EmailDiscussions.com  

Go Back   EmailDiscussions.com > Email Service Provider-specific Forums > FastMail Forum
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read
Stay in touch wirelessly

FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.

Reply
 
Thread Tools
Old 23 Jun 2020, 11:29 AM   #1
NumberSix
Cornerstone of the Community
 
Join Date: Jan 2003
Location: The Village
Posts: 575
New 2FA changes NOT welcome!

I do not like the changes to the 2FA login that have been rolled out very recently. I hope the people at FM realize that making many different choices of 2FA method easily available drastically reduces the security provided by 2FA! We usually consider having more choices a good thing, but in this case, more choices only helps the attacker.

The best security is offered by having only a single method available, and forcing the user to respond using that method. I realize this can sometimes cause trouble for less careful people who might, e.g., have their phone as their 2nd factor, and lose the phone, making it impossible to access their email for a while until it gets straightened out. I get this. I myself (I use Yubikeys normally) have once or twice had to rely on my phone for normal PC browser login because of not having any of my keys at hand.

But the most troubling aspect of what was recently rolled out is that a new method, voice call, was added to what is now a very clear menu offering 3 different options for 2FA. This voice call thing was not there before, as far as I noticed. So now, someone trying to break into my account only needs to have access to my cell phone, to answer a voice call (which is possible without unlocking it).

I never asked for this, and don't want it! I would even be willing to move to a system where only one method is offered, and if I don't have it, I'm SOL. I like that higher level of security. I would still need the auth app method for access from my FM phone app, but there's no reason that app access vs browser access cannot be distinguished.

I suspect that this change was to "make things easier" for the Average l(U)ser, who is clueless about security and merely aggravated by anything that stands in his way when getting into email, but some of us really care about security! At the very least, you should make the menu of 2FA methods offered upon login settable in the settings, so that those of us who want more security can lock things down, and those who want more convenience can leave the defaults.

Not cool, FM. As with so many other features, if you want defaults to be appealing to Average users, at least give us power users the chance to change the defaults, even if it's buried way down deep in the settings!

Last edited by NumberSix : 23 Jun 2020 at 06:29 PM.
NumberSix is offline   Reply With Quote

Old 23 Jun 2020, 12:04 PM   #2
xyzzy
Essential Contributor
 
Join Date: May 2018
Posts: 280
Quote:
Originally Posted by NumberSix View Post
Not cool, FM. As with so many other features, if you want defaults to be appealing to Average users, at least give us power users the chance to change the defaults, even if it's buried way down deep in the settings!
Have you considered posting all that as a FM ticket?

Last edited by xyzzy : 23 Jun 2020 at 12:11 PM.
xyzzy is offline   Reply With Quote
Old 23 Jun 2020, 06:28 PM   #3
NumberSix
Cornerstone of the Community
 
Join Date: Jan 2003
Location: The Village
Posts: 575
Quote:
Originally Posted by xyzzy View Post
Have you considered posting all that as a FM ticket?
I will do that, but wanted to put it here as well.
NumberSix is offline   Reply With Quote
Old 23 Jun 2020, 07:33 PM   #4
hadaso
The "e" in e-mail
 
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 4,540
Quote:
Originally Posted by NumberSix View Post
...a new method, voice call, was added to what is now a very clear menu offering 3 different options for 2FA. ...
Where do you see this?
I haven't seen anything like this in the security setup screen, and when I try to login I am only offered the alternative of sending an SMS code if I cannot use my Ubikey. (and this is offered only after I enter the correct password). I also understand that I can remove the SMS option by removing the backup phone number from my account, but I do need the SMS option sometimes.
I wish there was another option: a printed list of one time passwords, like Google has, and like we had on FastMail before 2FA was introduced.
hadaso is offline   Reply With Quote
Old 23 Jun 2020, 07:36 PM   #5
DumbGuy
Senior Member
 
Join Date: Oct 2008
Posts: 184
Quote:
Originally Posted by hadaso View Post
I wish there was another option: a printed list of one time passwords, like Google has, and like we had on FastMail before 2FA was introduced.

Agreed. I miss that option that FM used to offer.
DumbGuy is offline   Reply With Quote
Old 25 Jun 2020, 11:11 AM   #6
NumberSix
Cornerstone of the Community
 
Join Date: Jan 2003
Location: The Village
Posts: 575
Quote:
Originally Posted by hadaso View Post
Where do you see this?
I haven't seen anything like this in the security setup screen, and when I try to login I am only offered the alternative of sending an SMS code if I cannot use my Ubikey.
Maybe I mistook the SMS option for a voice call option. I still don't like it, though. In certain respects SMS may be more vulnerable than voice call, in others, less so.

Apparently this was only enabled on my account because I had my cell number recorded. And now, I can't remember why that was. I certainly wouldn't have given it to them unless there was a good reason, but can't remember now what the reason might have been (account recovery? but there are other ways to do that) I'll think about removing it.

Even reduction in security aside, it's another step I have to click my mouse through! I used to go straight from hitting enter on my p/w, to pushing the button on the Yubikey, but now I have to click something else in between

P.s. +1 for printed OTP lists. I used to use that as well.

Last edited by NumberSix : 25 Jun 2020 at 11:26 AM.
NumberSix is offline   Reply With Quote
Old 25 Jun 2020, 11:23 PM   #7
somdcomputerguy
Cornerstone of the Community
 
Join Date: Jun 2004
Location: Rupert, WV
Posts: 652
Quote:
Originally Posted by hadaso View Post
I wish there was another option: a printed list of one time passwords, like Google has, and like we had on FastMail before 2FA was introduced.
Quote:
Originally Posted by DumbGuy View Post
Agreed. I miss that option that FM used to offer.
Quote:
Originally Posted by NumberSix View Post
P.s. +1 for printed OTP lists. I used to use that as well.
That is certainly one thing I have to agree on with you guys.

As far as 'account security' goes (with me anyway ), I use KeePass for most of my usernames, passwords (or phrases), and the related URL. Some of those usernames and links, and all of the passwords, I don't even know. A good number of sites I have in that database I only have 'bookmarked' in KeePass, with that being the only link I will use to get to that site. With my email in particular, I only access it from my laptop, and so rarely from my phone that I have considered heavily on whether to delete the FM app and K-9 from it, because the space they use outweighs the benefit I get from having those programs installed.

One 'new but not new anymore' FM feature I really like is individual app passwords and their 'permission settings'. That is similar to where in my web host OPS, I can create additional and unique FTP and MySQL usernames, passwords, and 'home dir' paths.

- Bruce
somdcomputerguy is offline   Reply With Quote
Old 25 Jun 2020, 11:56 PM   #8
SideshowBob
Senior Member
 
Join Date: Jan 2017
Posts: 143
How is it a reduction in security? If you don't like it then remove the number in the account recovery section of settings.
SideshowBob is offline   Reply With Quote
Old 26 Jun 2020, 12:28 AM   #9
TenFour
Cornerstone of the Community
 
Join Date: Feb 2017
Posts: 779
Quote:
How is it a reduction in security?
Having multiple different ways of getting a 2FA code provides more paths for hackers to steal them. In particular, having a phone number that is used for receiving SMS codes, calls, or as a recovery number can make your account much less secure as been demonstrated recently in several high-profile hacks. They SIM swap your number or simply bribe someone in the phone company and once they have that they are in, assuming they already have your password via some other means. Though, probably this is a much smaller problem for most of us than simply having the password database hacked or our password stolen via a phishing attack. Microsoft and Google both report that using 2FA of any sort eliminates the vast majority of hacks.https://techcommunity.microsoft.com/...us/ba-p/855124
TenFour is online now   Reply With Quote
Old 26 Jun 2020, 06:24 AM   #10
SideshowBob
Senior Member
 
Join Date: Jan 2017
Posts: 143
I meant: how is it a reduction in security when it's easily disabled.
SideshowBob is offline   Reply With Quote
Old 26 Jun 2020, 07:46 AM   #11
hadaso
The "e" in e-mail
 
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 4,540
Quote:
Originally Posted by SideshowBob View Post
I meant: how is it a reduction in security when it's easily disabled.
The problem is that there are two separate functionalities here that are tied together: one is disaster recovery: if you lose all access to your account, such as when someone steals it from you and changes the password, you can contact support by some other email, and they have something they can use to verify it is you, such as calling you and talking to you and asking you questions. Another is connecting daily to your mail. You may want to use your phone for only one of these, or use different phones (such as use your office landline for disaster recovery, and your mobile for 2FA. And you might want to use a phone just for one of the two.
hadaso is offline   Reply With Quote
Old 26 Jun 2020, 08:02 AM   #12
NumberSix
Cornerstone of the Community
 
Join Date: Jan 2003
Location: The Village
Posts: 575
Quote:
Originally Posted by hadaso View Post
The problem is that there are two separate functionalities here that are tied together:
Bingo.

I would add, along these lines: I have an authenticator app registered for 2FA purposes that I use for the relatively rare times when I access from my phone using the FM app. However this 2FA method is always offered to me even when I'm logging in from a normal PC browser (it has been like that a long time, this is not part of the recent change). I would rather have them separated - having browser login limited only to hardware tokens, and the auth app used only for phone login. I realize this might bite me hard some day, when I really, really need to get into my email and don't have a token or my phone, but I'm a bit of a risk taker about such things , and like the idea of stricter security. It would be nice if we had a more granular ability to configure such things.
NumberSix is offline   Reply With Quote
Reply


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Forum Jump


All times are GMT +9. The time now is 04:26 AM.

 

Copyright EmailDiscussions.com 1998-2013. All Rights Reserved. Privacy Policy