FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.
1 Sep 2016, 06:35 PM | #271
Cornerstone of the Community
Join Date: Jun 2008
Location: Perth
Posts: 664
1) Yes, the scanner emails scans, thus the App p/w.
2) The specific message in my case was not SMTP. It was specifically an IMAP login, unlike the previous poster, who had the SMTP login notice. Anyhow, thanks for your suggestions. But I am fine regarding finding the cause.
1 Sep 2016, 06:36 PM | #272
Cornerstone of the Community
Join Date: Jan 2003
Location: Oxfordshire, UK
Posts: 603
1 Sep 2016, 07:06 PM | #273
Cornerstone of the Community
Join Date: Jun 2008
Location: Perth
Posts: 664
1 Sep 2016, 07:10 PM | #274
Cornerstone of the Community
Join Date: Jan 2003
Location: Oxfordshire, UK
Posts: 603
1 Sep 2016, 07:20 PM | #275
Junior Member
Join Date: Jul 2014
Posts: 12
Problems with alternative logins
Quote:
John
18 Sep 2016, 07:15 AM | #276
The "e" in e-mail
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 4,856
Alternative passwords still work for logging in, but the session is not limited as it used to be (for example: now I can permanently delete using an "empty link" when logged in with an alternative password that used to not allow permanent deletion).
6 Oct 2016, 07:42 AM | #277
The "e" in e-mail
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 4,856
Quote:
I ordered a Yubikey about a month ago, but it still hasn't arrived, and I really don't like that the "thing I have" would be the same device that stores my master password (that is, my phone that runs the Fastmail app). I also prefer the reliability of paper...
12 Oct 2016, 05:07 AM | #278
Essential Contributor
Join Date: Dec 2008
Location: Canada
Posts: 312
U2F for Firefox close at hand
Some encouraging 2FA news on the browser front, via Yubico:
Google’s Chrome browser has long been the lone platform for U2F, but that has changed. The Opera browser (version 40) began supporting U2F in late September 2016. In addition, Mozilla hopes to wrap up in late 2016 U2F support in the Firefox browser with features on parity with Google’s U2F implementation. In fact, the two have been consulting on this work with each other and the Yubico engineering team. In addition, Mozilla plans to eventually support the WebAuthn APIs being developed by the World Wide Web Consortium (W3C) for secure browser log in. Those APIs also factor into a more complete FIDO strong authentication ecosystem. Microsoft’s Edge browser also will support those APIs when they are finalized (projected early 2017).
https://www.yubico.com/2016/07/over-...rce=newsletter
October 10 update
12 Oct 2016, 05:43 AM | #279
The "e" in e-mail
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,095
The big question: can Apple finally be persuaded to join the FIDO initiative? Up until now, they seem determined to try to push their proprietary security solutions instead.
12 Oct 2016, 01:03 PM | #280
Senior Member
Join Date: Apr 2014
Posts: 166
I've been meaning to post about this for quite a while but the new system really seems to be a security downgrade for some perfectly good use cases.

First, as others have mentioned, SMS is no longer considered a secure authentication channel. So Fastmail's suggestion of registering a phone number for purposes of password reset just opens an attack vector. Anyone who finds out the phone number can request a reset, intercept the incoming SMS message, and pwn my Fastmail account. SMS is useless and enrolling a phone number sounds like a bad idea.

TOTP is reasonable except that the smartphones running most TOTP apps are themselves bundles of malware (I don't use a smartphone and hopefully never will). The Yubikey is yet another electronic gadget containing secrets, and requires a USB port, something absent from many devices like tablets and phones. Also it claims to implement TOTP but I don't see any evidence that it has a hardware RTC (e.g. the nano version looks too small to have a battery inside). If it's getting the time from a remote server, it can be fooled into giving a future authentication code, and (if it requires the remotely supplied times to increase monotonically) it can be bricked by a malicious remote server. Plus it's expensive.

The old, printed OTP system worked really well. 99% of the time I use Fastmail from my personal laptop with hopefully ok security, logging in with a password. The other 1% is from totally untrusted devices: e.g. I'm travelling and need to check a message from a kiosk, somebody's phone, or something like that. The printed OTP was great for that. I never had to give up a re-usable secret. Yubikey (if I were willing to buy it) often wouldn't work in that situation (USB....) and it would only be usable as a second factor one time. Because the master password must be considered compromised as soon as you enter it in an untrusted device, the only factor left is the Yubikey or TOTP, which means you're back to 1-factor authentication. The printed OTP was also good because I don't like travelling with electronics due to airport security, customs, etc. liking to examine the contents. The printed OTP on a slip of paper (Post-it sized) is much less likely to get examined, and before check-in for a return flight I could rip it up and throw it away, removing the possibility of interception. No way I want to do that with a $50 yubikey or a smart phone.

I tried to concoct some scheme with app passwords where the application would auto-disable its own password after being used once, but that seems to require the master password. The security page seems to allude to a challenge-response scheme in the Fastmail mobile app. Is that documented so I can implement it in my own app? (That app would run on a server since I don't use mobiles). Another idea is to have an automated IMAP client with an app password pulling my email off of Fastmail every few minutes, but if I'm reading mail from my own server, Fastmail isn't doing that much for me.

Most of all I'm bothered by Fastmail calling something a security improvement when it's actually a regression. When they got rid of SMS they straightforwardly said it wasn't worth supporting any more, which was ok (except maybe for Premier account holders who had paid for a lot of SMS expecting to use it). They didn't say "we've increased our capabilities by getting rid of SMS". Anyway I guess I'll research how the 2-factor stuff works. TOTP is very simple but I don't know about U2F and so on.

Last edited by paul29 : 12 Oct 2016 at 04:01 PM.
12 Oct 2016, 03:16 PM | #281
Essential Contributor
Join Date: Oct 2008
Posts: 212
@paul29 - Thanks for chiming in on this topic.
Quote:
Because the master password must be considered compromised as soon as you enter it in an untrusted device
Yes, this particularly bothers me as well. Regarding printed OTP... What do you think of this workaround I suggested?
12 Oct 2016, 03:56 PM | #282
Senior Member
Join Date: Apr 2014
Posts: 166
Quote:
Another silly thing I see: before you can even activate 2FA, fastmail wants to send you a recovery code by (insecure) SMS and they advise you to write it down. But of course you have to treat it as compromised the minute they send it to you, so it's better to log in, delete the recovery code right away, and generate a new one.

I notice also that U2F uses elliptic curve signatures with the NIST P256 curve, which some people think might be backdoored by the NSA (there's no concrete evidence for this, but no way to disprove it either). The NIST curves are also very difficult to implement properly so I'd hope there's been an external code audit of the Yubikey device. And the low cost Yubikey ($18, still not that cheap) is a big unit like a memory stick that you can't just leave in the port when transporting a laptop.

I might go for a software implementation. I don't understand why they got rid of the printed OTP that worked perfectly well with much less technical complexity everywhere in the system.
12 Oct 2016, 04:14 PM | #283
Essential Contributor
Join Date: Oct 2008
Posts: 212
Probably the usual reason many software companies remove good features in upgraded releases -- low usage of the removed feature, so not worth their effort/time/resources to continue upgrading and maintaining the feature in the context of an upgraded platform.
12 Oct 2016, 04:15 PM | #284
The "e" in e-mail
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,095
Quote:
12 Oct 2016, 05:47 PM | #285
Senior Member
Join Date: Apr 2014
Posts: 166
Quote:
I don't want to do complex development for this--too much work and too many parts to go wrong. I'm thinking of a simple web app (20 line python cgi) that accepts a one-time password from a printed list like Fastmail used to, and sends back a TOTP code.

Do you know you can get a dedicated server in France for 3 euro a month (scaleway.com)? I have one of those for unrelated purposes, so it might be a reasonable place to host this thing since it could be sure of keeping the TOTP key in ram instead of it possibly getting written to disk and leaking from there. There'd have to be a secondary server as well. I'll think about this.

Last edited by paul29 : 13 Oct 2016 at 01:21 AM.
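As an added illustration of the scheme paul29 sketches in #285 (a server that accepts one code from a printed list and answers with the current TOTP value), and of the "TOTP is very simple" remark in #280, here is a minimal model written for this page. It is not Fastmail's code and not paul29's CGI; the class and function names, the printed list, and the use of the RFC 6238 Appendix B test seed are all constructed for the example. The server keeps the TOTP seed and only salted digests of the printed codes in process memory, consumes each printed code on first use so a code typed into an untrusted kiosk cannot be replayed later, and returns the RFC 6238 code for the current time step.

```python
"""
Added example (not from the forum post or from Fastmail): RFC 4226 HOTP,
RFC 6238 TOTP, and a one-time "printed list" gate in front of the TOTP seed.
"""
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional

# RFC 6238 Appendix B reference seed (ASCII "12345678901234567890"), used here
# only so the generator can be checked against the published test vectors.
RFC6238_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP over the number of whole time steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits, algo)


def make_printed_list(n: int = 10, digits: int = 8) -> List[str]:
    """Constructed paper list: n cryptographically random codes to print and carry."""
    return [str(secrets.randbelow(10 ** digits)).zfill(digits) for _ in range(n)]


class PrintedListGate:
    """
    Server side of the one-time-list scheme (hypothetical, for illustration).

    Only a salted SHA-256 digest of each printed code is stored, so a copy of
    the gate's state does not reveal the codes themselves. Each printed code
    is accepted at most once; a replay of a consumed code is rejected.
    """

    def __init__(self, totp_seed: bytes, printed_codes: List[str]):
        self._seed = totp_seed                   # held in process memory only
        self._salt = secrets.token_bytes(16)
        self._unused = {self._digest(c) for c in printed_codes}
        self.used = 0

    def _digest(self, code: str) -> bytes:
        return hashlib.sha256(self._salt + code.encode()).digest()

    def remaining(self) -> int:
        return len(self._unused)

    def redeem(self, printed_code: str, now: Optional[int] = None) -> Optional[str]:
        """Consume one printed code and return the current TOTP code, or None if rejected."""
        digest = self._digest(printed_code)
        match = None
        for stored in self._unused:              # compare every entry in constant time
            if hmac.compare_digest(stored, digest):
                match = stored
        if match is None:
            return None
        self._unused.discard(match)              # one-time: this code is now spent
        self.used += 1
        if now is None:
            now = int(time.time())
        return totp(self._seed, now)


if __name__ == "__main__":
    codes = make_printed_list(3)
    gate = PrintedListGate(RFC6238_SEED, codes)
    print("first use:", gate.redeem(codes[0]))   # a 6-digit code
    print("replay:", gate.redeem(codes[0]))      # None
    print("codes left:", gate.remaining())       # 2
```

The generator is exercised against the RFC 6238 Appendix B vectors (8-digit SHA-1 codes for the reference seed). The gate only addresses the replay of a printed code; the trustworthiness of the server's clock, which paul29 raises for the Yubikey, applies equally to any host computing TOTP, and the seed is still a reusable secret that must be protected wherever it lives.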