EmailDiscussions.com  

Old 19 Jul 2016, 01:44 AM   #16
jkc054
Senior Member
 
Join Date: Feb 2012
Location: Greenfield, Indiana
Posts: 104
I hope this is voluntary and not mandatory. If mandatory I may have to look for another email provider and what a pain that will be.
Old 19 Jul 2016, 02:34 AM   #17
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,084
My reading of this is that, if you just use a single password for access to your account, the only change you will see is that the URL of the login screen changes.

For people who only use email for casual correspondence, these changes are not especially important. However, where email contains potentially confidential communications, it becomes important to keep accounts secure. 2FA, and especially U2F, are useful tools in assisting to ensure this, as are app/device specific passwords.
Old 19 Jul 2016, 03:03 AM   #18
FredOnline
The "e" in e-mail
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
Quote:
Originally Posted by robn View Post
No. We're wearing the cost on this one. Being locked out of your account because you didn't have any SMS credit would not be cool.
Followed by a price increase on all plans to cover overheads?
Old 19 Jul 2016, 03:08 AM   #19
ChinaLamb
The "e" in e-mail
 
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
I'm currently only seeing the old "Alternative Logins". When will the Two-Factor options be available?
Old 19 Jul 2016, 03:34 AM   #20
FredOnline
The "e" in e-mail
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
You could go to the link in post #1 and read it.
Old 19 Jul 2016, 03:46 AM   #21
ChinaLamb
The "e" in e-mail
 
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
Quote:
Originally Posted by FredOnline View Post
You could go to the link in post #1 and read it.
Thanks, Fred. A simple Next Monday would have sufficed.

Read it before, missed that detail.

/cl
Old 19 Jul 2016, 03:47 AM   #22
pjwalsh
Essential Contributor
 
Join Date: Dec 2008
Location: Canada
Posts: 312
Quote:
Originally Posted by ChinaLamb View Post
when will the Two-Factor options be available?
Good question. From the blog:

Launching next Monday July 25.

Current alternate logins terminate August 31.
If you're currently using our "alternate logins" system, you will need to migrate to the new system sometime in the next month. We will be removing all old-style "alternate logins" on 31st August. Also, please note that if your alternate login has a second factor, you will now be asked for this after submitting your username and password, rather than entering it on the initial login page.
https://blog.fastmail.com/2016/07/18...en-more-secure

--
There'll be blog posts each day this week explaining the new login security features in detail.

Last edited by pjwalsh : 19 Jul 2016 at 06:27 AM.
Old 19 Jul 2016, 06:35 AM   #23
robn
Master of the @
 
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007

Representative of:
Fastmail.fm
Quote:
Originally Posted by pjwalsh View Post
U2F and app-specific passwords are great advances in FM login security.
I'm of the opinion that it's more secure and more user-friendly than any other consumer-grade two-factor out there. I've been telling anyone that will listen and we're hoping to do more presentations about U2F in the future.

Quote:
Chrome supports U2F, Firefox does not.
Sadly, Mozilla has yet to implement U2F support.
Others might list other browsers that support U2F.
All Chromium-based browsers should support it (Chromium, Chrome, Opera, Vivaldi, etc).

There is an extension for Mozilla, but no native support yet. I'm told that there are Mozilla engineers interested in it, but it's currently quite difficult to do securely in Mozilla due to the lack of sandboxing. I'm sure they'll get there in time.

Quote:
Amazon links for U2F capable keys:
We've tested with U2F devices from Hypersecu, Feitian, Neowave, Happlink and Nitrokey. At 9 euro the Nitrokey U2F is the cheapest one we've found, so it's certainly not expensive to get started.

Of course we'll continue supporting TOTP and other methods for the foreseeable future.

Last edited by robn : 19 Jul 2016 at 06:40 AM.
Old 19 Jul 2016, 06:38 AM   #24
robn
Master of the @
 
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007

Representative of:
Fastmail.fm
Quote:
Originally Posted by jkc054 View Post
I hope this is voluntary and not mandatory. If mandatory I may have to look for another email provider and what a pain that will be.
It's not mandatory. If regular username & password works fine for you then you can continue to do that.
Old 19 Jul 2016, 06:45 AM   #25
robn
Master of the @
 
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007

Representative of:
Fastmail.fm
Quote:
Originally Posted by BritTim View Post
For people who only use email for casual correspondence, these changes are not especially important. However, where email contains potentially confidential communications, it becomes important to keep accounts secure. 2FA, and especially U2F, are useful tools in assisting to ensure this, as are app/device specific passwords.
I'd argue that with the continuing use of email as the recovery option for most internet services, and with the prevalence of phishing scams, some sort of 2FA is worthwhile for all users. Unfortunately it is more complicated and requires some extra vigilance that is difficult for many users, so 2FA is unlikely to be something that we ever mandate. We are going to recommend it wherever possible and keep doing whatever we can to drive adoption.
Old 19 Jul 2016, 07:45 AM   #26
pjwalsh
Essential Contributor
 
Join Date: Dec 2008
Location: Canada
Posts: 312
Quote:
Originally Posted by robn View Post
There is an extension for Mozilla, but no native support yet. I'm told that there are Mozilla engineers interested in it, but it's currently quite difficult to do securely in Mozilla due to the lack of sandboxing. I'm sure they'll get there in time.
So.. does the extension do it securely?

https://addons.mozilla.org/en-US/fir...support-add-on

--
You can test a U2F key here:
https://demo.yubico.com/u2f

Last edited by pjwalsh : 19 Jul 2016 at 08:07 AM.
Old 19 Jul 2016, 08:02 AM   #27
robn
Master of the @
 
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007

Representative of:
Fastmail.fm
Quote:
Originally Posted by pjwalsh View Post
So.. does the extension do it securely?
My understanding of the issue is that the browser has to connect to the USB system in order to communicate with the U2F device. If this isn't done carefully, then it might be possible for arbitrary Javascript code to talk to any of your USB devices - disks, network devices, etc.

This is easier for Chrome to protect against because it already has its sandboxing model where as a last line of defence, Javascript can't do anything outside of its running context (usually the current tab).

Mozilla doesn't have this sandboxing model, mostly for legacy reasons, so the USB support needs to be implemented very carefully. It can't afford to be wrong as there isn't that last line of defence.

The (long) dev discussion is here: https://bugzilla.mozilla.org/show_bug.cgi?id=1065729.

Back to your original question about the extension. I don't know anything about it really, and I'm not a Mozilla user, so I can't really say anything about its security characteristics. If it's implemented the way that seems obvious to me (a secondary task using libu2f-host to communicate with the U2F device) then it's probably not too bad and I would probably use it.

Ultimately though you don't really have much guarantee about anything unless you're willing to go to a lot of effort. Chrome could be broken for all I know. I trust my browser because the alternative is more effort than it's worth. You know your own security needs, so you'll need to make the best choice for yourself.
Old 19 Jul 2016, 10:43 AM   #28
fmail_fan
Senior Member
 
Join Date: Feb 2015
Location: USA
Posts: 120
Quote:
Originally Posted by robn View Post
It's not mandatory. If regular username & password works fine for you then you can continue to do that.
Glad to hear it.
Old 19 Jul 2016, 09:01 PM   #29
GeraldR
Essential Contributor
 
Join Date: Apr 2007
Location: Canada
Posts: 227
2FA via SMS to Two different cell phones

Quote:
Originally Posted by robn View Post
You can add both numbers. You'll then be offered a choice of number to send to during login.
Thanks, that will solve it.
Old 19 Jul 2016, 10:14 PM   #30
FredOnline
The "e" in e-mail
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
Has anyone had notification from Fastmail of the new features in their Fastmail inbox?

I've had nothing yet.

All times are GMT +9. The time now is 05:31 PM.

 
