure SSL connections for both the web interface and IMAP/SMTP since July, 2012. So packet sniffers aren't an issue.
Another problem is that the password is typically stored by the e-mail client, so there's the possibility of someone with access to the computer retrieving it from the application. If this were to happen, I'd much prefer that IMAP and SMTP access were using a restricted password, not one that's going to allow full access to an account.
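The two mechanisms this thread circles around, robn's combined field in post #17 (the OTP or Yubikey value is joined onto the base password before it reaches the auth layer) and the per-service scoping of alternate logins discussed in posts #22 to #26, can be modelled together. The following is an added example written for this page, not Fastmail's code: the three credential kinds, the rule that the trailing six characters of the submitted field are the OTP, the service names, the constructed secret and passwords, and the PBKDF2 parameters are all assumptions. The OTP check implements RFC 6238 TOTP over HMAC-SHA1, which is what Google Authenticator produces.

```python
"""Illustrative model: combined password+OTP field and per-service login scoping.
Added example for this page; not Fastmail's code. The credential kinds, the
"last six characters are the OTP" rule, the service names and the PBKDF2
parameters are assumptions."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

SERVICES = {"web", "imap", "smtp"}  # assumed service names
OTP_DIGITS = 6
OTP_STEP = 30


def hotp(secret: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """RFC 4226 HOTP over HMAC-SHA1, the variant Google Authenticator uses."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second step."""
    return hotp(secret, at // OTP_STEP)


def totp_valid(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to absorb phone clock drift."""
    return any(hmac.compare_digest(totp(secret, at + d * OTP_STEP), code)
               for d in range(-window, window + 1))


def hash_password(pw: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stolen credential table is expensive to crack offline."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)


class Credential:
    """One login of an account: hashed password, the services it may be used
    for, and optionally a TOTP secret that turns it into a two-factor login."""

    def __init__(self, password: str, services, totp_secret: bytes = None):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hash_password(password, self.salt)
        self.services = set(services)
        self.totp_secret = totp_secret  # None => password-only login

    def check(self, service: str, submitted: str, at: int) -> bool:
        if service not in self.services:
            return False
        if self.totp_secret is None:
            return hmac.compare_digest(hash_password(submitted, self.salt), self.pw_hash)
        # Combined field, as in the thread: the code is typed straight after the
        # base password in the same box, so split it off the end before checking.
        if len(submitted) <= OTP_DIGITS or not submitted[-OTP_DIGITS:].isdigit():
            return False
        base, code = submitted[:-OTP_DIGITS], submitted[-OTP_DIGITS:]
        pw_ok = hmac.compare_digest(hash_password(base, self.salt), self.pw_hash)
        otp_ok = totp_valid(self.totp_secret, code, at)
        return pw_ok and otp_ok  # both computed above, so no short-circuit timing leak


class Account:
    def __init__(self):
        self.credentials = {}

    def add(self, name: str, cred: Credential) -> None:
        self.credentials[name] = cred

    def authenticate(self, service: str, submitted: str, at: int = None):
        """Return the name of the credential that accepted the login, or None."""
        now = int(time.time()) if at is None else at
        for name, cred in self.credentials.items():
            if cred.check(service, submitted, now):
                return name
        return None


def new_app_password(nbytes: int = 24) -> str:
    """Random client password: pasted once into the mail client, never typed again."""
    return secrets.token_urlsafe(nbytes)


def build_demo_account():
    """Constructed demo account with the three kinds of login discussed in the thread."""
    totp_secret = base64.b32decode("JBSWY3DPEHPK3PXP")  # constructed secret (the QR-code payload)
    acct = Account()
    # Long master password: valid everywhere, but meant never to be typed.
    acct.add("master", Credential("constructed-master-pw-9x!Q-never-typed", SERVICES))
    # Base password + authenticator code, web interface only.
    acct.add("web-otp", Credential("basepw", {"web"}, totp_secret=totp_secret))
    # Random client password restricted to IMAP/SMTP, as asked for in the thread.
    app_pw = new_app_password()
    acct.add("desktop-client", Credential(app_pw, {"imap", "smtp"}))
    return acct, totp_secret, app_pw


if __name__ == "__main__":
    acct, secret, app_pw = build_demo_account()
    now = int(time.time())
    print(acct.authenticate("web", "basepw" + totp(secret, now), now))   # web-otp
    print(acct.authenticate("imap", "basepw" + totp(secret, now), now))  # None
    print(acct.authenticate("imap", app_pw, now))                         # desktop-client
    print(acct.authenticate("web", app_pw, now))                          # None
```

A client password lifted from a mail client's stored settings (the case placebo raises) only matches the credential scoped to imap/smtp, so it cannot open the web interface; conversely the OTP-protected login never works for IMAP, which is the "non-web only" split axiem asks for. Hashing the passwords with a slow KDF makes a copied credential table costly to crack, but note the caveat: the TOTP secret has to be stored in recoverable form to verify codes, so a compromise of that table still exposes the second factor.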
7 May 2013, 12:58 PM   #27
Ginix
Member
 
Join Date: Aug 2012
Posts: 38
This is not working for me. I typed the Base password to trigger the Google Auth but it's not working. It says Incorrect username or password, but whenever I try SMS 1 Hour it's working.

Not sure what's wrong, but I was able to scan the bar code and I can see my FM email account in it on my Android.

Please help. Thanks.

7 May 2013, 01:51 PM   #28
akorvemaker
Master of the @
 
Join Date: Nov 2002
Location: Canada
Posts: 1,015
Try entering the Google Auth code immediately after the base password (in the same box). Fastmail doesn't go to a separate screen like Google does.

7 May 2013, 02:03 PM   #29
Ginix
Member
 
Join Date: Aug 2012
Posts: 38
Originally posted by akorvemaker:
Try entering the Google Auth code immediately after the base password (in the same box). Fastmail doesn't go to a separate screen like Google does.
Yehey, thank you so much - it's working now.

8 May 2013, 10:25 PM   #30
B4its2L8
Master of the @
 
Join Date: Dec 2007
Location: Hiding under my bed
Posts: 1,465
I admit to being somewhat on the fringe in all this because I access the web (and my email) from one and only one device: a home pc (using both web interface and an offline client [Outlook]).

Still, I can't help being just a bit confused in this discussion. Since (from an email perspective) Gmail pretty much started the whole 'two step authentication' thing, I'm used to understanding it from that angle. With Gmail, one goes into one's security settings and enables 2FA for the express purpose of preventing any possible password-only access to the account. One can go further and make a particular computer a 'trusted device' to prevent having to enter the 6-digit two-factor code at every login, but it's still AFAIK a case of Google secondarily 'authenticating' the login with the password AND the now-trusted device. That's why it's strange (for me) to read Rob write:

Originally posted by robn:
You can get the equivalent of forcing its use by setting a complex (unguessable) master password and then never using it, bringing the risk of it being compromised down close to zero. Then the only way to access the account will be via the alternate login, and if you only set up a single OTP login (of any kind), then OTP will be required. This is the security model we've used since we first had alternate logins.
Well, in my case, I routinely use 30-70-character passwords/passcodes. But even a 100-character password isn't going to help against hackers who steal passwords directly from the provider (instead of from the user via a keylogger or something) and crack them with their 'super computers.' That's where the 2FA comes in, no? An account (like Gmail) requiring a second login factor for any access at all would still keep the password thieves at bay. But in the case described by Rob above, if -- big IF -- hackers were able to break in and steal FM's user password data, they could gain entry to accounts, since only alternate logins are covered by the Google Authenticator protection, 'full access' still being possible with a password alone.

I may not be understanding things correctly here; to help me do so, I have some questions:

1. In general, are email accounts protected by long, complex passwords (say, 50+ characters) really as safe as those protected with 2FA, making 2FA somewhat redundant in those instances? (E.g. my MyOpera account is protected by a nearly 70-character password [entered automatically by LastPass]. Is this account, as a result, really as safe or safer than a Gmail account protected by a 25-character password + 2FA?)

2. More specifically, does FM itself presently have any method of providing account-wide, Gmail-like two-factor protection for users, preventing any password-only access whatsoever? (E.g. does/can the Yubikey function in this way, or does it only work in the 'alternative login' way Rob describes in his responses here?)

Thanks for any feedback, and sorry for being dense!