Two-factor authentication (2FA) increases the security of your account by requiring something you have (a phone or a hardware token) to be paired with something you know (your password) in order to log in. We support 2FA with either OATH TOTP (the method used by Google Authenticator) or a YubiKey.
There are several good (and free) OATH TOTP apps available for most phones. We recommend:
If you have another type of phone, you may still be able to use TOTP. Any app that implements the Time-based One-Time Password (TOTP) algorithm from the Initiative for Open Authentication (OATH), as specified in RFC 6238, should work.
Note: Neither the Google Authenticator app nor our server implementation is specific to Google in any way, and neither communicates with Google systems (or with any other systems, for that matter) as part of its operation. "Google Authenticator" is simply the name of Google's TOTP app, which has become synonymous with the authentication method itself.
If you wish to use a YubiKey, you can purchase one from the Yubico store.
In the log in box on our home page:
For an even faster login, you can skip step 2: after typing your password, leave the cursor at the end of the password field and type your six-digit OTP code straight after it.
You should create a different "Regular" password on the Alternative logins screen for each device you wish to use. Again, it should be long and random: there's no need for you to remember it, since the device itself stores it. If your device gets lost, stolen or otherwise compromised, you can revoke access for that password from the Alternative logins screen.
Provided your master password is sufficiently long and truly random (and since you don't need to remember it, there's no reason it can't be), nobody will be able to guess it in any practical amount of time, even at many attempts per second; in any case, our rate limiting would stop such an attack long before it got anywhere.
The whole point of 2FA is that if someone steals your normal password through phishing or malware, they still can't use it to log in to your account without the second factor. Since you never type the master password day-to-day, it is far less exposed to those same attacks. Most sites generate "backup codes" for you automatically so you can recover from a lost second factor; at FastMail, the master password plays that role.
When you set up a TOTP alternative login, FastMail generates a secret key (derived from your username, the current time and some random data). You import this key into Google Authenticator (or another TOTP app) by scanning the QR code we show, or by typing the key in manually.
Every thirty seconds, your app combines this secret key with the current time to produce a six-digit number (an HMAC of the secret and the current 30-second interval, truncated to six digits). When you enter this number to log in, FastMail uses the same secret key and its own clock to compute its own six-digit number. If your number matches ours (and the base password also matches), your login succeeds.
This requires that your app and our servers have their clocks roughly in sync. Because our servers synchronise their time from the same global source that most mobile network operators use to set the time on mobile devices, it's rare for the clocks to drift significantly. We also allow for small differences between your authenticator app's clock and ours, so in practice a given OTP code is accepted for about 90 seconds: the 30-second interval it was generated in, plus one interval either side.
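The TOTP exchange described above, as an added example that is not FastMail's code: a minimal RFC 6238 implementation in Go covering both the app side and the server side. It assumes the standard parameters (HMAC-SHA1, six digits, 30-second steps) and a tolerance of one step either side, which gives the roughly 90-second acceptance window mentioned above. The secret is the RFC 6238 test key, base32-encoded the way an app would display it; `splitPasswordOTP` models the shortcut of typing the code straight after the password. All function names are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
	"time"
)

const (
	totpStep   = 30 // seconds per code, the RFC 6238 default used by Google Authenticator
	totpDigits = 6
	totpSkew   = 1 // also accept one step either side: three 30 s steps is the ~90 s window
)

// decodeSecret parses the base32 key shown next to the QR code (spaces, case and padding are ignored).
func decodeSecret(s string) ([]byte, error) {
	s = strings.TrimRight(strings.ToUpper(strings.ReplaceAll(s, " ", "")), "=")
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// hotp is the RFC 4226 code for one counter value: HMAC-SHA1, dynamic truncation, six digits.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// totp is RFC 6238: HOTP with the counter set to the number of 30-second steps since the epoch.
func totp(secret []byte, unix int64) string {
	return hotp(secret, uint64(unix/totpStep))
}

// splitPasswordOTP handles the single-field shortcut: the last six characters are the OTP and
// everything before them is the base password.
func splitPasswordOTP(field string) (password, code string, err error) {
	if len(field) <= totpDigits {
		return "", "", errors.New("field too short for a password plus a 6-digit code")
	}
	password, code = field[:len(field)-totpDigits], field[len(field)-totpDigits:]
	for i := 0; i < len(code); i++ {
		if code[i] < '0' || code[i] > '9' {
			return "", "", errors.New("the last six characters must be the digits of the OTP")
		}
	}
	return password, code, nil
}

// verifyTOTP is the server side: recompute the code for the current step and one step either
// side to tolerate clock drift, comparing in constant time so timing reveals nothing.
func verifyTOTP(secret []byte, code string, now int64) bool {
	step := now / totpStep
	for d := int64(-totpSkew); d <= totpSkew; d++ {
		if hmac.Equal([]byte(hotp(secret, uint64(step+d))), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed key: the RFC 6238 test secret "12345678901234567890", base32-encoded as an app shows it.
	secret, err := decodeSecret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
	if err != nil {
		panic(err)
	}
	now := time.Now().Unix()
	password, code, _ := splitPasswordOTP("my-long-random-password" + totp(secret, now))
	fmt.Printf("password=%q code=%s accepted=%v\n", password, code, verifyTOTP(secret, code, now))
}
```

A production verifier would additionally remember the step of the last accepted code for each user and refuse it a second time, so that a code captured within the 90-second window cannot be replayed, and would rate-limit attempts, since a six-digit code offers only a million possibilities.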
A YubiKey is a small USB device that generates single-use passwords. It needs no client software: plug it into a USB port and it presents itself as a USB keyboard. It has a single button; pressing it types a new one-time 44-character password. It works like this:
It generates the one-time code by:
The internal values that are joined and encrypted include:
At FastMail, we receive the 44-character code. We check that the first 12 characters (the key's public identity) correspond to the YubiKey you've registered with your account, then we forward the code to the Yubico validation servers. Since they hold the secret key shared with your YubiKey (a symmetric AES key, not a private key in the public-key sense), they can decrypt the remaining 32 characters and check that the contents are valid (e.g. that the counters are all higher than their previous values, that the checksum is correct, and so on). An OTP that fails any of these checks is rejected, and because the counters only ever increase, a captured OTP cannot be replayed later.
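The YubiKey flow described above, as an added example that is neither FastMail's nor Yubico's code: a Go model of both the key and the validator. It assumes the publicly documented Yubico OTP layout (a 12-character modhex public ID followed by a 16-byte AES-128-encrypted token holding a 6-byte private ID, a 16-bit use counter, a 24-bit timestamp, an 8-bit session counter, two random bytes and a CRC-16) and uses constructed key material; all names are the example's own.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

const modhexAlphabet = "cbdefghijklnrtuv" // "modhex": letters that type identically on every keyboard layout

func modhexEncode(b []byte) string {
	var sb strings.Builder
	for _, x := range b {
		sb.WriteByte(modhexAlphabet[x>>4])
		sb.WriteByte(modhexAlphabet[x&0x0f])
	}
	return sb.String()
}

func modhexDecode(s string) ([]byte, error) {
	out := make([]byte, len(s)/2)
	for i := range out {
		hi, lo := strings.IndexByte(modhexAlphabet, s[2*i]), strings.IndexByte(modhexAlphabet, s[2*i+1])
		if hi < 0 || lo < 0 {
			return nil, errors.New("modhex: invalid character")
		}
		out[i] = byte(hi<<4 | lo)
	}
	return out, nil
}

// crc16 is Yubico's CRC-16 (poly 0x8408, init 0xffff, no final XOR); a token ending in the complemented
// CRC of its first 14 bytes always checks to the residue 0xf0b8.
func crc16(b []byte) uint16 {
	crc := uint16(0xffff)
	for _, x := range b {
		crc ^= uint16(x)
		for i := 0; i < 8; i++ {
			crc = crc>>1 ^ 0x8408*(crc&1) // shift right, XORing in the polynomial when the low bit was set
		}
	}
	return crc
}

// Key is one registered YubiKey: FastMail stores only PublicID; the rest is what Yubico's validators hold.
type Key struct {
	PublicID    string // the first 12 modhex characters of every OTP, sent in the clear
	AESKey      [16]byte
	PrivateID   [6]byte
	LastUse     uint16 // highest counters accepted so far; the key's own counters only ever increase
	LastSession uint8
}

// Press simulates one button press: build the 16-byte token, append the CRC, AES-encrypt, emit 44 chars.
func (k *Key) Press(use uint16, session uint8, timestamp uint32, random uint16) string {
	var p [16]byte
	copy(p[0:6], k.PrivateID[:])
	binary.LittleEndian.PutUint16(p[6:8], use)
	p[8], p[9], p[10] = byte(timestamp), byte(timestamp>>8), byte(timestamp>>16) // 24-bit timestamp
	p[11] = session
	binary.LittleEndian.PutUint16(p[12:14], random)
	binary.LittleEndian.PutUint16(p[14:16], ^crc16(p[:14]))
	block, _ := aes.NewCipher(k.AESKey[:]) // cannot fail for a 16-byte key
	block.Encrypt(p[:], p[:])              // one AES block, encrypted in place
	return k.PublicID + modhexEncode(p[:])
}

// Validate runs the FastMail-side check (public ID matches the registered key), then what the page
// attributes to Yubico: decrypt, verify the checksum, and require counters strictly above the last accepted.
func (k *Key) Validate(otp string) error {
	if len(otp) != 44 || otp[:12] != k.PublicID {
		return errors.New("not a 44-character OTP from the key registered on this account")
	}
	c, err := modhexDecode(otp[12:])
	if err != nil {
		return err
	}
	block, _ := aes.NewCipher(k.AESKey[:])
	block.Decrypt(c, c) // c now holds the plaintext token
	if crc16(c) != 0xf0b8 {
		return errors.New("bad checksum: wrong AES key or tampered OTP")
	}
	use, session := binary.LittleEndian.Uint16(c[6:8])&0x7fff, c[11] // top bit of the use counter is a flag
	if use < k.LastUse || (use == k.LastUse && session <= k.LastSession) {
		return errors.New("replay: counters not higher than the last accepted OTP")
	}
	k.LastUse, k.LastSession = use, session
	return nil
}

func main() {
	k := &Key{PublicID: "ccccccbcgujh", PrivateID: [6]byte{'y', 'u', 'b', 'i', 'c', 'o'}} // constructed demo key
	copy(k.AESKey[:], "0123456789abcdef") // constructed, not a real key
	otp := k.Press(1, 1, 0x1234, 0xbeef)
	fmt.Println(otp, k.Validate(otp), k.Validate(otp)) // the second Validate reports a replay
}
```

Two points worth noticing: the public-ID check runs before any decryption, so an OTP from somebody else's key is rejected without a round trip to Yubico, and the checksum check is what distinguishes "decrypted with the right key" from garbage, so a modified OTP fails there before the counters are even looked at. Yubico's real validators also compare the private ID inside the decrypted token against the one registered for that public ID; that check is left out here for brevity.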
Yes, absolutely! Whilst secure and very flexible, our alternative logins system was created a long time ago and is quite convoluted. We intend to replace it with a much simpler and more conventional 2FA setup later this year.