FastMail allows you to log in to your account using alternative login methods in addition to your "master password". The five main alternatives are:
Additionally, you can grant an alternative login either full access or only restricted access. With restricted access, you can only log in to the web interface or FTP, not use IMAP/SMTP etc. You also can't permanently delete anything and you have no access to settings. Restricted access shouldn't be considered a complete security solution. It's a best-effort feature, and we don't audit it regularly as new features are added or modified.
Regardless of the access restrictions, you still require your master password to access the Settings → Password & Security → Alternative Logins screen, change your master password, or change your backup email address.
You can revoke access for any alternate logins you create by clicking the Del link for that login on the Alternate Logins screen.
Note: The Settings → Password & Security → Alternative Logins screen will not appear when you log in to your account using an alternative login. You can only gain access when you are logged in with your master password.
When you create a one-time password set, a page with 100 randomly generated passwords is presented for printing. You must print it before leaving the page, because it's not cached and you can't view the passwords again. You can use these passwords in any order, but each one can only be used once.
If you provide an optional "Base Password" then it must be prefixed to each one-time password as you log in. For example:
Also, if you have a Base Password, you can enter it by itself to find out the number of the lowest unused one-time password from the set (handy if you haven't been crossing them out).
You can only use one-time passwords for web and FTP access (not DAV, as it requires the same password be used multiple times).
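The one-time password rules above (any order, single use, optional Base Password prefix, Base Password alone reporting the lowest unused number) can be modelled on the server side as follows. This is an added example, not FastMail's implementation; the class and function names, the PBKDF2 storage and the password format are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 20_000  # assumed work factor, chosen for this example only


def _digest(salt: bytes, secret: str) -> bytes:
    """Salted slow hash so printable passwords are never stored."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


class OneTimePasswordSet:
    """Hypothetical server-side record of one printed password set."""

    def __init__(self, salt, base_digest, unused):
        self.salt = salt
        self.base_digest = base_digest  # None when no Base Password is set
        self.unused = unused            # {sheet number: digest}

    def login(self, entered: str):
        """Return ("ok", n), ("lowest_unused", n) or ("denied", None)."""
        d = _digest(self.salt, entered)
        if self.base_digest and hmac.compare_digest(d, self.base_digest):
            # Base Password on its own: report position, grant no session.
            return ("lowest_unused", min(self.unused, default=None))
        for number, stored in list(self.unused.items()):
            if hmac.compare_digest(d, stored):
                del self.unused[number]  # single use: burn it immediately
                return ("ok", number)
        return ("denied", None)


def create_set(base_password: str = "", count: int = 100):
    """Return (record, printable passwords); the list is shown only once."""
    salt = secrets.token_bytes(16)
    printed = [secrets.token_urlsafe(6) for _ in range(count)]
    unused = {n: _digest(salt, base_password + p)
              for n, p in enumerate(printed, start=1)}
    base_digest = _digest(salt, base_password) if base_password else None
    return OneTimePasswordSet(salt, base_digest, unused), printed


if __name__ == "__main__":
    record, sheet = create_set("constructed-base", count=5)
    print(record.login("constructed-base" + sheet[2]))  # third password
    print(record.login("constructed-base" + sheet[2]))  # replay is refused
    print(record.login("constructed-base"))             # lowest unused
```

Because only digests are kept, the printable list cannot be shown again after creation, which matches the "print it before leaving the page" behaviour described above.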
To use SMS Passwords, you must first have a mobile/cell number defined on your default identity, and you must also purchase sufficient SMS credits via the Advanced → Purchase SMS Credits screen.
You are required to enter a Base Password to create an SMS Password set, because you'll need it in order to be sent an SMS. To get a new password SMSed to you, enter your username and the Base Password only. When you get the password SMSed, enter it after the Base Password as in the one-time password system:
You must use an SMSed password within 24 hours or it expires. You can only use SMSed passwords for web and FTP access (not DAV, as it requires the same password be used multiple times).
Regular passwords are just the value that you enter for Base Password. They work for all services if full access is granted (otherwise just web and FTP).
Regular additional passwords are equivalent to your Master Password except that they can't be used to change backup email or passwords.
Rather than being a "single use" password like the first two options, these passwords can be used multiple times, making them suitable for DAV, IMAP or SMTP.
Note: You must set "Full Access" or you will be restricted to FTP and the web interface only, because they are the only services with access control built in.
The first time you log in, a hard expiry time of 1 hour in the future is set — so if you log in once, then log in again 50 minutes later, the last session only has 10 minutes before it times out.
SMSed 1-hour passwords must also be used within 24 hours of being sent (and for implementation reasons, the 24 hours runs until the end of use, so if you use them after 23 1/2 hours you will only get half an hour of use!).
FastMail supports using a YubiKey to log in to your account via the web interface. This can either be used as a one-factor (YubiKey only) or two-factor (YubiKey and password) login method.
Currently we authenticate against the Yubico online web service rather than our own validation server. This means that by default your YubiKey should work "out of the box" with the AES key that was in it when it was shipped.
For more details on YubiKey logins, please refer to our 2-factor authentication help page.
FastMail supports using a Google Authenticator client (or more generally, an OATH TOTP client) to log in to your account via the web interface. For more details, please refer to our 2-factor authentication help page.
If you'd like to fully disable IMAP or POP access to your account, you can do so at the bottom of the alternate logins screen. Note that FastMail will still pull mail from your external accounts via POP account links; it's just that no external clients will be able to access your mail via IMAP and/or POP login.