EmailDiscussions.com  

Go Back   EmailDiscussions.com > Email Service Provider-specific Forums > FastMail Forum
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read
Stay in touch wirelessly

FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.

Reply
 
Thread Tools
Old 15 Oct 2018, 04:34 AM   #1
PON
Essential Contributor
 
Join Date: Mar 2002
Location: Wicklow, Ireland
Posts: 449
Yubikey and Firefox / Chrome

I use Yubikeys with my Fastmail account (1 and a couple of spares) for two-factor authentication.

Works fine with Chrome. If I use Firefox my account behaves as if my preferred authentication is via SMS, which is configured for account recovery purposes.

Anyone else seeing this?
PON is offline   Reply With Quote

Old 15 Oct 2018, 05:16 AM   #2
placebo
Cornerstone of the Community
 
Join Date: Jun 2004
Posts: 740
Last I looked, Chrome is the only browser which supports 2FA with the Yubikey.
placebo is offline   Reply With Quote
Old 15 Oct 2018, 05:24 AM   #3
PON
Essential Contributor
 
Join Date: Mar 2002
Location: Wicklow, Ireland
Posts: 449
Ah, that would explain that then! (I have mostly used Chrome for the last few years; started using Firefox more lately)
PON is offline   Reply With Quote
Old 15 Oct 2018, 07:44 AM   #4
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,685
General observations trying a Yubikey. Yes, Chrome is the browser you need, and sometimes there are issues with various Linux distros. I managed to get it to work with some and not with others. However, my bottom line is that email is something I need to log into almost anywhere at any time, and if for some reason I don't have the Yubikey I need a fallback option, which basically defeats the purpose of the Yubikey, doesn't it? In other words, let's say the fallback is either SMS or email authentication--well, the hackers could also use those to fallback on and they are much easier to hack. You can use an authenticator app with some email services as the fallback option, but why not just use that as the primary means if you have it as a fallback? I do keep backup codes, but I don't carry those around with me. So far I'm not seeing the great advantage of a Yubikey over just using an authenticator app for important accounts, assuming your preferred service allows the use of one or both. One thing I have wondered about is why services couldn't just have a secondary PIN number that only you know and they have no access to? In other words, you need your username and password to log in, and then you are presented with a timed box where you must enter your secret PIN that only you know. You might have 10 seconds and only three tries and then your account would be locked for some period of time. Seems like in practical use it would be just as secure as a Yubikey or an authenticator app without all the hassle.
TenFour is offline   Reply With Quote
Old 15 Oct 2018, 01:09 PM   #5
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,084
The use of a PIN number is equivalent to just having two consecutive passwords (two things you "know") which a keylogger would likely make no more secure than a single password. The idea of a Yubikey or SMS or biometric factor is that it tries to require you to show one thing you "know" and one thing you "have".

Those choosing to use a Yubikey as the second factor do need to understand the consequences. I would be much happier with Yubikey and SMS fallback when you cannot use a Yubikey, if you could set a timeout delay before the fallback was used, i.e. if there was a successful login using the Yubikey during, say, the last 24 hours, no fallback was available. If you were aware of the need for non Yubikey access in advance, you could choose to set this timeout delay very small, say 10 minutes. This would avoid the possibility of being permanently locked out with no way of recovering your account, while preventing most attempts to hack your account by misappropriating your phone or phone number.
BritTim is offline   Reply With Quote
Old 16 Oct 2018, 06:39 AM   #6
minimalist
Junior Member
 
Join Date: Nov 2012
Posts: 11
Quote:
Originally Posted by PON View Post
I use Yubikeys with my Fastmail account (1 and a couple of spares) for two-factor authentication.

Works fine with Chrome. If I use Firefox my account behaves as if my preferred authentication is via SMS, which is configured for account recovery purposes.

Anyone else seeing this?
Try setting security.webauth.u2f equal to true in website about:config within Firefox. I don't have fastmail any more, but it works with other 2FA sites.
minimalist is offline   Reply With Quote
Old 16 Oct 2018, 10:23 AM   #7
EricG
Essential Contributor
 
Join Date: Aug 2009
Location: Canada
Posts: 296
Quote:
Originally Posted by minimalist View Post
Try setting security.webauth.u2f equal to true in website about:config within Firefox. I don't have fastmail any more, but it works with other 2FA sites.
It's been available for over a year. Wonder why it's not the default?
EricG is offline   Reply With Quote
Old 17 Oct 2018, 11:17 AM   #8
PON
Essential Contributor
 
Join Date: Mar 2002
Location: Wicklow, Ireland
Posts: 449
First, thanks for the Firefox tip. That's good to know. (Works perfectly).

Comments on the Yubikey:

I have had zero issues on any version of Linux (Mint, Ubuntu, and Debian mainly, multiple flavours 32 bit, 64 bit, different desktops) with Chrome / Chromium. I use Yubikeys mainly with Fastmail, Lastpass and Google accounts. Have also used Google Authenticator with Lastpass exclusively for the last year, as well as using it for years with other things that don't support Yubikeys (Synology login e.g).

For me a Yubikey is hands down more convenient than Google Authenticator. It's fast -- I have two plugged in to side by side laptops on my desk and a spare on my key ring. I don't have to find my phone. Open it. Enter a code. Find the app. Find the right authentication code. Wait for it to reset so that I have time to enter it before it changes.

I don't have to worry if my phone is charged or if i lose the device and I have backup keys. I've somehow not got around to having an additional Google Authenticator set up on another device. I tried it once, ran into some problem and never got back to it. Wasn't even sure I could do it.

Even if I didn't have a Yubikey I can still get to my email in two ways: password reset via SMS and, if I didn't have my phone, via a login that doesn't require 2FA. I can do that in two ways: masteruser a/c (which I don't use w 2FA and rarely use) and also via a backup account with another provider (first MX record points to it) which I actually use for preprocessing mail and which maintains a chrono file for me. I use this if Fastmail is unavailable or if I need to check for rejected mail. In 16 years I've needed it twice when Fastmail was unavailable and once to understand why some non-received mail was undeliverable (sender had no reverse DNS).

A time delay before SMS kicks in as a fallback authentication approach seems to me a potential double-edged sword when you need access to mail NOW and don't have a Yubikey -- your keys are missing or whatever.

Last edited by PON : 17 Oct 2018 at 11:26 AM.
PON is offline   Reply With Quote
Old 17 Oct 2018, 12:18 PM   #9
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,084
Quote:
Originally Posted by PON View Post
A time delay before SMS kicks in as a fallback authentication approach seems to me a potential double-edged sword when you need access to mail NOW and don't have a Yubikey -- your keys are missing or whatever.
I can well believe some would prefer the slight security risk of an account hack over the possibility of being locked out for a limited period. That is why I suggest the time delay should be a user controllable option. Personally, I feel more concerned at the (admittedly slight) risk of my account being hacked, the password changed, and losing control permanently than the inconvenience of temporary unavailability of the account if I fail to plan ahead.
BritTim is offline   Reply With Quote
Old 17 Oct 2018, 09:32 PM   #10
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,685
Quote:
Even if I didn't have a Yubikey I can still get to my email in two ways: password reset via SMS and, if I didn't have my phone, via a login that doesn't require 2FA.
But doesn't having a backup via SMS and/or email defeat the purpose of the Yubikey? Can't hackers just use the backup methods too?
TenFour is offline   Reply With Quote
Old 22 Oct 2018, 11:43 PM   #11
PON
Essential Contributor
 
Join Date: Mar 2002
Location: Wicklow, Ireland
Posts: 449
Yes, that's a fair point.

In the case of SMS the hacker has to know what SMS number you've reserved for the account recovery. If you are not using it for routine login and it's not your normal number, but that of someone you know, it's less of a risk. The only circumstance I'd use it is if away from home (no spare Yubikey) and if my existing keys were stolen. I do not consider SMS secure but it's better than nothing.

The alternative is another account with admin rights and/or a one-time pad type password.

A potentially useful feature for Fastmail to add would be warnings of attempted account compromises. I get them for a draft Wikipedia page I have in preparation which someone wants to edit quite badly, badly enough to try to hack my account. I get them from my Synology diskstation which is primed to lock out offending IP addresses, and from other systems. Google and others ask me to confirm my identity if I log in from a different country than usual. It could be an early warning of a need to strengthen one's security.
PON is offline   Reply With Quote
Old 2 Nov 2018, 07:55 AM   #12
NumberSix
Cornerstone of the Community
 
Join Date: Jan 2003
Location: The Village
Posts: 599
Quote:
Originally Posted by TenFour View Post
But doesn't having a backup via SMS and/or email defeat the purpose of the Yubikey? Can't hackers just use the backup methods too?
This is something that has concerned me a bit, too. I don't use SMS for FM but have the Duo authenticator as a second factor for use with the iOS Fastmail app, which I sometimes use. Can't use Yubikey with my iPhone 5s. So then, as you point out, if attacking Duo is easier than attacking the Yk, then that's the vector they will choose. But really, I think you only have to worry about this if you are being individually targeted by a Five Eyes-level state actor

Does anyone know if it's possible to, say, reject anything other than Yk as second factor when accessing from a PC browser? I would be ok with that, even if it means that worst case I am locked of my mail for a while. I have two keys, stored separately. I really only want Duo as the second factor for iPhone app access, but once I configure it, it seems to make itself available everywhere.

Anyway, at least I'm not dependent on SMS I don't like to use SMS as a second factor, but my bank, for instance, only offers this. I have asked them to put something more secure in place, like Duo or Google Auth app, but they haven't (not surprisingly).

I too am using the Yk with Firefox post-57, so you are not limited to Chrom(ium). Works with FM on Firefox, but Facebook doesn't. I do use the Yk with Facebook as well, but have to use Chromium, because they don't support Firefox.
NumberSix is offline   Reply With Quote
Old 2 Nov 2018, 08:11 AM   #13
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,685
The problem is that Yubikeys and similar are way too complicated for wide adoption at this time, and they often don't really offer any additional security when all the bad guy has to do is revert to the alternate authentication method in many cases. I don't think this is restricted to the Five Eyes types at all. For example, when I was using it with Gmail if the Yubikey doesn't work it asks me if I want to use an alternate method. I bet a high percentage of people have SMS as the backup method, and with some services that is the only available backup. Frankly, unless you are specifically being targeted I suspect that SMS is quite secure--the bad guys have to compromise it first. Sure, maybe that is somewhat easier to do than compromising other methods, but for most of us that little hurdle makes us not the low-hanging fruit. It's like locking the front door of your house. Any semi-skilled thief won't be delayed more than a minute by that with most locks and doors, but that is just enough to mean they are likely to bypass you and instead try the next door down that may be unlocked.
TenFour is offline   Reply With Quote
Reply


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Forum Jump


All times are GMT +9. The time now is 12:14 AM.

 

Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy