EmailDiscussions.com  
FastMail Forum

Old 3 Jan 2017, 02:19 AM   #1
edu
Member
 
Join Date: Jun 2016
Posts: 75
SMS as 2FA yet?

Question: Is it active yet, or has it disappeared? In case someone loses the smartphone and is not using pen drives or other devices with 2FA.
Thanks.
edu is offline   Reply With Quote

Old 3 Jan 2017, 03:40 AM   #2
jhollington
Essential Contributor
 
Join Date: Apr 2008
Posts: 232
It disappeared as part of FastMail's rollout of the new 2FA system last summer, and I'd guess that it's probably not coming back.... A post here by brong from the FastMail team suggests that it's pretty much known to be "awful for security" as well as reliability/deliverability.
jhollington is offline   Reply With Quote
Old 3 Jan 2017, 09:36 AM   #3
rnkn
Member
 
Join Date: Nov 2013
Posts: 32
Trust in SMS is a quick path to having your identity stolen 🕵
rnkn is offline   Reply With Quote
Old 3 Jan 2017, 03:19 PM   #4
edu
Member
 
Join Date: Jun 2016
Posts: 75
Thank you both for your answers. Yes, I know it's not safe, but it's safer than nothing. So, if you are without a smartphone (or don't want to use a smartphone anymore) and can't use another device, then SMS as 2FA is better than no 2FA. But I see that it's not in FM anymore.
edu is offline   Reply With Quote
Old 3 Jan 2017, 06:04 PM   #5
rnkn
Member
 
Join Date: Nov 2013
Posts: 32
There are a few command line tools for generating time-based one-time passwords. There's no real magic to it, the codes are just generated from running a SHA1 algorithm on a secret string. A QR code is just a silly/inefficient way of communicating that secret string to an app, it's little different to copy/paste.

Have a google around and see what you're comfortable with using.
rnkn is offline   Reply With Quote
Old 3 Jan 2017, 06:48 PM   #6
Terry
The "e" in e-mail
 
Join Date: Jul 2002
Location: VK4
Posts: 2,328
Quote:
Originally Posted by rnkn
Trust in SMS is a quick path to having your identity stolen 🕵
Why would you say that? Banks here in Australia use SMS to send a log-in account password and so does the Government; surely if it was unsafe they would use some other method?

I would say the reason f/m don't want to use sms is the cost and reliability of phone companies.
Terry is offline   Reply With Quote
Old 3 Jan 2017, 08:38 PM   #7
edu
Member
 
Join Date: Jun 2016
Posts: 75
Quote:
Originally Posted by rnkn
There are a few command line tools for generating time-based one-time passwords. There's no real magic to it, the codes are just generated from running a SHA1 algorithm on a secret string. A QR code is just a silly/inefficient way of communicating that secret string to an app, it's little different to copy/paste.

Have a google around and see what you're comfortable with using.
Thank you. I thought FM was not supporting time-based one-time passwords anymore, or do you mean another way to do it? Can you tell me more?
edu is offline   Reply With Quote
Old 3 Jan 2017, 08:39 PM   #8
edu
Member
 
Join Date: Jun 2016
Posts: 75
Quote:
Originally Posted by Terry
Why would you say that? Banks here in Australia use SMS to send a log-in account password and so does the Government; surely if it was unsafe they would use some other method?

I would say the reason f/m don't want to use sms is the cost and reliability of phone companies.
I read about it too; it's easier to intercept SMS on smartphones than to intercept an OTP app. I posted it some time ago: http://emaildiscussions.com/showthread.php?t=71964
edu is offline   Reply With Quote
Old 3 Jan 2017, 10:55 PM   #9
jhollington
Essential Contributor
 
Join Date: Apr 2008
Posts: 232
Quote:
Originally Posted by edu
Thank you. I thought FM was not supporting time-based one-time passwords anymore, or do you mean another way to do it? Can you tell me more?
FastMail still supports time-based one-time passwords as part of its new two-factor authentication system, but unlike the old "alternative logins" feature, these don't replace your FastMail password, but rather supplement it (hence the "two-factor" aspect).

The new 2FA system also supports only TOTP now for one-time passwords — either via a TOTP app like Google Authenticator or a Yubikey OTP device; the old static OTP lists that you could print are no more. Alternatively, you can also use the even more secure U2F method, assuming you have a U2F device and are using a browser (Google Chrome) that supports U2F.

To be fair, though, I also sort of lied about SMS not being available — FastMail does provide SMS authentication as a backup in the event that you don't have access to your TOTP device or U2F key, but it's clearly intended to be more of a backup/recovery method than a primary authentication method. Technically speaking, though, it does work in about the same way; I think FastMail just makes it a "backup" method to steer people toward the more effective TOTP/U2F system.

You can get an SMS code when logging in by clicking the "Send a code to your backup phone number" link at the bottom of the second-factor screen (this of course assumes you've added your phone number in the "Account Recovery" section of your FastMail "Password & Security" preferences).
jhollington is offline   Reply With Quote
Old 3 Jan 2017, 11:02 PM   #10
jhollington
Essential Contributor
 
Join Date: Apr 2008
Posts: 232
Quote:
Originally Posted by Terry
Why would you say that? Banks here in Australia use SMS to send a log-in account password and so does the Government; surely if it was unsafe they would use some other method?
Well, it's not about it being "unsafe" so much as "not as safe" as other methods. I think the problem is that for a lot of public organizations like banks and Government agencies, SMS is the "least common denominator." It's not about security in that sense so much as convenience, and as others have pointed out, it's also better than not using a second factor at all.

The reality is that you're not going to get the vast majority of average users (probably 90% of the bank/Government user base) to fiddle with TOTP apps or buy U2F keys, so you're left with having to lower your security standards to the very lowest solution that pretty much every one of your clients has access to, and of course that's SMS, since almost everyone has a mobile phone these days.

Again, better than not having a second factor at all, and a big part of any security model is buy-in and usability from the user base. Security that nobody is going to use is no better than no security at all.
jhollington is offline   Reply With Quote
Old 3 Jan 2017, 11:48 PM   #11
edu
Member
 
Join Date: Jun 2016
Posts: 75
Thank you very much! Doubt resolved.

Quote:
Originally Posted by jhollington
FastMail still supports time-based one-time passwords as part of its new two-factor authentication system, but unlike the old "alternative logins" feature, these don't replace your FastMail password, but rather supplement it (hence the "two-factor" aspect).

The new 2FA system also supports only TOTP now for one-time passwords — either via a TOTP app like Google Authenticator or a Yubikey OTP device; the old static OTP lists that you could print are no more. Alternatively, you can also use the even more secure U2F method, assuming you have a U2F device and are using a browser (Google Chrome) that supports U2F.

To be fair, though, I also sort of lied about SMS not being available — FastMail does provide SMS authentication as a backup in the event that you don't have access to your TOTP device or U2F key, but it's clearly intended to be more of a backup/recovery method than a primary authentication method. Technically speaking, though, it does work in about the same way; I think FastMail just makes it a "backup" method to steer people toward the more effective TOTP/U2F system.

You can get an SMS code when logging in by clicking the "Send a code to your backup phone number" link at the bottom of the second-factor screen (this of course assumes you've added your phone number in the "Account Recovery" section of your FastMail "Password & Security" preferences).
edu is offline   Reply With Quote
All times are GMT +9. The time now is 05:31 PM.

Copyright EmailDiscussions.com 1998-2013. All Rights Reserved.