EmailDiscussions.com  

Old 28 Jul 2016, 01:12 AM   #211
akorvemaker
Cornerstone of the Community
 
Join Date: Nov 2002
Location: Canada
Posts: 997
Quote:
Originally Posted by wam View Post
After choosing 2FA yesterday, everything was working fine. Since few hours email sending stopped working from 3rd party clients.

Tested on iPhone 6, Mail for Mac

I get same message "Cannot send, username or password is incorrect".
Since the clients don't support 2FA, you'll need to go into the Password settings and set up App Passwords for each of them.
akorvemaker is offline   Reply With Quote
Old 28 Jul 2016, 01:43 AM   #212
wam
Senior Member
 
Join Date: May 2007
Location: Pakistan
Posts: 192
Quote:
Originally Posted by akorvemaker View Post
Since the clients don't support 2FA, you'll need to go into the Password settings and set up App Passwords for each of them.
It was working fine yesterday after enabling 2FA and providing App Password to the client.

SOLUTION;
I removed 'App Password' for iPhone, from Settings; deleted the Fastmail account on iPhone and recreated it, with a new App Password.

Everything working normal; only change I had to make was, a "Notes" folder was created under Inbox which I deleted from Fastmail email on web page in settings, under folders. Notes are also being synchronised with fastmail account.

Everything normal again, including Contacts, Calendar and Notes.

I will repeat same process for Mail app for Mac and see if it works. I had changed Password for Mail, using App password and it was working fine yesterday. This also stopped working today.
wam is offline   Reply With Quote
Old 28 Jul 2016, 07:21 AM   #213
placebo
Cornerstone of the Community
 
Join Date: Jun 2004
Posts: 675
Quote:
Originally Posted by wam View Post
It was working fine yesterday after enabling 2FA and providing App Password to the client.

SOLUTION;
I removed 'App Password' for iPhone, from Settings; deleted the Fastmail account on iPhone and recreated it, with a new App Password.
I think you may have simply forgotten to update the password in the SMTP settings the first time around.
placebo is offline   Reply With Quote
Old 28 Jul 2016, 03:57 PM   #214
wam
Senior Member
 
Join Date: May 2007
Location: Pakistan
Posts: 192
Quote:
Originally Posted by placebo View Post
I think you may have simply forgotten to update the password in the SMTP settings the first time around.
Maybe I forgot, not sure; you have put me in doubt.
wam is offline   Reply With Quote
Old 31 Jul 2016, 06:24 AM   #215
hadaso
The "e" in e-mail
 
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 4,507
How about reenabling the printed list of OTPs as another method of 2FA?

I have been away from the forums for almost 4 years (the welcome message reads: You last visited: 10 Dec 2012 at 11:24 PM).
I'm really happy to see so many names I know still active! Hi everyone!

Anyway, I spent a lot of time reading about the changes in how to login, in the blog and places linked to from the blog, and in the FastMail help documents, and this whole thread. I'm quite convinced that eventually this means better security for my email, but right now I'm quite overwhelmed.

One thing I don't understand: RobN said:
Quote:
Originally Posted by robn View Post
For the types that are serviceable through the new login system, yes. That's SMS, TOTP, YubiKey OTP and regular password. The other types have no mapping in the new system so aren't supported. ...
I don't see why OTP is not serviceable through the new system. It can be serviceable with some change to how it's done: it can be implemented as a form of 2FA: the printed list of OTPs is "a thing I have". And in some situations it's more secure than TOTP, since the OTP becomes invalid upon use and not 60 seconds later.

What I'd like to see is that in addition to SMS, TOTP, U2F and YubiKey OTP, the "Set up Two-Step Verification" section would have an additional option of "Print list of OTPs". Then this would be used just like the TOTP option (after the username and master password are entered, a prompt for an additional unused password from the list, or 3 fields in the login screen, for username, main password and OTP in the classic login page).

This shouldn't be too difficult to implement.
hadaso is offline   Reply With Quote
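
The printed-list second factor proposed in the post above, as an added sketch (not part of the original post and not FastMail's code): each code is accepted at most once, and only after the master password has been accepted. The class and function names, the lockout threshold and the salted-digest storage are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"  # no 0/O/1/I/L: easier to read off paper
MAX_FAILURES = 5  # assumed lockout threshold, not a FastMail setting


class PrintedOtpList:
    """Single-use second-factor codes; only salted digests are kept server-side."""

    def __init__(self):
        self.salt = secrets.token_bytes(16)
        self.unused = set()
        self.failures = 0

    def _digest(self, code):
        # Ignore dashes, spaces and case so a hand-typed code still matches.
        normalised = "".join(ch for ch in code.upper() if ch.isalnum())
        return hashlib.pbkdf2_hmac("sha256", normalised.encode(), self.salt, 20_000)

    def issue(self, count=10, length=10):
        """Replace the list; return the plaintext codes once, for printing."""
        codes = ["".join(secrets.choice(ALPHABET) for _ in range(length))
                 for _ in range(count)]
        self.unused = {self._digest(c) for c in codes}
        self.failures = 0
        return [c[:5] + "-" + c[5:] for c in codes]

    def verify(self, code):
        """True at most once per code: a match is consumed immediately."""
        if self.failures >= MAX_FAILURES:
            return False  # locked until a new list is issued
        candidate = self._digest(code)
        match = None
        for stored in self.unused:  # check every entry, no early exit
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            self.failures += 1
            return False
        self.unused.discard(match)
        self.failures = 0
        return True


def second_step(password_ok, otp_list, code):
    """The code is only consulted after the master password has been accepted."""
    return bool(password_ok) and otp_list.verify(code)
```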
Old 31 Jul 2016, 06:41 AM   #216
Berenburger
The "e" in e-mail
 
Join Date: Sep 2004
Location: The Netherlands
Posts: 2,258
Quote:
Originally Posted by hadaso View Post
I have been away from the forums for almost 4 years (the welcome message reads: You last visited: 10 Dec 2012 at 11:24 PM).
I'm really happy to see so many names I know still active! Hi everyone!
Wow, 4 years! We/I missed you. I had hoped that nothing serious had happened. Welcome back.
Berenburger is offline   Reply With Quote
Old 31 Jul 2016, 07:03 AM   #217
hadaso
The "e" in e-mail
 
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 4,507
Is 2FA (when enabled) required to change the master password?

Quote:
Originally Posted by robn View Post
To make changes on the password & security screen, you have to enter your master password even if you're already logged in. That hasn't changed.
If 2FA is enabled, does the password & security screen require a 2nd factor?

I ask, because if someone is intercepting the communication when I login, then they can get the password, and then if the second factor is not required again then they can presumably change the master password and lock me out.

Why am I asking? Because I know that all my web traffic from my work computer is constantly under MITM attack by this company or the products/services they supply to my employer. The way it works is that when I connect using https the certificate is from proxy.employersdomain.tld. They decrypt all traffic that goes in and out (and presumably reencrypt it). So up till now I used a restricted login so that anyone who intercepts it cannot kidnap the account. Now that I need to provide the master password I need to know that an attacker cannot use it to change security settings.
hadaso is offline   Reply With Quote
Old 31 Jul 2016, 07:06 AM   #218
hadaso
The "e" in e-mail
 
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 4,507
Quote:
Originally Posted by Berenburger View Post
Wow, 4 years! We/I missed you. I had hoped that nothing serious had happened. Welcome back.
No I just got a life!
Mainly I've been concentrating more on work than on discussing how email can be used to do it...
hadaso is offline   Reply With Quote
Old 31 Jul 2016, 07:49 AM   #219
NumberSix
Cornerstone of the Community
 
Join Date: Jan 2003
Location: The Village
Posts: 548
Quote:
Originally Posted by hadaso View Post
I ask, because if someone is intercepting the communication when I login, then they can get the password, and then if the second factor is not required again then they can presumably change the master password and lock me out.
Welcome back. This is a good question - one that had not occurred to me. I have my own concerns about the new security system, but will look forward to someone's authoritative response to this!
NumberSix is offline   Reply With Quote
Old 31 Jul 2016, 07:57 AM   #220
JamesHenderson
Essential Contributor
 
Join Date: Jan 2003
Location: Oxford, England
Posts: 405
Quote:
Originally Posted by hadaso View Post
If 2FA is enabled, does the password & security screen require a 2nd factor?

I ask, because if someone is intercepting the communication when I login, then they can get the password, and then if the second factor is not required again then they can presumably change the master password and lock me out.

Why am I asking? Because I know that all my web traffic from my work computer is constantly under MITM attack by this company or the products/services they supply to my employer. The way it works is that when I connect using https the certificate is from proxy.employersdomain.tld. They decrypt all traffic that goes in and out (and presumably reencrypt it). So up till now I used a restricted login so that anyone who intercepts it cannot kidnap the account. Now that I need to provide the master password I need to know that an attacker cannot use it to change security settings.
I believe it does not. But unless the "bad guy" is using your session, they would still need the second factor to logon first before getting to the security screen. Assuming you never check the "trust this computer" button (can't remember the exact words, but I mean the check box that means you don't have to use the second factor on that computer again), you'd be good.
JamesHenderson is offline   Reply With Quote
Old 31 Jul 2016, 08:43 AM   #221
hadaso
The "e" in e-mail
 
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 4,507
Quote:
Originally Posted by JamesHenderson View Post
I believe it does not. But unless the "bad guy" is using your session, they would still need the second factor to logon first before getting to the security screen. ...,
I assume the "bad guy" is already controlling my session. The way it works on my office computer, I don't really have my session. The proxy has my session: I communicate with the proxy, and the proxy communicates with Fastmail, so it owns the session. Now I really shouldn't call whoever runs the proxy server at work "bad guy" (the IT people are actually quite good) but the solution they use might have these two issues that can let a bad guy in.
hadaso is offline   Reply With Quote
Old 31 Jul 2016, 08:48 AM   #222
JamesHenderson
Essential Contributor
 
Join Date: Jan 2003
Location: Oxford, England
Posts: 405
Quote:
Originally Posted by hadaso View Post
I assume the "bad guy" is already controlling my session. The way it works on my office computer, I don't really have my session. The proxy has my session: I communicate with the proxy, and the proxy communicates with Fastmail, so it owns the session. Now I really shouldn't call whoever runs the proxy server at work "bad guy" (the IT people are actually quite good) but the solution they use might have these two issues that can let a bad guy in.
...can you use a client that requires one of the new app passwords (which you cannot use to logon to the web interface and hence keep your settings secure)?
JamesHenderson is offline   Reply With Quote
Old 31 Jul 2016, 09:11 AM   #223
DumbGuy
Senior Member
 
Join Date: Oct 2008
Posts: 157
Quote:
Originally Posted by JamesHenderson View Post
...can you use a client that requires one of the new app passwords (which you cannot use to logon to the web interface and hence keep your settings secure)?
It would be great if FM created a type of app password that works for web login, and of course not work for sensitive areas of the website like the security screens.
DumbGuy is offline   Reply With Quote
Old 31 Jul 2016, 11:03 AM   #224
easemail
Member
 
Join Date: Nov 2010
Posts: 50
Great point DG... this reminds me of another pet peeve:

When I go to the security screen it shows me all the ways to do account recovery. If I step away from my computer and somebody navigates to that page, they now know various attack vectors to get my account.

Why not just let account recovery information just be shown AFTER you enter a master password on that screen?

(Heya hadaso... I too find it cool to see so many old faces here. Just wish it was under better circumstances.)
easemail is offline   Reply With Quote
Old 31 Jul 2016, 04:43 PM   #225
FredOnline
Master of the @
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 1,931
Quote:
Originally Posted by DumbGuy View Post
It would be great if FM created a type of app password that works for web login, and of course not work for sensitive areas of the website like the security screens.
Like an Alternative Login?

https://www.fastmail.com/help/accoun...tyupgrade.html

Quote:

Alternative logins will be removed on August 31st, 2016: you have just the one password to remember.
FredOnline is offline   Reply With Quote
All times are GMT +9.

Copyright EmailDiscussions.com 1998-2013. All Rights Reserved.