EmailDiscussions.com

New features to keep your FastMail account even more secure (http://www.emaildiscussions.com/showthread.php?t=71922)

glass 19 Jul 2016 10:32 PM

"If you're currently using our "alternate logins" system, you will need to migrate to the new system sometime in the next month. We will be removing all old-style "alternate logins" on 31st August."

What does this mean for the other types of alternate logins, such as OTP?

robn 20 Jul 2016 08:43 AM

Quote:

Originally Posted by glass (Post 595100)
"If you're currently using our "alternate logins" system, you will need to migrate to the new system sometime in the next month. We will be removing all old-style "alternate logins" on 31st August."

What does this mean for the other types of alternate logins, such as OTP?

OTP set, 1-hour OTP/SMS and Yubikey one-factor are being removed. They will no longer work from release on Monday.

Terry 20 Jul 2016 09:15 AM

Why do you keep changing things? Is the extra security really needed or is it just to make it harder to use the old UI?

BritTim 20 Jul 2016 09:22 AM

Quote:

Originally Posted by Terry (Post 595126)
Why do you keep changing things? Is the extra security really needed or is it just to make it harder to use the old UI?

I am not a fan of change without good reasons. I support this set of changes. It is a fact that security on the Internet is becoming ever more of a challenge. We need the best possible tools to respond to this.

Terry 20 Jul 2016 09:27 AM

Perhaps it's to drive another nail in the classic UI coffin.:D:D:D
We are getting so many changes and I really don't like many of them, so I am now about to try something else, but if I don't like it I have only lost $40.

pjwalsh 20 Jul 2016 01:19 PM

Quote:

Originally Posted by edu (Post 595035)
I hope I will be able to use FreeOTP app with it...

No reason why not. TOTP is an IETF standard FastMail will continue supporting (post #23 above).

Glad you asked the question, I wasn't aware of FreeOTP. I've installed it on my Android devices.

https://play.google.com/store/apps/d...hosted.freeotp

Fabrio 20 Jul 2016 02:27 PM

Which Yubikey
 
I read the article on the new 2FA - I am looking at getting a yubikey specifically one with NFC - but I am confused about which one is appropriate. The article mentions the OLD yubikey and has a link to yubico which takes you to a page showing the NEW yubikeys
(The article also only gives a link to twitter to follow the discussion - and no mention of this forum)
Anyway I'd appreciate any assistance on this

robn 20 Jul 2016 02:48 PM

Quote:

Originally Posted by Fabrio (Post 595137)
I read the article on the new 2FA - I am looking at getting a yubikey specifically one with NFC - but I am confused about which one is appropriate. The article mentions the OLD yubikey and has a link to yubico which takes you to a page showing the NEW yubikeys
(The article also only gives a link to twitter to follow the discussion - and no mention of this forum)
Anyway I'd appreciate any assistance on this

Before U2F was available, YubiKeys supported an older OTP mechanism. If you have an old key, they won't support U2F but can still be used with FastMail because we implement the OTP mechanism.

If you're buying a new YubiKey, they all support both mechanisms, and we recommend using the U2F mode because it's more secure.

glass 20 Jul 2016 08:24 PM

Quote:

Originally Posted by robn (Post 595125)
OTP set, 1-hour OTP/SMS and Yubikey one-factor are being removed. They will no longer work from release on Monday.

I currently have:
password I can't remember (it's in my password manager, only accessible from my local computer)
password I can remember that requires 2fa (totp on phone)
password I can remember that requires an otp from a list I have printed out

So now if I want to be able to login when I don't have my phone, I will have to change my password to something I can remember and disable 2FA?

That doesn't sound "even more secure".

DumbGuy 20 Jul 2016 08:39 PM

Quote:

Originally Posted by robn (Post 595125)
OTP set, 1-hour OTP/SMS and Yubikey one-factor are being removed. They will no longer work from release on Monday.

Wait, I thought we had until 31-Aug-2016 to transition our Alternative Logins to the new authentication mechanism.

robn 20 Jul 2016 08:49 PM

Quote:

Originally Posted by DumbGuy (Post 595146)
Wait, I thought we had until 31-Aug-2016 to transition our Alternative Logins to the new authentication mechanism.

For the types that are serviceable through the new login system, yes. That's SMS, TOTP, YubiKey OTP and regular password. The other types have no mapping in the new system so aren't supported.

The small number of users using these login types should be receiving an email about it. I'm not sure where that's at; I'll chase it up tomorrow.

DumbGuy 20 Jul 2016 10:21 PM

Quote:

Originally Posted by robn (Post 595147)
For the types that are serviceable through the new login system, yes. That's SMS, TOTP, YubiKey OTP and regular password. The other types have no mapping in the new system so aren't supported.

The small number of users using these login types should be receiving an email about it. I'm not sure where that's at; I'll chase it up tomorrow.

Thanks for the clarification, Rob. I had used a paper printout of OTP tokens as a backup for OTP login, but I so rarely use it that I won't miss it. (You might remember me flashing it your way briefly when we met at OSCON last year.)

So, I just went ahead and disposed of the sheet and deleted the alternate login. The login methods now remaining in my account should map over OK, so I can take my time converting over these next few weeks.

Berenburger 21 Jul 2016 02:28 PM

Will this affect Pobox users/accounts?

FredOnline 21 Jul 2016 02:40 PM

Today's Fastmail blog - an important read:

https://blog.fastmail.com/2016/07/21...-reset-secure/

robn 21 Jul 2016 02:49 PM

Quote:

Originally Posted by Berenburger (Post 595170)
Will this affect Pobox users/accounts?

No. All authentication for Pobox accounts is owned and managed by Pobox. Mailstore customers will log in at www.fastmail.com like they can now, including using their TOTP or YubiKey, but everything else is done at pobox.com.


All times are GMT +9.