Copyright © 1999–2016 FastMail Pty Ltd
FastMail security upgrade
FastMail is always looking for ways we can help you keep your account secure. On 25th July 2016, we upgraded how you log in to our system from your devices, whether that's via a browser, a phone, your desktop computer or a tablet.
Unless you are using our "alternative logins" system, there is no immediate change to your account. The features are active, but you can choose a time convenient for you to upgrade your account security.
- All alternative logins were discontinued on August 31st, 2016.
- New, easier to use two-step verification (also known as 2FA).
- If enabled, you must use two-step verification to log in from your web browser, or FastMail mobile app.
- If enabled, you also must use app passwords from your third-party clients.
- Control access to your FastMail account from a non-FastMail client (a mail program on your desktop, or an app on your phone) via an app password.
- App passwords can be locked down to only access the data you choose: calendaring programs no longer get access to your mail or settings.
- App passwords can't be used to login to the web interface or the FastMail mobile app, so they can't be used to alter your account settings.
- Use of app passwords is optional unless you have enabled two-step verification/2FA.
- New server names to support the new functionality.
- Lost your password, or you think your account has been compromised? Our new account recovery tool (coming soon!) makes it easier to regain access to your account.
How do I use the new security features?
You do not need to upgrade straight away. All existing logins will continue to work for some time, but we will gradually migrate users to the new system as we encourage the use of the new security for everyone.
All new security features can be viewed and configured on the Password & Security screen. You will need to type in your password at the top and unlock the screen to make any changes.
We strongly encourage you to set up two-step verification, for logging in over web browser or through the FastMail mobile app. You can have multiple devices configured, whether it's an app on your phone or a dedicated security key.
Even if you don't usually use the web interface, attackers do. Configure 2FA to stop them from gaining access.
Note for users of our old "classic" interface: To configure the new security features you will need to log in to our normal interface. Only TOTP and Yubico OTP are supported with the classic interface; you cannot use SMS or U2F to log in.
If you use any non-FastMail clients to access your FastMail account, you can upgrade your security by reconfiguring them with an app password. We have detailed guides on how to set up your client. Please be aware we have new server names to support the new features.
We recommend deleting your current account in your client, and then creating it again following the instructions. This will result in your client downloading your messages again, so it is best done over wifi, not mobile data.
The FastMail mobile app does not need an app password: it works with your two-step verification settings.
Add your mobile phone number(s) and backup email address to the recovery options on the Password & Security screen. If you get locked out, we can use this to help verify your identity and restore access to your account.
As always, we take your privacy very seriously and will only ever use these details to keep your account secure. We never share them with anyone else.
Please regularly review these recovery accounts to make sure they're still current.
Summary of new server names
|Service||Old server||New server|
|Incoming mail||mail.messagingengine.com||imap.fastmail.com |
(note no path prefix)
|Contacts access (CardDAV)||carddav.messagingengine.com||carddav.fastmail.com|
|Contacts access (LDAP)||ldap.messagingengine.com||ldap.fastmail.com|
|Incoming mail (POP)||mail.messagingengine.com||pop.fastmail.com|
|File access (FTP)||ftp.messagingengine.com||ftp.fastmail.com|
|File access (WebDAV)||dav.messagingengine.com||webdav.fastmail.com|
Common issues reported with the new features.
Can't log in via FastMail mobile app
You don't need to use an app password: regular password works with your existing two-step verification configuration. On a mobile device, as you can't use a security key, this means using an authentication app.
If it still doesn't work, we recommend you uninstall the app and reinstall from the app store.
Can't log in via non-FastMail clients
Many apps are still auto-discovering our old servers when you add your account profile. Once you've added your account profile, check the settings (it may be found under "manual config") and make sure it's using the new server settings, not the old messagingengine.com servers.
Push unavailable on iOS
This issue tends to surface just after setting up a new profile/updating a profile. Push actually is available. You may need to force-quit the mail app, and/or force-quit the iOS settings app in order to encourage it to recognise how push-y we really are.
New 2FA isn't working, but my old 2FA still works
The most common reason for this problem is using a base password (which belongs with your original 2FA configuration) instead of your master password.
Not sure which is which? Your master password unlocks the settings on the Password & Security screen. Your base password is ineffective.
With the old two-step verification, you could use your base password with your 2FA to let you log in or you could use the master password on its own. The new two-step verification requires that you always use your master password with your verification key or authentication code; the base password is not used.
I want to remove my alternative logins
With alternative logins being removed on August 31st, 2016, now is the time to remove them and consider migrating to the upgraded authentication options.
The link for alternative logins is at the bottom of the Password & Security screen in the web interface.
If you see the error message "Screen is only available to master login", it means you are currently using an alternative login. Check you know what your master password is by using it to unlock the settings on the Password screen, then log out of your current session and log back in with your master password. The alternative login screen will now be accessible.
I never received the verification code via SMS for my recovery phone
Our SMS support is provided by Twilio and there are a few carriers around the world they don't yet integrate with (Along with the 1000 or so that they do). Raise a ticket and our support team can help you get two-step verification set up without verifying your recovery phone.
You must set up a recovery backup email and print out or write down your recovery code if your recovery phone doesn't receive SMS from us, otherwise you won't be able to regain access to your account if you lose your two-step verification device.
If you're interested in reading more about why these changes were implemented and what they mean for you, our blog has a series on security: