EmailDiscussions.com  

Old 26 Jul 2016, 06:21 AM   #181
minimalist
Junior Member
 
Join Date: Nov 2012
Posts: 11
Quote:
Originally Posted by sflorack
We can develop hypothetical scenarios to justify either option.
I'd seriously love to hear any real justification for having the box checked.

And it's also hard to understand the justification for everyone doing it (look at the top of this page). You can either make (providers hope the bulk of their) users check a box one time, or you can alienate your other users every time they log in.

I've unsubscribed to the NYTimes for this reason alone.
Old 26 Jul 2016, 06:28 AM   #182
robn
Master of the @
 
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007

Representative of:
Fastmail.fm
Quote:
Originally Posted by wam
Find your device in the App Passwords list and click the Remove button to revoke the password."

What will this do? Will it remove existing emails and contacts from the client or just stop syncing future emails and contacts but show previous emails and contacts?
Just stop syncing. The password will no longer work, so logins with that password will fail. That's all it does.
Old 26 Jul 2016, 07:05 AM   #183
ChinaLamb
The "e" in e-mail
 
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
Quote:
Originally Posted by wam
The document states;

"Revoke a client's access
Lost a device? Stopped using a particular app? To revoke a password for a particular device:

Open the Settings → Password & Security screen.
Enter your password to unlock the settings.
Find your device in the App Passwords list and click the Remove button to revoke the password."

What will this do? Will it remove existing emails and contacts from the client or just stop syncing future emails and contacts but show previous emails and contacts?

I do not want to test this on my mobile.
It will refuse a connection with the Fastmail server. If it was using IMAP, you might have offline access to previously sync'd items, if that is the way your app works. K9 mail, for instance, would still have offline access to the IMAP messages previously downloaded. If you are using the Fastmail App, you won't have any access at all. If you are revoking a POP3 access, everything they downloaded will still be available. If you are revoking a web browser access, they won't have access to anything...

It all depends on the technology and the app. There's no way to delete offline access to things in some apps, without deleting the app, which means having direct contact to the device.

Sorry, you probably wanted more detailed information.
Old 26 Jul 2016, 07:21 AM   #184
sflorack
The "e" in e-mail
 
Join Date: Feb 2002
Posts: 2,937
Quote:
Originally Posted by minimalist
I'd seriously love to hear any real justification for having the box checked.
My grandmother; she never leaves her retirement community and only ever uses one computer (hers).
Old 26 Jul 2016, 07:26 AM   #185
jaybea28309
Junior Member
 
Join Date: Jul 2009
Posts: 19
Quote:
Originally Posted by ChinaLamb
Lots of authenticator apps available for your smart phone too...
You can combine the two and use Yubico Authenticator. The TOTP credentials are kept on the Yubikey, so it is portable, and with some planning, you can have the same credentials on several Yubikeys.
Old 26 Jul 2016, 07:39 AM   #186
langreisboete
Junior Member
 
Join Date: Jul 2016
Posts: 9
Quote:
Originally Posted by sflorack
My grandmother; she never leaves her retirement community and only ever uses one computer (hers).
She just has to check that box once for the lifetime of her computer in that case.
Old 26 Jul 2016, 07:47 AM   #187
sflorack
The "e" in e-mail
 
Join Date: Feb 2002
Posts: 2,937
Quote:
Originally Posted by langreisboete
She just has to check that box once for the lifetime of her computer in that case.
If you're referring to the checkbox that says "Don't require two-step verification again on this device", she'd never have to check it. It's checked by default. (Wasn't that the whole point of this exhaustive discussion?)
Old 26 Jul 2016, 09:05 AM   #188
langreisboete
Junior Member
 
Join Date: Jul 2016
Posts: 9
Makes me wonder if Fastmail piloted the upgrade before implementing it.
Old 26 Jul 2016, 09:16 AM   #189
rharha
Senior Member
 
Join Date: Oct 2013
Posts: 100
Quote:
Originally Posted by sflorack
My grandmother; she never leaves her retirement community and only ever uses one computer (hers).
The way FM does it is better for most people but at every other service on the net you have to tick the box. Nevertheless a minuscule issue IMHO. Just untick the box.
Old 26 Jul 2016, 10:10 AM   #190
akorvemaker
Master of the @
 
Join Date: Nov 2002
Location: Canada
Posts: 1,015
Quote:
Originally Posted by akorvemaker
1. I add my voice to changing the default from "trust this computer" to leaving it unchecked.
Looks like the default is now unchecked, or it remembered my selection from last time.
Old 26 Jul 2016, 05:09 PM   #191
nudge
Junior Member
 
Join Date: Jul 2016
Posts: 29
The SMS system isn't secure anyway

I'm like the person earlier in the thread who had an Alternative Login setup for his kids, except that mine isn't for kids but it is a similar situation. I've got till the 31st of August to replace our configuration or just give the users full access to an account that they didn't have before and we definitely don't want to give them. In fact we wouldn't have paid for Fastmail accounts for this project if we had prior knowledge of these changes. Fastmail have suggested that I set up shared folders instead, but I can't see how that's going to help unless I move the users off the web interface and give them just SMTP / IMAP logins, but to do that I'll probably have to visit each one in person in order to set things up, which isn't very practical for me.

All this headache is part of a move to a new security setup which sounds like it's based very much on 2FA using SMS to your mobile phone. There's an elephant in that room that I've not seen anyone here mention: the SMS system is part of the telephone network. Any IT security specialist should know that this is not secure. I'm on holiday and don't have the details with me, but there are well-known flaws in the SMS system that can be exploited to intercept and redirect SMS messages to another phone. It may be unlikely, but you cannot be 100% safe using SMS as a second authentication factor.

My point is that Fastmail are taking away some functionality that people use and rely on and replacing it with something that isn't necessarily better. Their excuse is that not many people use it, their suggested alternatives are flimsy and their communication on these matters has not been good (some of my users have even been sent long technical mails written in English, which they wouldn't understand even if they spoke English).

I wish they would reconsider removing Alternative Logins on the 31st August and give us a few more months to work out alternative solutions.
Old 26 Jul 2016, 10:17 PM   #192
FredOnline
The "e" in e-mail
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
Quote:
Originally Posted by nudge
All this headache is part of a move to a new security setup which sounds like it's based very much on 2FA using SMS to your mobile phone. There's an elephant in that room that I've not seen anyone here mention: the SMS system is part of the telephone network. Any IT security specialist should know that this is not secure. I'm on holiday and don't have the details with me, but there are well-known flaws in the SMS system that can be exploited to intercept and redirect SMS messages to another phone. It may be unlikely, but you cannot be 100% safe using SMS as a second authentication factor.
You seem to be most concerned about the SMS option - there are other alternatives available, it's all detailed in the Fastmail blog.
Old 27 Jul 2016, 12:32 AM   #193
easemail
Member
 
Join Date: Nov 2010
Posts: 75
I agree with Nudge above... there should be more time to sort everything out. I'm having a stressful week of work and now I have to totally rethink my security strategy for my email on top of it. I can't imagine how this would be if I was on vacation!

Wish I could say I was surprised by all this, but being a longtime Fastmail user I kind of expect quick radical changes with little notice. I've wanted to recommend Fastmail to other people before, but it's situations like this that keep me from doing so.

Fastmail has reduced an ice cream shop full of all kinds of flavors to basically two: Use a master password or use 2 factor auth. The former leaves you at risk to keyloggers and man-in-the-middle attacks, while the latter just basically takes more time & effort to implement. I know that for most people having just two options will work, but those other flavors being available were a HUGE value add to some of us.

Old 27 Jul 2016, 02:06 AM   #194
nighthawk700
Essential Contributor
 
Join Date: Oct 2004
Location: Baltimore, MD Suburbs (US)
Posts: 237
So after all this discussion, the US NIST (National Institute of Standards and Technology) dropped this today (or yesterday, I was only sent the article today).

"NIST declares the age of SMS-based 2-factor authentication over"
https://techcrunch.com/2016/07/25/ni...tication-over/
Old 27 Jul 2016, 02:20 AM   #195
ChinaLamb
The "e" in e-mail
 
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
Quote:
Originally Posted by nighthawk700
So after all this discussion, the US NIST (National Institute of Standards and Technology) dropped this today (or yesterday, I was only sent the article today).

"NIST declares the age of SMS-based 2-factor authentication over"
https://techcrunch.com/2016/07/25/ni...tication-over/
This is not an issue. From the article:
The alternative is to use a dedicated 2FA app like Google Authenticator or RSA SecurID, or a dedicated secure device like a dongle. There are plenty of options — SMS was just the easy one.
If you notice, the Google App is one of the options for 2 factor under Passwords and Security for Fastmail. Fastmail is implementing the latest method of 2FA.
All times are GMT +9.