Do FTP and WebDAV no longer work with the master password?

[Prognathous]

I keep getting errors when I try to configure FTP and WebDAV clients...

Thanks!

[n5bb]

You now can only use your master password for web access and the Fastmail-provided mobile clients.

• All applications (non-Fastmail email clients, FTP, etc.) now use the new server names and require an application password created for that specific device.
• Alternate passwords are no longer available.
• The only way to use Fastmail services using your master password (without an application password) is for web access or the iOS/Android mobile Fastmail-provided email clients. Two-factor authentication is encouraged, which can allow you to enable access for a specific computer using a two-factor scheme initially. You don't have to use the two-factor system upon each login unless you don't allow that PC to be remembered.

https://blog.fastmail.com/2016/07/25...rity-features/

More information is available in the Fastmail help system:
https://www.fastmail.com/help/accoun...roubleshooting

Bill

[Prognathous]

Thanks for clarifying this Bill. Application passwords indeed works. Too bad they're impossible to remember and that there's no way to view or edit them. I guess convenience was not a factor in this change.

[BritTim]

What you describe is not my precise understanding, and connections using dav.messagingengine.com and ftp.messagingengine.com with the master password still work, I believe, unless you enable two-factor authentication for web sign-in.

Changing to the new server names, and application passwords, is a good idea for security reasons, but I do not think it is compulsory.

[Prognathous]

I have two-factor authentication disabled, yet the FTP and WebDAV clients failed to work with my Master password.

[BritTim]

Quote:

Originally Posted by Prognathous

I have two-factor authentication disabled, yet the FTP and WebDAV clients failed to work with my Master password.

What server names were you using?

[Prognathous]

The new ones (based on fastmail.com instead of messagingengine.com).

[BritTim]

Quote:

Originally Posted by Prognathous

The new ones (based on fastmail.com instead of messagingengine.com).

When you use the new server names, application passwords are required. If you want to use the master password, you need to use the old server names. These still allow use of the master password so as not to break existing setups.

[n5bb]

Quote:

Originally Posted by BritTim

When you use the new server names, application passwords are required. If you want to use the master password, you need to use the old server names. These still allow use of the master password so as not to break existing setups.

It's been exactly two months since the first changes, so we need to be prepared for the full changes described in the Fastmail help system. We don't know how to interpret "gradually" in this blog post from July 18 (nearly 10 weeks ago):

Quote:

Any devices you already have set up will continue to work just fine with your regular FastMail password. We will gradually help existing customers to upgrade to the new system for all apps over the coming months, but there will be no change immediately. If you set up the new two-step verification however, you will need to update your apps immediately with an app password, as third-party apps do not currently support two-step verification.

I have updated all my accounts to two factor authentication, so I can't test the old server names with my accounts.

Bill

[placebo]

Quote:

Originally Posted by Prognathous

Thanks for clarifying this Bill. Application passwords indeed works. Too bad they're impossible to remember and that there's no way to view or edit them. I guess convenience was not a factor in this change.

They're not intended to be reused or remembered by you. You're supposed to have the application remember the password.

[emoore]

What is the rationale for eventually requiring all customers to use a app password? This sounds like Fastmail is getting too focused on the needs of business and mobile customers.

I normally only read my mail using Thunderbird, at home. I occasionally read my mail using webmail or my smartphone when away from home. I don't have a calendar. I have no need for two factor authentication. This change means I'm going to have to deal with at least three, possibly four passwords, and is going to make it harder to troubleshoot when something goes wrong.

[n5bb]

Quote:

Originally Posted by emoore

What is the rationale for eventually requiring all customers to use a app password? ....

You always have a choice on how you want to use passwords.

• You can choose to enter a password (and optionally a second factor from a mobile phone when using webmail) every time you access Fastmail.
• Or you can choose to store the password in the application. In Thunderbird you can add a master password which requires you to enter that one password to enable all stored passwords to be used to log into email accounts.

The big advantage of application passwords is that they can't be used to log in via the web. You can choose to limit access to just email, calendar data, or contacts. If you lose a PC or other device, you can quickly log in to the web interface and remove the password(s) used on that device without changing all of your passwords. See:
https://www.fastmail.com/help/clients/apppassword.html

So here is how I now use Fastmail:

• I normally log into the Fastmail website from a laptop PC (when I have that PC and can easily set it up). I have allowed Fastmail to treat this as a trusted computer. This means that I can log into Fastmail without using two-factor authentication. All I need to do is to use by normal Windows login and I can get into Fastmail without entering any passwords.
• But I can not log into the Fastmail website from any other PC without using both my master password and using the Authenticator time-limited app on my iPhone to generate the second factor.
• If I lose my master password, I can use the Recovery Code for my account or the recovery address or phone SMS.
• On my iPad and iPhone I use the Fastmail app. I don't need to remember any password, but I can't change any passwords on my account from the Fastmail app without use of the master password. I do require codes to access each of these devices.
• I can use Thunderbird and Outlook via IMAP and SMTP using application passwords. After the initial setup I don't need to enter these passwords.
• On my iPad and iPhone I can get calendar access using an application password.

The advantage of this system is that I can use all of my devices on Fastmail without remembering any passwords. I rely on physical access security and device access codes to keep anyone from easily accessing my account. If anyone was able to guess or steal my master password they couldn't use it, since they would also have to get access to my mobile phone and know how to use the authenticator. And each application (Thunderbird, Outlook) or device (iPad, iPhone) has a separate application password, which adds security.

Bill