Two-step verification increases the security of your account by requiring something you have (a code generated by an app or a device) in addition to something you know (your password) in order to log in. We support two-step verification with an app on your phone, a dedicated security device that plugs into your computer, or a code sent by SMS.
You might have heard of two-step verification being called "two-factor authentication" or 2FA.
You can have multiple two-step verification devices on your account. If you're using the FastMail app on iOS/Android, you must configure an authenticator app, as you can't plug a security device into your phone or tablet.
Learn more about the difference between U2F and YubiKey OTP.
There are several good (and free) apps available for most phones. We recommend:
If you have another type of phone, you may still be able to use TOTP: any app that implements Time-based One-Time Password (TOTP) from the Initiative for Open Authentication (OATH), as specified in RFC 6238, should work.
Note: Neither the Google Authenticator app nor our server implementation is specific to Google in any way, and neither communicates with Google systems (or with any other systems) as part of its operation; the code is computed locally from the shared secret and the current time. "Google Authenticator" is simply the name of Google's TOTP app, which has become synonymous with the authentication method itself.
We have tested with a variety of different security keys, and any key that supports "U2F" should work. However our recommendation is to purchase a YubiKey, as in our experience these have the best build quality, a slim profile and are very reliable; you can purchase one from the Yubico store or via Amazon.
Note for users of our old "classic" interface: To configure the new security features you will need to log in to our normal interface. Only authenticator apps and Yubico OTP are supported with the classic interface; you cannot use SMS or U2F to log in.
Open the Settings → Password & Security screen and scroll down to Two-Step Verification.
Before you can enable two-step verification, you must add a recovery phone to your account. This prevents you from being locked out should you ever lose access to your main verification device: a code is sent to your phone instead to complete the second step when you log in.
We also strongly recommend making a note of your recovery code. If you forget your password or lose your security device(s), you can use the recovery code to reset your password and restore access to your account. Write it down or print it out and keep it somewhere safe.
Now you're ready to configure two-step verification. Click Add Verification Device and select which kind of verification device you're adding to your account.
Start by navigating to our login page, then:
If you're using an authenticator app on a phone or through the website, and you use 1Password to manage your passwords, we have detailed instructions on using them together. (FastMail iOS/Android apps, FastMail web client).
If you'd like to revoke a computer's trusted status, you can also do that on the Password & Security screen: the next time you log in on that device, you will need to re-authenticate using your 2FA.
Mail and calendar programs on your computer, and phone/tablet apps other than the FastMail apps, don't support two-step verification.
You'll need to set up an app password for each such device instead.
In an ideal world, every password would be a secret known only to you. However, the more a password is used, the more exposed it is to attackers: they might try to steal it (through phishing or malware/spyware) or guess it (through brute-force or dictionary attacks).
The point of two-step verification is that if someone does manage to steal your password, they still can't use it to log in to your account without your verification device, so the account remains protected.