12 Oct 2016, 01:03 PM   #280
paul29
Senior Member
Join Date: Apr 2014
Posts: 166
I've been meaning to post about this for quite a while, but the new system really seems to be a security downgrade for some perfectly good use cases.

First, as others have mentioned, SMS is no longer considered a secure authentication channel. So Fastmail's suggestion of registering a phone number for purposes of password reset just opens an attack vector. Anyone who finds out the phone number can request a reset, intercept the incoming SMS message, and pwn my Fastmail account. SMS is useless and enrolling a phone number sounds like a bad idea.

TOTP is reasonable except that the smartphones running most TOTP apps are themselves bundles of malware (I don't use a smartphone and hopefully never will). The Yubikey is yet another electronic gadget containing secrets, and requires a USB port, something absent from many devices like tablets and phones. Also, it claims to implement TOTP, but I don't see any evidence that it has a hardware RTC (e.g. the nano version looks too small to have a battery inside). If it's getting the time from a remote server, it can be fooled into giving a future authentication code, and (if it requires the remotely supplied times to increase monotonically) it can be bricked by a malicious remote server. Plus it's expensive.

The old, printed OTP system worked really well. 99% of the time I use Fastmail from my personal laptop with hopefully ok security, logging in with a password. The other 1% is from totally untrusted devices: e.g. I'm travelling and need to check a message from a kiosk, somebody's phone, or something like that. The printed OTP was great for that. I never had to give up a re-usable secret. Yubikey (if I were willing to buy it) often wouldn't work in that situation (USB....) and it would only be usable as a second factor one time. Because the master password must be considered compromised as soon as you enter it in an untrusted device, the only factor left is the Yubikey or TOTP, which means you're back to 1-factor authentication.

The printed OTP was also good because I don't like travelling with electronics due to airport security, customs, etc. liking to examine the contents. The printed OTP on a slip of paper (Post-it sized) is much less likely to get examined, and before check-in for a return flight I could rip it up and throw it away, removing the possibility of interception. No way I want to do that with a $50 Yubikey or a smartphone.

I tried to concoct some scheme with app passwords where the application would auto-disable its own password after being used once, but that seems to require the master password.

The security page seems to allude to a challenge-response scheme in the Fastmail mobile app. Is that documented so I can implement it in my own app? (That app would run on a server since I don't use mobiles).

Another idea is to have an automated IMAP client with an app password pulling my email off of Fastmail every few minutes, but if I'm reading mail from my own server, Fastmail isn't doing that much for me.

Most of all I'm bothered by Fastmail calling something a security improvement when it's actually a regression. When they got rid of SMS they straightforwardly said it wasn't worth supporting any more, which was ok (except maybe for Premier account holders who had paid for a lot of SMS expecting to use it). They didn't say "we've increased our capabilities by getting rid of SMS".

Anyway I guess I'll research how the 2-factor stuff works. TOTP is very simple but I don't know about U2F and so on.

Last edited by paul29 : 12 Oct 2016 at 04:01 PM.