Just received E-Mail message from Fastmail

Jacinto · 22 Jul 2016, 07:41 PM

Good day.

I just received the below message from Fastmail.

I've never set-up any "alternative logins."

Anything to worry about?

Thank you.

--
Jacinto

Quote:

This is an important notice about upcoming changes to how you log in to your FastMail account.

As discussed on our blog, on Monday, 25th July we’ll be launching a range of new security features to provide greater protection in making sure you, and only you, can access your FastMail account. This will replace our existing "alternative logins" system.

As a user of our existing "alternative logins" system, you will need to make a few changes. You can see all the alternative logins you currently have set up by going to: https://www.fastmail.com/go/altlogins.

Any alternative logins of the types "OTP (One Time Password) Set", "OTP 1hr Set", "SMS 1hr Password Sender" or "Yubikey Online (1 factor)" will stop working on Monday. Also, any "Google Authenticator (OATH TOTP)" alternative logins without a base password will also stop working on Monday.

All other alternative logins (types "SMS Password Sender", "Regular Password", "Yubikey Online + Password (2 factor)", or "Google Authenticator (OATH TOTP)" with a base password) will continue to work until 31st August. Please note, from Monday you will be asked for any second factor after submitting your username and password, rather than entering it on the initial login page appended to your password.

After 31st August, these alternative logins will also stop working.

On Monday, 25th July or as soon as possible after that, we recommend that you migrate to the new security system. You can do that by logging into your account using your master password, and from the main menu at the top left selecting the "Password & Security" screen. From there, you can set up recovery options for your account, enable two-step verification, and create app and protocol specific passwords to use with 3rd party apps.

Regards,

The FastMail Team

Jacinto · 22 Jul 2016, 08:06 PM

As instructed in the message, I logged-in here:

https://www.fastmail.com/go/altlogins

To my surprise, I had created an AL for one of my accounts (now deleted).

My passwords are long passwords containing lots of symbols and my accounts have never being compromised.

I'm afraid that if I start playing with passwords, etc., and lock myself out of an account, given Fastmail's lethargic Tech. Support, it could be days before I can get back in (especially with a weekend coming up).

We'll see.

--
Jacinto

Terry · 22 Jul 2016, 08:36 PM

I hate this part....

On Monday, 25th July or as soon as possible after that, we recommend that you migrate to the new security system. You can do that by logging into your account using your master password, and from the main menu at the top left selecting the "Password & Security" screen. From there, you can set up recovery options for your account, enable two-step verification, and create app and protocol specific passwords to use with 3rd party apps.

The system has worked well enough for the last 15 years....why change it now...

Do we really have to have the two-step verification?

FredOnline · 22 Jul 2016, 09:32 PM

Suggest this thread is merged with the main thread on the same subject.

nighthawk700 · 23 Jul 2016, 02:23 AM

Okay, so my kids have received this email message as well. I use a family account, and there are two logins to each kid's account. One is limited, the other is the full login. They only have the password for limited, that way I can control things like filtering. (I use it to make sure I get a copy of every email they send and receive to make sure nothing fishy is going on). Is that ability being taken away? I can't think of anything else security wise that is active in their accounts.

paleolith · 23 Jul 2016, 02:39 AM

Fred suggested moving this discussion to the main thread about the security changes. I agree with Fred.

Terry · 23 Jul 2016, 03:43 AM

I dont agree it covers a different subject

communicant · 23 Jul 2016, 06:21 AM

What about legacy Member and Guest accounts? A family member has one of those and has not received any sort of email about login requirement changes or anything else from Fastmail. Will some sort of 2FA login be required on that account next month, or is there only an option to add such a thing if desired? I hope it isn't mandatory, since the user of that account certainly has no need or wish for it. As I say, there has been no notification to that account. Can anyone advise me on this point?

akorvemaker · 23 Jul 2016, 06:48 AM

Quote:

Originally Posted by communicant

What about legacy Member and Guest accounts? A family member has one of those and has not received any sort of email about login requirement changes or anything else from Fastmail. Will some sort of 2FA login be required on that account next month, or is there only an option to add such a thing if desired? I hope it isn't mandatory, since the user of that account certainly has no need or wish for it. As I say, there has been no notification to that account. Can anyone advise me on this point?

I believe the only people who were emailed so far are those who have existing Alternative Logins set up. That would explain why your family member has not been emailed.

They aren't forcing everyone to enable 2FA. It will simply be an option for those who desire it.

BritTim · 23 Jul 2016, 09:09 AM

Quote:

Originally Posted by communicant

What about legacy Member and Guest accounts? A family member has one of those and has not received any sort of email about login requirement changes or anything else from Fastmail. Will some sort of 2FA login be required on that account next month, or is there only an option to add such a thing if desired? I hope it isn't mandatory, since the user of that account certainly has no need or wish for it. As I say, there has been no notification to that account. Can anyone advise me on this point?

As has always been true, those who do not care about security can continue to have a single account master password that they use everywhere with no second factor. This is true whether using legacy guest/member accounts, or any other type of account. My guess is that most casual email users will continue to do just that.

Terry · 23 Jul 2016, 01:09 PM

They need to hide the backup email address as currently it's being shown

kijinbear · 23 Jul 2016, 02:42 PM

I don't care about 2FA, because I rarely use the web interface and I don't use the Fastmail app.

What I do care about is giving a different password to each PC or mobile app that I do use, so that I can easily revoke access if necessary. No amount of 2FA is going to make my IMAP/SMTP sessions more secure. Alternative logins, on the other hand, serve this purpose very well.

According to the blog post, there will be some sort of "app password" feature to replace the way I'm using alternative logins. As of today, that feature is nowhere to be found. According to the notice, it may arrive some time after Monday.

And despite the fact that an app password would serve the same purpose as my current usage, I'll have to manual migrate all my alternative logins. FastMail managed to migrate all my rules to the new system, why can't they do the same with alternative logins?

FastMail: If you want to tell me to stop using a feature, that's okay, but don't send the notice until the replacement feature is ready to use.

Jacinto · 23 Jul 2016, 10:43 PM

Quote:

Originally Posted by akorvemaker

I believe the only people who were emailed so far are those who have existing Alternative Logins set up. That would explain why your family member has not been emailed.

. . .

I believe you are correct.

I only received the message of reference on the account that had a (long forgotten) AL.

--
Jacinto

Jacinto · 23 Jul 2016, 10:50 PM

Quote:

Originally Posted by BritTim

As has always been true, those who do not care about security can continue to have a single account master password that they use everywhere with no second factor. This is true whether using legacy guest/member accounts, or any other type of account. My guess is that most casual email users will continue to do just that.

Hello, BritTim.

I'm not a casual E-Mail user and am very concerned about security.

Having said that, I use long passwords with lots of non-alphanumeric characters and have never been hacked.

Two step logins are fine if that's what you like. I would prefer Fastmail allowed the use of pass phrases as well as passwords. Once you add-in empty spaces, you should be good-to-go as far as security is concerned.

--
Jacinto

Jacinto · 23 Jul 2016, 10:51 PM

Quote:

Originally Posted by kijinbear

. . .

FastMail: If you want to tell me to stop using a feature, that's okay, but don't send the notice until the replacement feature is ready to use.

Agreed.

--
Jacinto

22 Jul 2016, 08:36 PM	#3
Terry The "e" in e-mail Join Date: Jul 2002 Location: VK4 Posts: 3,028	I hate this part.... On Monday, 25th July or as soon as possible after that, we recommend that you migrate to the new security system. You can do that by logging into your account using your master password, and from the main menu at the top left selecting the "Password & Security" screen. From there, you can set up recovery options for your account, enable two-step verification, and create app and protocol specific passwords to use with 3rd party apps. The system has worked well enough for the last 15 years....why change it now... Do we really have to have the two-step verification? Last edited by Terry : 22 Jul 2016 at 08:44 PM.

22 Jul 2016, 09:32 PM	#4
FredOnline The "e" in e-mail Join Date: Apr 2011 Location: Manchester UK Posts: 2,616	Note to Moderators Suggest this thread is merged with the main thread on the same subject.

22 Jul 2016, 08:06 PM	#2
Jacinto Essential Contributor Join Date: Jun 2009 Posts: 395	As instructed in the message, I logged-in here: https://www.fastmail.com/go/altlogins To my surprise, I had created an AL for one of my accounts (now deleted). My passwords are long passwords containing lots of symbols and my accounts have never being compromised. I'm afraid that if I start playing with passwords, etc., and lock myself out of an account, given Fastmail's lethargic Tech. Support, it could be days before I can get back in (especially with a weekend coming up). We'll see. -- Jacinto

23 Jul 2016, 02:23 AM	#5
nighthawk700 Essential Contributor Join Date: Oct 2004 Location: Baltimore, MD Suburbs (US) Posts: 237	Okay, so my kids have received this email message as well. I use a family account, and there are two logins to each kid's account. One is limited, the other is the full login. They only have the password for limited, that way I can control things like filtering. (I use it to make sure I get a copy of every email they send and receive to make sure nothing fishy is going on). Is that ability being taken away? I can't think of anything else security wise that is active in their accounts.

23 Jul 2016, 02:39 AM	#6
paleolith Cornerstone of the Community Join Date: Mar 2002 Location: Florida Posts: 545	Fred suggested moving this discussion to the main thread about the security changes. I agree with Fred.

23 Jul 2016, 03:43 AM	#7
Terry The "e" in e-mail Join Date: Jul 2002 Location: VK4 Posts: 3,028	I dont agree it covers a different subject

23 Jul 2016, 06:21 AM	#8
communicant Cornerstone of the Community Join Date: Jul 2009 Posts: 879	What about legacy Member and Guest accounts? A family member has one of those and has not received any sort of email about login requirement changes or anything else from Fastmail. Will some sort of 2FA login be required on that account next month, or is there only an option to add such a thing if desired? I hope it isn't mandatory, since the user of that account certainly has no need or wish for it. As I say, there has been no notification to that account. Can anyone advise me on this point?

23 Jul 2016, 01:09 PM	#11
Terry The "e" in e-mail Join Date: Jul 2002 Location: VK4 Posts: 3,028	They need to hide the backup email address as currently it's being shown

23 Jul 2016, 02:42 PM	#12
kijinbear Cornerstone of the Community Join Date: Mar 2011 Location: ~$ Posts: 652	I don't care about 2FA, because I rarely use the web interface and I don't use the Fastmail app. What I do care about is giving a different password to each PC or mobile app that I do use, so that I can easily revoke access if necessary. No amount of 2FA is going to make my IMAP/SMTP sessions more secure. Alternative logins, on the other hand, serve this purpose very well. According to the blog post, there will be some sort of "app password" feature to replace the way I'm using alternative logins. As of today, that feature is nowhere to be found. According to the notice, it may arrive some time after Monday. And despite the fact that an app password would serve the same purpose as my current usage, I'll have to manual migrate all my alternative logins. FastMail managed to migrate all my rules to the new system, why can't they do the same with alternative logins? FastMail: If you want to tell me to stop using a feature, that's okay, but don't send the notice until the replacement feature is ready to use.