FastMail Forum. All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.
25 Dec 2018, 01:52 AM #1
The "e" in e-mail
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
Necessary Security Discussion to start 2019 right
TLR Ditch everything else, and start the new year out with FIDO
Authenticator codes are now broken and offer little real security: From: https://mashable.com/article/hackers.../#K6LfewCAGOql Unfortunately, 2 factor "authenticator" codes from Google Authenticator and similar tools are phishable, through man in the middle attacks.Unfortunately SMS Codes are likewise woefully inadequate: From: https://www.entrepreneur.com/article/317830 The only significant answer right now, seems to be FIDO U2F From: https://www.yubico.com/2017/10/creat...-security-key/FIDO Devices IF you use a mobile device, you'll need SOMETHING more than a simple USB device. Your phone needs to be authenticated to use Fastmail. That leaves you with either a Bluetooth or a NFC Based FIDO U2F compliant device. You should NOT authenticate your phone with Authenticator codes or SMS codes due to the issues above./cl Last edited by ChinaLamb : 25 Dec 2018 at 05:38 AM. |
25 Dec 2018, 05:32 AM #2
The "e" in e-mail
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,084
Yes, FIDO U2F is the way to go, especially since Apple finally stopped trying to sabotage U2F (though they still try to push their own proprietary solutions like Face ID).
25 Dec 2018, 05:41 AM #3
The "e" in e-mail
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
Can Face ID be used as 2 factor for Fastmail?
25 Dec 2018, 06:28 AM #4
The "e" in e-mail
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
Security Best Practices
Copied from: https://www.reddit.com/r/yubikey/com...stions_please/

Use a Password Manager. You shouldn't have passwords memorized, and you definitely should not be reusing passwords amongst multiple services. Bitwarden (open source), KeePassXC, Dashlane, LastPass, 1Password, Keeper all have free tiers (KeePassXC is completely open source!), and all of these support using a YubiKey to make logging into them even more secure.

2 Factor all things. Your high level goal should be to start using 2FA more often. In other words, start using something you know (a password) and something you have (a FIDO compliant key) whenever you can. Doubly so when you're working with a service that's important.

Not all 2FA is created equal. ....In other words, don't buy a huge steel front door and then leave an open window next to it.
29 Dec 2018, 11:30 PM #5
Member
Join Date: Nov 2010
Posts: 75
Wow, fantastic thread! Been hearing the stories of 2FA being phishable, but didn't realize that FIDO can take care of that.
I use the Fastmail app on my phone and I wonder how "phishable" it would be using an authenticator app. I see how going through a browser would put you at risk, but does anyone know how robust the app is by chance? I assume that it's not just a simple browser wrapped app, but I'm not sure.
30 Dec 2018, 05:53 AM #6
Junior Member
Join Date: Nov 2012
Posts: 11
Quote:
30 Dec 2018, 07:09 AM #7
The "e" in e-mail
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
|
30 Dec 2018, 09:11 PM #8
The "e" in e-mail
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
As regards this:
Quote:
Having a PIN to unlock your phone is one factor; then you have your authenticator, a second factor. If your authenticator app also has PIN access, that's a third factor.
30 Dec 2018, 10:35 PM #9
The "e" in e-mail
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
However, you are missing the point that the codes that Authy gives you are phishable. The point here is to get rid of that kind of second factor altogether.
30 Dec 2018, 10:42 PM #10
The "e" in e-mail
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
You're assuming I'm missing the point. I'm not.
My post does not state my suggestions make the authenticator unphishable. I've responded to the quotes only.
31 Dec 2018, 12:35 AM #11
Essential Contributor
Join Date: Dec 2017
Location: Scotland
Posts: 483
Quote:
31 Dec 2018, 02:10 AM #12
The "e" in e-mail
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,084
Quote:
31 Dec 2018, 04:33 AM #13
The "e" in e-mail
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
Quote:
Which is the point of my post here. People need to know that security keys, authenticator codes, etc. etc. etc., if not FIDO compliant, are susceptible to MITM attacks. FIDO, by creation, is not susceptible to MITM attacks.
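To make the distinction drawn in posts #1 and #13 concrete, here is an added stdlib-only Python simulation (not code from this thread, from FastMail or from Yubico). It shows why a TOTP "authenticator code" verifies no matter which page collected it, while a U2F-style assertion fails verification unless the origin the browser recorded matches the relying party, and why the signature counter rejects a replayed assertion. HMAC-SHA256 stands in for the P-256 ECDSA signature a real key produces; RP_ID, the origins and the TOTP seed are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import secrets
import struct

# --- TOTP (RFC 6238): the "authenticator code" kind of second factor ---

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """HOTP over the current 30-second window, with the RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def totp_verify(secret: bytes, code: str, unix_time: int) -> bool:
    # The verifier sees only the seed, the code and the clock. Nothing in its
    # input says which site the user typed the code into, so a code collected
    # on any page is indistinguishable from one typed on the genuine one.
    return hmac.compare_digest(totp(secret, unix_time), code)


# --- U2F-style assertion: the signature covers the origin the browser saw ---

RP_ID = "fastmail.example"            # constructed placeholder, not FastMail's real app id
RP_ORIGIN = "https://fastmail.example"  # constructed placeholder


class SecurityKey:
    """Toy authenticator. HMAC-SHA256 stands in for the ECDSA signature of a real
    key; what is signed mirrors the U2F authentication response:
    sha256(appId) || user-presence byte || 4-byte counter || sha256(clientData)."""

    def __init__(self):
        self._keys = {}
        self._counter = 0

    def register(self, app_id: str):
        handle = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._keys[handle] = (app_id, key)
        return handle, key  # a real key returns a public key; the toy shares the HMAC key

    def sign(self, handle: str, browser_origin: str, challenge: str):
        app_id, key = self._keys[handle]
        self._counter += 1
        # The browser, not the web page, fills in the origin it is actually showing.
        client_data = json.dumps({"typ": "navigator.id.getAssertion",
                                  "challenge": challenge,
                                  "origin": browser_origin}, sort_keys=True).encode()
        signed = (hashlib.sha256(app_id.encode()).digest() + b"\x01"
                  + struct.pack(">I", self._counter) + hashlib.sha256(client_data).digest())
        return client_data, self._counter, hmac.new(key, signed, hashlib.sha256).digest()


def rp_verify(key, app_id, expected_origin, expected_challenge,
              client_data, counter, sig, last_counter) -> bool:
    """Relying-party side checks, in the order a real U2F server performs them."""
    cd = json.loads(client_data)
    if cd.get("origin") != expected_origin:   # assertion was produced on another site
        return False
    if cd.get("challenge") != expected_challenge:
        return False
    if counter <= last_counter:               # replayed assertion or cloned key
        return False
    signed = (hashlib.sha256(app_id.encode()).digest() + b"\x01"
              + struct.pack(">I", counter) + hashlib.sha256(client_data).digest())
    return hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), sig)


def demo() -> dict:
    results = {}
    # TOTP: the same code verifies regardless of which page collected it.
    seed = b"constructed-totp-seed"
    now = 1_546_300_800  # 2019-01-01 00:00:00 UTC, a fixed clock for the demo
    code_collected_elsewhere = totp(seed, now)
    results["totp_code_accepted_wherever_typed"] = totp_verify(seed, code_collected_elsewhere, now)

    # U2F-style: the relying party issues a challenge; the browser binds its origin.
    key_dev = SecurityKey()
    handle, shared = key_dev.register(RP_ID)
    last_counter = 0
    challenge = base64.urlsafe_b64encode(secrets.token_bytes(32)).decode()
    cd, ctr, sig = key_dev.sign(handle, RP_ORIGIN, challenge)
    results["fido_genuine_origin"] = rp_verify(shared, RP_ID, RP_ORIGIN, challenge, cd, ctr, sig, last_counter)
    last_counter = ctr

    # The same assertion presented a second time is rejected by the counter check.
    results["fido_replayed_assertion"] = rp_verify(shared, RP_ID, RP_ORIGIN, challenge, cd, ctr, sig, last_counter)

    # A fresh challenge, but the browser is showing a look-alike origin (constructed name).
    challenge2 = base64.urlsafe_b64encode(secrets.token_bytes(32)).decode()
    cd2, ctr2, sig2 = key_dev.sign(handle, "https://fastmai1.example", challenge2)
    results["fido_lookalike_origin"] = rp_verify(shared, RP_ID, RP_ORIGIN, challenge2, cd2, ctr2, sig2, last_counter)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The decisive line is the origin comparison in `rp_verify`: the key never learns or checks the origin itself, but because the browser writes the origin it is displaying into the signed client data, an assertion minted on any other site cannot satisfy the genuine relying party. The TOTP verifier has no equivalent field to check, which is the structural reason the two factors differ, independent of how carefully the user reads the address bar.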
31 Dec 2018, 06:16 AM #14
The "e" in e-mail
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
Just been re-reading the FastMail blog from July 2016:
https://fastmail.blog/2016/07/23/how...ity-keys-work/
Quote:
31 Dec 2018, 06:23 AM #15
The "e" in e-mail
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,320
I strongly recommend having 2 FIDO keys for this exact reason. I had one of the old non-FIDO YubiKeys, and it failed on me; luckily my wife had one too and I was able to get into the account that way.
Having the key fail was a great reminder that the old YubiKeys were non-FIDO compliant, so I upgraded.