2-factor authentication (2FA) increases the security of your account by requiring something you have to be paired with something you know in order to log in to your account. We support 2FA with either OATH TOTP (Google Authenticator) or a YubiKey.
There are several good (and free) OATH TOTP apps available for most phones. We recommend:
If you have another type of phone, you may still be able to use TOTP. Any app that claims to support the Time-based One-Time Password (TOTP) algorithm from the Initiative for Open Authentication (OATH) as specified in RFC 6238 should work.
Note: Neither the Google Authenticator app nor our server implementation is specific to Google in any way, nor does it ever communicate with Google systems as part of its operation (or with any other systems for that matter). "Google Authenticator" is the name of Google's TOTP app, which has become synonymous with the authentication method itself.
If you wish to use a YubiKey, you can purchase one from the Yubico store.
In the log in box on our home page:
For an even speedier login, you can skip step 2: just leave the cursor at the end of the password field after you've finished typing your password and add your OTP code on the end.
You should create a different "Regular" password on the Alternative logins screen for each device you wish to use. Again, it should be long and random, as there's no need to remember it; it should just be remembered by the device itself. If your device gets lost, stolen or otherwise compromised, you can revoke access for that password from the Alternative logins screen.
In an ideal world, all passwords would be a secret known only to yourself. However, the more a password is used, the more vulnerable it is to being exposed to malicious attackers. They might try to steal it (through phishing or malware/spyware) or guess it (through brute-force or repeated dictionary attacks).
The point of 2FA is that if someone does manage to steal your normal password, they still can't use it to log into your account without the 2nd factor. So it remains safe.
But what about your master password? It doesn't have a 2nd factor, so it's higher risk, right? Yes, but since you don't use your master password day-to-day, it can't be stolen. Ideally it can't be guessed either, because you've made your master password long and truly random (you don't use it often, so you don't need to make it easy to remember). Long and truly random passwords are very difficult to guess: even if an attacker tries many, many different combinations a second, they will be stopped by our rate-limiting before they discover the password.
Now you're using 2FA, your normal high-usage password is safe and secure. Why then do we use a master password at all?
Even with 2FA, the problem remains of what to do if you lose one of your factors: you have to have some form of account recovery. There are a number of options for this, like security questions or backup codes. But these are really just back doors to your account. Backup codes are common: Google uses backup codes, as does WordPress.
We're not particularly keen on this, but realistically people need some way back into their account that can't be social engineered.
So for now, we've left it so that you keep a standard master password on your account. You can make that as long and complex as you want, and you can write it down and file it away for that day your phone/YubiKey is stolen. Because it's not in general use, not normally entered into any keyboard, and not stored in any software, it's extremely unlikely to be stolen.
Having said all that, we are working on a true 2FA system with proper recovery, but it's hard to get right, because we want to make sure that any recovery mechanism requires 2 factors as well, but is still easy for the true account holder to verify themselves.
When you set up your TOTP alternative login, FastMail creates a secret code based on your username, the current time and some other random data. You import this into Google Authenticator (or other TOTP app) using the provided QR code or by entering the code manually.
Every thirty seconds, your app combines this secret key with the current time to produce a six-digit number. When you enter this number into the password field to log in, FastMail uses the secret code and its own concept of the current time to produce its own six-digit number. If your number matches ours (and the base password also matches), your login is successful.
This requires that your app and our servers have their clocks in sync. Because our servers synchronise times from the same global source that most mobile network operators use to set the time on mobile devices, it's quite rare for clocks to fall significantly out of sync. We have taken some measures to adjust for small differences in time between your authenticator app and our servers, so in practice the OTP code generated will be valid for about 90 seconds.
A YubiKey is a small USB device that generates single-use passwords. It doesn't need any client software: you just plug it into a USB port and it acts like a USB keyboard. It has one button which, when pressed, generates a new one-time 44-character password. It works like this:
It generates the one-time code by:
The internal values that are joined and encrypted include:
At FastMail, we get the 44-character code. We check that the first 12 characters correspond to the YubiKey you've registered with your account, then we send the code on to the Yubico servers. Since they have the shared private key, they can decrypt the values and check that they are valid (e.g. the counters are all higher than their previous values, the checksum is valid, etc.).
Yes, absolutely! Whilst secure and very flexible, our alternative logins system was created a long time ago and is quite convoluted. We intend to replace it with a much easier, and more usual, 2FA setup later this year.