FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc. |
28 Aug 2016, 11:23 AM | #1 |
Master of the @
Join Date: Aug 2002
Location: Israel
Posts: 1,060
|
What's the alternative for restricted logins?
Using Two-Step verification is less convenient. Using the master password is less secure. Is there an option for logging in from untrusted computers that would not put my master password at risk and would not increase my risk for account hijacking (due to the use of master password)?
Unless I'm missing something, anyone who used a duo of complex master password and an easy-to-type restricted password (and wants to avoid the inconvenience of Two-Step verification) will now have to (1) use their master password, and (2) change it to an easy-to-type string to maintain the same level of convenience. The new system is aiming to improve security, but is likely to reduce security for those who do the above, and I'm sure many would. |
28 Aug 2016, 06:26 PM | #2 |
The "e" in e-mail
Join Date: Jul 2002
Location: VK4
Posts: 3,020
|
For those who do not want to use the 2 stage verification perhaps it could be set up so they can use another password instead of the main one, that way the account would still be secure as they don't have access to the main password.
Similar to what we had before they changed things.... |
28 Aug 2016, 11:01 PM | #3 |
Essential Contributor
Join Date: Dec 2008
Location: Canada
Posts: 312
|
Master or restricted, 2FA is so much more secure than using just a password.
There seems to be the presumption here that it's 'okay' if a restricted password is compromised. With it, all online services using your FM address as backup can be reset and accessed. Is that vulnerability worth the 'convenience'?
Last edited by pjwalsh : 28 Aug 2016 at 11:17 PM. |
28 Aug 2016, 11:19 PM | #4 |
Essential Contributor
Join Date: Oct 2008
Posts: 212
|
If a restricted or non-master pw is compromised, the attacker wouldn't have access to the master pw which can access the Password & Security screen for an account takeover.
Also, I don't give my various online services my exact FM email address. Instead I give them other email addresses I own that get forwarded to my FM account. Not foolproof, but more hoops the attacker must jump through to determine how to compromise my other services. Anyway, in answer to your question of "Is that vulnerability worth the 'convenience'" -- I'd rather make that decision myself on a case-by-case basis depending on the computer I am logging into, which is why I loved the Alternative Logins feature. Most of the time 2FA is the better option & I used it, but not always. But I definitely agree with you that 2FA is much more secure than just a password. |
18 Sep 2016, 05:56 AM | #5 |
The "e" in e-mail
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 4,845
|
Frankly I do not see how 2FA using either an app on my phone or an SMS message to generate the 2nd factor to log in to Fastmail's app or the web interface on the same phone is much more secure than just using my master password on the same phone. It is the phone itself that generates the 2nd factor, and whoever has it also has the 2nd factor.
Also I don't think my phone is reliable enough to serve as a key without which I cannot access Fastmail. |
18 Sep 2016, 03:31 PM | #6 | |
Essential Contributor
Join Date: Oct 2008
Posts: 212
|
Quote:
|
|
20 Sep 2016, 05:56 AM | #7 |
The "e" in e-mail
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 4,845
|
I actually do use the lock screen this way, and also use another lockscreen (provided by an app called "Application protection") to protect some apps including Fastmail, but AFAIK these lock screens are considered rather poor protection.
|