Secure your account with two-step verification (2FA)

Two-step verification increases the security of your account by requiring something you have (a generated code from an app or a device), to be paired with something you know (your password), in order to log in to your account. We support two-step verification with either an app on your phone, a dedicated security device that plugs into your computer, or a code sent by SMS.

You might have heard of two-step verification being called "two-factor authentication" or 2FA.

It is not required to be set up on your account, but it is recommended if you'd like the peace of mind that comes with the additional security.

Which one is right for me?

• Authenticator app
  • Free: install an app on your phone which generates codes for you.
  • The code needs to be manually typed when logging in.
  • Must be used if you're using the FastMail app on iOS/Android, as you can't plug in a security device.
  • Good if you're new to two-step verification.
• Security device: U2F
  • The most secure option.
  • Requires a hardware device. Only works on Google Chrome and Firefox 58 browsers, but more to come. Keep in mind that U2F is not enabled in Firefox by default. To enable it, go to about:config in the address bar, find security.webauth.u2f in the list, and double click it to change the option to True.
  • No manual entry required.
  • Good if you want the best security and you're only using Chrome.
• Security device: YubiKey OTP
  • Requires a hardware device.
  • No manual entry required.
  • Good if you need multi-browser support and more security than an authenticator app.
• Security device: OTP
  • Requires a hardware device.
  • The code needs to be manually typed when logging in.
  • No phone or USB port required.
  • Good if you can't use a phone-based authenticator and can't plug a device into the computer.
• SMS code
  • Free: Get a code sent to your phone.
  • The code needs to be manually typed when logging in.
  • A backup mechanism to be used in case you lose your security device. You must set up a security device or authenticator app to enable two-step verification.

You can have more than one two-step verification devices on your account. If you're using the FastMail app on iOS/Android, you must configure an authenticator app as you can't plug in a security device to your phone or tablet.

Learn more about the difference between U2F and YubiKey OTP.

Authenticator apps

Not sure which authenticator app to use? We recommend:

• iPhone: Google Authenticator, Authy or Duo Mobile
• Android: Google Authenticator, Authy or Duo Mobile
• Windows Phone: Authenticator
• Blackberry: Google Authenticator

If you have a different phone, you may still be able to use TOTP. Any app supporting Time-based One-Time Password (TOTP) from the Initiative for Open Authentication (OATH) as specified in RFC 6238 should work.

Note: Neither the Google Authenticator app nor our server implementation is specific to Google in any way, nor does it ever communicate with Google systems as part of its operation (or with any other system for that matter). "Google Authenticator" is the name of Google's TOTP app, which has become synonymous with the authentication method itself.

U2F and YubiKey OTP security keys

We have tested with a variety of different security keys, and any key that supports "U2F" should work. We do recommend YubiKey, as in our experience these have the best build quality, a slim profile and are reliable; you can buy one from the Yubico store or via Amazon.

OTP devices

Many manufacturers are now selling standalone OTP devices, often in a credit card or key fob form-factor. We've tested with Feitian c200 devices but any device implementing the TOTP standard should work. We support devices with HEX or BASE32-encoded keys with a 30 or 60-second time step. If your particular device doesn't work, please let us know the make and model of the device and we'll look into adding support for it.

Under the hood, these devices use the same mechanism (TOTP) as "Authenticator Apps" described above, so when adding them, use the "Authenticator App" option.

How to set up two-step verification

Open the Settings → Password & Security screen and scroll down to Two-Step Verification.

Before you can enable two-step verification, you must add a recovery phone to your account. This is to prevent you from being locked out of your account should you ever lose access to your main verification device. You get a code sent to your phone instead to complete your second step when you log in.

We also strongly recommend making a note of your recovery code. If you forget your password or lose your security device(s), you can use the recovery code to reset your password and restore access to your account. Write it down or print it out and keep it somewhere safe.

Now you're ready to configure two-step verification. Click Add Verification Device and select which kind of verification device you're adding to your account.

Authenticator app

1. Once you've installed the authenticator app on your phone or tablet, select to add a new account.
2. Use your device's camera to scan the QR code on the screen. (Or manually type in the key on the screen into the authenticator app.). If you're setting up an OTP device, select "Set a custom key" and enter the key that came with your device.
3. Enter the 6-digit code the app gives you into the FastMail web interface.
4. Name this device so you can keep track of your verification devices and remove them if needed in the future.

U2F or YubiKey OTP

1. Insert the device into the USB port on your computer.
2. Touch the button on the device once it lights up.
3. Name this device so you can keep track of your verification devices and remove them if needed in the future.

How to log in with two-step verification

Start by navigating to our login page, then:

1. Enter your username and your password. Click Log In.
2. Enter the current verification code from your authenticator app or OTP device, or plug in your security key and touch the button if it has one. If you have more than one two-step method on your account, you can switch method using the links under the login box.
3. You can also declare this computer as trusted which means you don't need to use two-step verification again when logging in on that computer.

If you're using an authenticator app on a phone or through the website, and you use 1Password to manage your passwords, we have detailed instructions on using them together. (FastMail iOS/Android apps, FastMail web client).

If you'd like to revoke a computer's trusted status, you can also do that on the Password & Security screen: the next time you log in on that device, you will need to re-authenticate using your 2FA.

How to set up a client when using two-step verification

Mail and calendaring computer programs and phone/tablet apps don't support two-step verification, other than the FastMail apps.

You'll need to set up app passwords for each device instead.

---

Why should I use two-step verification?

In an ideal world, all passwords would be a secret, known only to yourself. But the more a password is used, the more exposed it becomes to malicious attackers. They might try to steal it (through phishing or malware/spyware), or guess it (through brute force repeated dictionary attacks).

The point of two-step verification is that if someone does manage to steal your password, they still can't use it to log into your account without your verification device. Your two-step verificaion keeps your password safe.

How do authenticator apps and security keys work?

Interested in what's happening under the hood to keep you safe? Learn more about how TOTP works, how U2F works, or how YubiKey OTP works.

Why do I have to add a recovery phone number to set up two-step verification?

Keeping your account safe from attackers is very important. But so too is making sure you don't get locked out of your own account. We are aware that SMS is not the most secure of methods for 2FA, and has been deprecated by NIST. However, for the majority of users, the risk of losing their two-step verification device is far greater than the risk of someone hacking their SMS. If you lose your phone, the TOTP key is lost but normally you can get a new SIM card with the same number from your carrier. We therefore believe requiring a phone as a backup option strikes the best balance of confidentiality (no one else can read your data) and availability (you can read your data) for the majority of our users.

Please note, if two-step verification is enabled, access to the phone number itself is not sufficient to gain access to an account: you still need two factors (your password AND the SMS).

Advanced users that understand the risk may remove the phone number from their account once two-step verification is enabled. Once the recovery phone is removed from the account, SMS is no longer an option as the second factor for login. If you choose to do this, we strongly recommend you write down or print your recovery code and store it in a safe location, and that you set up at least two security keys or authenticator devices. Should you lose access to all two-step verification devices and not have your recovery code, you may be permanently locked out of your own account.