EmailDiscussions.com

FastMail Forum: All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.
Old 3 May 2013, 11:00 AM   #1
robn
Master of the @
 
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007

Representative of:
Fastmail.fm
Google Authenticator support now available

FYI, we've just released support for Google Authenticator (aka OATH TOTP, aka RFC 6238) for two-factor authentication.

http://blog.fastmail.fm/2013/05/03/g...uthentication/
robn is offline   Reply With Quote

Old 3 May 2013, 11:42 AM   #2
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,544
Thanks, Rob! I just tried this on my iPhone and iPad, and it works great! The QR code makes it easy for those devices.

Bill
n5bb is offline   Reply With Quote
Old 3 May 2013, 06:28 PM   #3
Berenburger
The "e" in e-mail
 
Join Date: Sep 2004
Location: The Netherlands
Posts: 2,524
I have set up two-factor authentication with Google Authenticator, but can still log in with my regular password (without appending the verification code to the password). What am I doing wrong?
Berenburger is offline   Reply With Quote
Old 3 May 2013, 06:41 PM   #4
ulmus
Senior Member
 
Join Date: Feb 2011
Location: Poland
Posts: 193
What about email clients? Is 2-factor auth valid only for the web browser interface? Is there something like an application authorisation? What is it for, if I can log into FM with my regular password or with the same password using any IMAP/POP client? Simply, I don't understand this implementation of 2-factor auth.... In a Google account it works: if I turn it on then I have to confirm every login or authorise an app so I don't have to authorise every time... in FM it works just like another way to log in...
ulmus is offline   Reply With Quote
Old 3 May 2013, 09:15 PM   #5
B4its2L8
Master of the @
 
Join Date: Dec 2007
Location: Hiding under my bed
Posts: 1,465
From the FM Help section:
Quote:
We've tested our Google Authenticator support with the official Google Authenticator clients for iOS and Android, and recommend those.
Well, I only use a home desktop computer (Windows 7 Pro). I've never used the GA and just started reading a bit about it. Supposedly, there is a version of it for Windows PCs. I'm wondering if any users here -- or the FM staff -- can confirm that it works as well as the ones for the devices mentioned above.
B4its2L8 is offline   Reply With Quote
Old 3 May 2013, 10:50 PM   #6
robn
Master of the @
 
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007

Representative of:
Fastmail.fm
Quote:
Originally Posted by Berenburger View Post
I have set up two-factor authentication with Google Authenticator, but can still log in with my regular password (without appending the verification code to the password). What am I doing wrong?
That's by design. Your regular password will continue to work as it always has. When you set up an alternate login, you create a new "base" password that gets combined with the verification code to produce an alternate "password".

This is the same approach we use with our other OTP methods. The idea is that you'll make your master password something long and complicated and then only use it to manage your alternate logins (write it down and put it in a safe or something like that). For everyday use, you use one of your alternate logins.

Quote:
Originally Posted by ulmus View Post
What about email clients? Is 2-factor auth valid only for the web browser interface? Is there something like an application authorisation? What is it for, if I can log into FM with my regular password or with the same password using any IMAP/POP client? Simply, I don't understand this implementation of 2-factor auth.... In a Google account it works: if I turn it on then I have to confirm every login or authorise an app so I don't have to authorise every time... in FM it works just like another way to log in...
When you create the alternate login you have the option to specify "full access". Full access alternate logins will work for IMAP and other services. Restricted access logins can only access web and FTP services.

There's no way to create a per-application alternate login. That would be a cool feature though.

Quote:
Originally Posted by B4its2L8 View Post
From the FM Help section: Well, I only use a home desktop computer (Windows 7 Pro). I've never used the GA and just started reading a bit about it. Supposedly, there is a version of it for Windows PCs. I'm wondering if any users here -- or the FM staff -- can confirm that it works as well as the ones for the devices mentioned above.
The wisdom of the Internet suggests that gauth4win is the best (only?) option for Windows desktops. I don't have a Windows machine here at home so I can't test, but if it implements the TOTP standard correctly you should have no problem. If it works for you please post in this thread and let us know!
robn is offline   Reply With Quote
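The login format robn describes above (a "base" password with the RFC 6238 code appended, checked by the same mechanism as the other OTP logins) is shown here as a server-side check. This is an added example, not FastMail's code: the TOTP secret is the RFC 6238 reference key, and the base password and submitted strings are constructed inputs.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # RFC 6238 default time step in seconds


def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the counter floor(t / STEP)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_alternate_login(submitted: str, base_password: str, secret_b32: str,
                           now: int, window: int = 1) -> bool:
    """Accept 'basepassword123456': the last six digits are the TOTP code.

    An empty base password (as one poster notes) reduces this to the code alone.
    """
    if len(submitted) < 6 or not submitted[-6:].isdigit():
        return False
    base, code = submitted[:-6], submitted[-6:]
    # Constant-time comparisons so the check leaks nothing about which part failed.
    if not hmac.compare_digest(base.encode(), base_password.encode()):
        return False
    # Tolerate clock drift of +/- `window` steps; a real deployment must also
    # reject a code that has already been used within its validity window.
    for skew in range(-window, window + 1):
        if hmac.compare_digest(code, totp(secret_b32, now + skew * STEP)):
            return True
    return False


# Constructed demo values: RFC 6238 reference secret "12345678901234567890" in base32.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_BASE = "correct-horse"

if __name__ == "__main__":
    print(totp(DEMO_SECRET, 59))                                   # 287082
    print(verify_alternate_login("correct-horse287082", DEMO_BASE, DEMO_SECRET, 59))
```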
Old 4 May 2013, 05:27 AM   #7
NullSonic
Junior Member
 
Join Date: Dec 2003
Location: Capital District, NY
Posts: 18
Interesting way to implement, but I love it! Thanks so much for adding Google Authenticator to the mix. I use it for several other services and using it for one of my most important resources (email) just makes sense.
One tip, though: the help wasn't clear (to me anyway) on how this worked. Reading this thread, and especially the part about the old password still working, was very helpful. I've now made my master password very complex and now use the new alt pw. It would have also helped to know that basically, the new alt pw format is "xxxxx123456" where xxxxx is the base pw and 123456 is the Google auth code.
Again, thanks so much for giving us this option.
-john
NullSonic is offline   Reply With Quote
Old 4 May 2013, 05:35 AM   #8
akorvemaker
Master of the @
 
Join Date: Nov 2002
Location: Canada
Posts: 1,002
Quote:
Originally Posted by NullSonic View Post
It would have also helped to know that basically, the new alt pw format is "xxxxx123456" where xxxxx is the base pw and 123456 is the Google auth code.
Clicking "more" and entering it in the Yubikey space also works.

But yes, it would have helped to know that
akorvemaker is offline   Reply With Quote
Old 4 May 2013, 06:31 AM   #9
Berenburger
The "e" in e-mail
 
Join Date: Sep 2004
Location: The Netherlands
Posts: 2,524
Quote:
Originally Posted by NullSonic View Post
I've now made my master password very complex and now use the new alt pw. It would have also helped to know that basically, the new alt pw format is "xxxxx123456" where xxxxx is the base pw and 123456 is the Google auth code.
If you leave your base password empty in the setup, then only the auth code is needed. OK, less secure.
Berenburger is offline   Reply With Quote
Old 4 May 2013, 06:45 AM   #10
Berenburger
The "e" in e-mail
 
Join Date: Sep 2004
Location: The Netherlands
Posts: 2,524
Quote:
Originally Posted by n5bb View Post
Thanks, Rob! I just tried this on my iPhone and iPad, and it works great! The QR code makes it easy for those devices.
Just tested it on my Windows Phone with Microsoft Verificator. Works!
That brings me to the question: why is it called Google Authenticator?
Berenburger is offline   Reply With Quote
Old 4 May 2013, 07:17 AM   #11
ericderuiter
Member
 
Join Date: Apr 2002
Posts: 40
I appreciate the security of using the alternate login when on a computer that is not mine and I can't be sure it doesn't have a key logger, but it would also be nice to be able to force an account to require 2-factor like Gmail does. Google requires the second factor if you haven't logged in with your account on a computer for the past 30 days.

This shouldn't be called two-factor authentication since we can't force it to require the second factor. The main password will still give full access. Controls in business accounts to manage / reset two-factor for users' accounts would be great.
ericderuiter is offline   Reply With Quote
Old 4 May 2013, 07:53 AM   #12
B4its2L8
Master of the @
 
Join Date: Dec 2007
Location: Hiding under my bed
Posts: 1,465
Quote:
Originally Posted by ericderuiter View Post
I appreciate the security of using the alternate login when on a computer that is not mine and I can't be sure it doesn't have a key logger, but it would also be nice to be able to force an account to require 2-factor like Gmail does. Google requires the second factor if you haven't logged in with your account on a computer for the past 30 days.

This shouldn't be called two-factor authentication since we can't force it to require the second factor. The main password will still give full access. Controls in business accounts to manage / reset two-factor for users' accounts would be great.
+1

From what little I understand of such things, the Yubikey option is more in line with the true (and 'forced') 2FA à la Gmail.
B4its2L8 is offline   Reply With Quote
Old 4 May 2013, 09:26 AM   #13
robn
Master of the @
 
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007

Representative of:
Fastmail.fm
Quote:
Originally Posted by NullSonic View Post
One tip though, the help wasn't clear (to me anyway) on how this worked. Reading this thread, and especially the part about the old password still working was very helpful. I've now made my master password very complex and now use the new alt pw. It would have also helped to know that basically, the new alt pw format is "xxxxx123456" where xxxxx is the base pw and 123456 is the Google auth code.
Well it is in the docs:

Quote:
enter your password into the password field, followed immediately by the numeric code
But I'll agree that that's a bit difficult to understand - I even thought that as I wrote it! There is more info in the general docs on alternative logins, but it's all a bit all over the place, it's true. I'll see what I can do about it.

Quote:
Originally Posted by akorvemaker View Post
Clicking "more" and entering it in the Yubikey space also works.
Yes, it uses the same mechanism. I didn't want to mention it in the docs immediately because I thought it might add more confusion - "use the Yubikey field to login with Google Authenticator". What I have done is open a ticket with our UI devs to get the login box made a bit clearer. We'll see!
robn is offline   Reply With Quote
Old 4 May 2013, 09:30 AM   #14
robn
Master of the @
 
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007

Representative of:
Fastmail.fm
Quote:
Originally Posted by Berenburger View Post
Just tested it on my Windows Phone with Microsoft Verificator. Works!
That brings me to the question: why is it called Google Authenticator?
Great to hear that it works!

"Google Authenticator" was the first implementation of this to gain anything approaching widespread use, and so it's already known to many people interested in two-factor authentication. It's also perhaps the best client available for Android and iOS, which of course are where most of the users of this are going to be - the QR code support is brilliant.

The official name is "Time-Based One-Time Passwords" and the protocol is described in RFC 6238, an internet standards document. I tried to make it clear in the documentation and other text that this is an implementation of the standard for those who refer to it that way, while still making it obvious for anyone who doesn't care about that sort of thing. I hope I managed to strike a good balance.
robn is offline   Reply With Quote
Old 4 May 2013, 09:36 AM   #15
robn
Master of the @
 
Join Date: May 2012
Location: Melbourne, Australia
Posts: 1,007

Representative of:
Fastmail.fm
Quote:
Originally Posted by ericderuiter View Post
I appreciate the security of using the alternate login when on a computer that is not mine and I can't be sure it doesn't have a key logger, but it would also be nice to be able to force an account to require 2-factor like Gmail does. Google requires the second factor if you haven't logged in with your account on a computer for the past 30 days.
You can get the equivalent of forcing its use by setting a complex (unguessable) master password and then never using it, bringing the risk of it being compromised down close to zero. Then the only way to access the account will be via the alternate login, and if you only set up a single OTP login (of any kind), then OTP will be required. This is the security model we've used since we first had alternate logins.

Quote:
This shouldn't be called two-factor authentication since we can't force it to require the second factor. The main password will still give full access. Controls in business accounts to manage / reset two-factor for users' accounts would be great.
Good idea. I'll raise a ticket for it. No commitment to implement it, of course!

Quote:
Originally Posted by B4its2L8 View Post
From what little I understand of such things, the Yubikey option is more in line with the true (and 'forced') 2FA à la Gmail.
The Yubikey and Google Authenticator mechanisms are identical (they even share code). The only difference is the way the second factor works. Yubikey is a specific, physical object, while Google Authenticator is a software component for a mobile or other device that only you have access to. They're both "true" two-factor authentication.
robn is offline   Reply With Quote