FastMail Forum
23 Jun 2020, 11:29 AM | #1
Cornerstone of the Community
Join Date: Jan 2003
Location: The Village
Posts: 616
New 2FA changes NOT welcome!
I do not like the changes to the 2FA login that have been rolled out very recently. I hope the people at FM realize that making many different choices of 2FA method easily available drastically reduces the security provided by 2FA! We usually consider having more choices a good thing, but in this case, more choices only helps the attacker.
The best security is offered by having only a single method available, and forcing the user to respond using that method. I realize this can sometimes cause trouble for less careful people who might, e.g., have their phone as their 2nd factor, and lose the phone, making it impossible to access their email for a while until it gets straightened out. I get this. I myself (I use Yubikeys normally) have once or twice had to rely on my phone for normal PC browser login because of not having any of my keys at hand.

But the most troubling aspect of what was recently rolled out is that a new method, voice call, was added to what is now a very clear menu offering 3 different options for 2FA. This voice call thing was not there before, as far as I noticed. So now, someone trying to break into my account only needs to have access to my cell phone, to answer a voice call (which is possible without unlocking it). I never asked for this, and don't want it! I would even be willing to move to a system where only one method is offered, and if I don't have it, I'm SOL. I like that higher level of security. I would still need the auth app method for access from my FM phone app, but there's no reason that app access vs browser access cannot be distinguished.

I suspect that this change was to "make things easier" for the Average l(U)ser, who is clueless about security and merely aggravated by anything that stands in his way when getting into email, but some of us really care about security! At the very least, you should make the menu of 2FA methods offered upon login settable in the settings, so that those of us who want more security can lock things down, and those who want more convenience can leave the defaults. Not cool, FM. As with so many other features, if you want defaults to be appealing to Average users, at least give us power users the chance to change the defaults, even if it's buried way down deep in the settings!

Last edited by NumberSix : 23 Jun 2020 at 06:29 PM.
23 Jun 2020, 12:04 PM | #2
Essential Contributor
Join Date: May 2018
Posts: 478
Last edited by xyzzy : 23 Jun 2020 at 12:11 PM.
23 Jun 2020, 07:33 PM | #4
The "e" in e-mail
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 4,863
I haven't seen anything like this in the security setup screen, and when I try to log in I am only offered the alternative of sending an SMS code if I cannot use my Yubikey (and this is offered only after I enter the correct password). I also understand that I can remove the SMS option by removing the backup phone number from my account, but I do need the SMS option sometimes. I wish there was another option: a printed list of one-time passwords, like Google has, and like we had on FastMail before 2FA was introduced.
23 Jun 2020, 07:36 PM | #5
Essential Contributor
Join Date: Oct 2008
Posts: 212
25 Jun 2020, 11:11 AM | #6
Cornerstone of the Community
Join Date: Jan 2003
Location: The Village
Posts: 616
Apparently this was only enabled on my account because I had my cell number recorded. And now, I can't remember why that was. I certainly wouldn't have given it to them unless there was a good reason, but can't remember now what the reason might have been (account recovery? but there are other ways to do that). I'll think about removing it. Even the reduction in security aside, it's another step I have to click my mouse through! I used to go straight from hitting enter on my p/w, to pushing the button on the Yubikey, but now I have to click something else in between.

P.S. +1 for printed OTP lists. I used to use that as well.

Last edited by NumberSix : 25 Jun 2020 at 11:26 AM.
25 Jun 2020, 11:23 PM | #7
Cornerstone of the Community
Join Date: Jun 2004
Location: Rupert, WV
Posts: 882
As far as 'account security' goes (with me anyway), I use KeePass for most of my usernames, passwords (or phrases), and the related URL. Some of those usernames and links, and all of the passwords, I don't even know. A good number of sites I have in that database I only have 'bookmarked' in KeePass, with that being the only link I will use to get to that site. With my email in particular, I only access it from my laptop, and so rarely from my phone that I have considered heavily whether to delete the FM app and K-9 from it, because the space they use outweighs the benefit I get from having those programs installed. One 'new but not new anymore' FM feature I really like is individual app passwords and their 'permission settings'. That is similar to where in my web host OPS, I can create additional and unique FTP and MySQL usernames, passwords, and 'home dir' paths.

- Bruce
25 Jun 2020, 11:56 PM | #8
Essential Contributor
Join Date: Jan 2017
Posts: 280
How is it a reduction in security? If you don't like it then remove the number in the account recovery section of settings.
26 Jun 2020, 12:28 AM | #9
Master of the @
Join Date: Feb 2017
Location: USA
Posts: 1,751
26 Jun 2020, 06:24 AM | #10
Essential Contributor
Join Date: Jan 2017
Posts: 280
I meant: how is it a reduction in security when it's easily disabled.
26 Jun 2020, 07:46 AM | #11
The "e" in e-mail
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 4,863
The problem is that there are two separate functionalities here that are tied together. One is disaster recovery: if you lose all access to your account, such as when someone steals it from you and changes the password, you can contact support by some other email, and they have something they can use to verify it is you, such as calling you and talking to you and asking you questions. Another is connecting daily to your mail. You may want to use your phone for only one of these, or use different phones (such as using your office landline for disaster recovery, and your mobile for 2FA). And you might want to use a phone just for one of the two.
26 Jun 2020, 08:02 AM | #12
Cornerstone of the Community
Join Date: Jan 2003
Location: The Village
Posts: 616
I would add, along these lines: I have an authenticator app registered for 2FA purposes that I use for the relatively rare times when I access from my phone using the FM app. However, this 2FA method is always offered to me even when I'm logging in from a normal PC browser (it has been like that a long time; this is not part of the recent change). I would rather have them separated: having browser login limited only to hardware tokens, and the auth app used only for phone login. I realize this might bite me hard some day, when I really, really need to get into my email and don't have a token or my phone, but I'm a bit of a risk taker about such things, and like the idea of stricter security. It would be nice if we had a more granular ability to configure such things.
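The thread's argument, that a login is only as strong as the weakest 2FA method the login page offers and that the offered set should be settable per login context (browser vs. app) and separately from the recovery phone, can be modelled in a few lines. This is an added illustration, not FastMail's code; the method names, the strength ranking, the policy shape and the backup-code format are all assumptions made for the model.

```python
"""Toy model of a per-login-context 2FA policy. Constructed example: the
method names, ranking and policy shape are assumptions, not FastMail's code."""
import hashlib
import secrets
from dataclasses import dataclass, field

# Assumed ranking, weakest first. A login is only as strong as the weakest
# method the login page offers, which is the thread's central argument.
STRENGTH = {"voice": 1, "sms": 2, "totp": 3, "backup_code": 3, "u2f": 4}

@dataclass
class Account:
    factors: set            # explicitly enrolled, e.g. {"u2f", "totp"}
    phone: str = ""         # a recorded number implicitly enables sms and voice
    backup_hashes: set = field(default_factory=set)
    # Allow list per login context: the granular setting the posters ask for.
    policy: dict = field(default_factory=lambda: {
        "browser": {"u2f", "totp", "backup_code", "sms", "voice"},
        "app": {"totp"},
    })

def enrolled(acct):
    """Every method the account could use, including phone-derived ones."""
    methods = set(acct.factors)
    if acct.phone:
        methods |= {"sms", "voice"}
    if acct.backup_hashes:
        methods.add("backup_code")
    return methods

def offered(acct, context):
    """Methods the login page shows for this context, strongest first."""
    allowed = enrolled(acct) & acct.policy.get(context, set())
    return sorted(allowed, key=lambda m: (-STRENGTH[m], m))

def _digest(code):
    return hashlib.sha256(code.encode()).hexdigest()

def issue_backup_codes(acct, n=10):
    """Printed one-time list as post #4 requests; only hashes are stored."""
    codes = [secrets.token_hex(5) for _ in range(n)]
    acct.backup_hashes = {_digest(c) for c in codes}
    return codes

def redeem_backup_code(acct, code):
    """Each code works exactly once; reused or unknown codes are rejected."""
    h = _digest(code)
    if h not in acct.backup_hashes:
        return False
    acct.backup_hashes.discard(h)
    return True
```

With a phone number recorded, `offered(acct, "browser")` ends in "voice", the weakest entry; clearing the number (post #8) or tightening `policy["browser"]` to `{"u2f"}` (post #12) removes it without touching the app context.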