Go Back   EmailDiscussions.com > Email Service Provider-specific Forums > FastMail Forum
Old 23 Jun 2020, 11:29 AM   #1
NumberSix
Cornerstone of the Community
 
Join Date: Jan 2003
Location: The Village
Posts: 605
New 2FA changes NOT welcome!

I do not like the changes to the 2FA login that have been rolled out very recently. I hope the people at FM realize that making many different choices of 2FA method easily available drastically reduces the security provided by 2FA! We usually consider having more choices a good thing, but in this case, more choices only helps the attacker.

The best security is offered by having only a single method available, and forcing the user to respond using that method. I realize this can sometimes cause trouble for less careful people who might, e.g., have their phone as their 2nd factor, and lose the phone, making it impossible to access their email for a while until it gets straightened out. I get this. I myself (I use Yubikeys normally) have once or twice had to rely on my phone for normal PC browser login because of not having any of my keys at hand.

But the most troubling aspect of what was recently rolled out is that a new method, voice call, was added to what is now a very clear menu offering 3 different options for 2FA. This voice call thing was not there before, as far as I noticed. So now, someone trying to break into my account only needs to have access to my cell phone, to answer a voice call (which is possible without unlocking it).

I never asked for this, and don't want it! I would even be willing to move to a system where only one method is offered, and if I don't have it, I'm SOL. I like that higher level of security. I would still need the auth app method for access from my FM phone app, but there's no reason that app access vs browser access cannot be distinguished.

I suspect that this change was to "make things easier" for the Average l(U)ser, who is clueless about security and merely aggravated by anything that stands in his way when getting into email, but some of us really care about security! At the very least, you should make the menu of 2FA methods offered upon login settable in the settings, so that those of us who want more security can lock things down, and those who want more convenience can leave the defaults.

Not cool, FM. As with so many other features, if you want defaults to be appealing to Average users, at least give us power users the chance to change the defaults, even if it's buried way down deep in the settings!

Last edited by NumberSix : 23 Jun 2020 at 06:29 PM.

Old 23 Jun 2020, 12:04 PM   #2
xyzzy
Essential Contributor
 
Join Date: May 2018
Posts: 474
Quote:
Originally Posted by NumberSix
Not cool, FM. As with so many other features, if you want defaults to be appealing to Average users, at least give us power users the chance to change the defaults, even if it's buried way down deep in the settings!
Have you considered posting all that as a FM ticket?

Last edited by xyzzy : 23 Jun 2020 at 12:11 PM.
Old 23 Jun 2020, 06:28 PM   #3
NumberSix
Cornerstone of the Community
 
Join Date: Jan 2003
Location: The Village
Posts: 605
Quote:
Originally Posted by xyzzy
Have you considered posting all that as a FM ticket?
I will do that, but wanted to put it here as well.
Old 23 Jun 2020, 07:33 PM   #4
hadaso
The "e" in e-mail
 
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 4,837
Quote:
Originally Posted by NumberSix
...a new method, voice call, was added to what is now a very clear menu offering 3 different options for 2FA. ...
Where do you see this?
I haven't seen anything like this in the security setup screen, and when I try to log in I am only offered the alternative of sending an SMS code if I cannot use my Yubikey (and this is offered only after I enter the correct password). I also understand that I can remove the SMS option by removing the backup phone number from my account, but I do need the SMS option sometimes.
I wish there was another option: a printed list of one time passwords, like Google has, and like we had on FastMail before 2FA was introduced.
Old 23 Jun 2020, 07:36 PM   #5
DumbGuy
Essential Contributor
 
Join Date: Oct 2008
Posts: 212
Quote:
Originally Posted by hadaso
I wish there was another option: a printed list of one time passwords, like Google has, and like we had on FastMail before 2FA was introduced.

Agreed. I miss that option that FM used to offer.
Old 25 Jun 2020, 11:11 AM   #6
NumberSix
Cornerstone of the Community
 
Join Date: Jan 2003
Location: The Village
Posts: 605
Quote:
Originally Posted by hadaso
Where do you see this?
I haven't seen anything like this in the security setup screen, and when I try to log in I am only offered the alternative of sending an SMS code if I cannot use my Yubikey.
Maybe I mistook the SMS option for a voice call option. I still don't like it, though. In certain respects SMS may be more vulnerable than voice call, in others, less so.

Apparently this was only enabled on my account because I had my cell number recorded. And now, I can't remember why that was. I certainly wouldn't have given it to them unless there was a good reason, but can't remember now what the reason might have been (account recovery? but there are other ways to do that). I'll think about removing it.

Even reduction in security aside, it's another step I have to click my mouse through! I used to go straight from hitting enter on my p/w to pushing the button on the Yubikey, but now I have to click something else in between.

P.s. +1 for printed OTP lists. I used to use that as well.

Last edited by NumberSix : 25 Jun 2020 at 11:26 AM.
Old 25 Jun 2020, 11:23 PM   #7
somdcomputerguy
Cornerstone of the Community
 
Join Date: Jun 2004
Location: Rupert, WV
Posts: 879
Quote:
Originally Posted by hadaso
I wish there was another option: a printed list of one time passwords, like Google has, and like we had on FastMail before 2FA was introduced.
Quote:
Originally Posted by DumbGuy
Agreed. I miss that option that FM used to offer.
Quote:
Originally Posted by NumberSix
P.s. +1 for printed OTP lists. I used to use that as well.
That is certainly one thing I have to agree on with you guys.

As far as 'account security' goes (with me anyway), I use KeePass for most of my usernames, passwords (or phrases), and the related URL. Some of those usernames and links, and all of the passwords, I don't even know. A good number of sites I have in that database I only have 'bookmarked' in KeePass, with that being the only link I will use to get to that site. With my email in particular, I only access it from my laptop, and so rarely from my phone that I have considered heavily whether to delete the FM app and K-9 from it, because the space they use outweighs the benefit I get from having those programs installed.

One 'new but not new anymore' FM feature I really like is individual app passwords and their 'permission settings'. That is similar to where in my web host OPS, I can create additional and unique FTP and MySQL usernames, passwords, and 'home dir' paths.

- Bruce
Old 25 Jun 2020, 11:56 PM   #8
SideshowBob
Essential Contributor
 
Join Date: Jan 2017
Posts: 278
How is it a reduction in security? If you don't like it then remove the number in the account recovery section of settings.
Old 26 Jun 2020, 12:28 AM   #9
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,723
Quote:
How is it a reduction in security?
Having multiple different ways of getting a 2FA code provides more paths for hackers to steal them. In particular, having a phone number that is used for receiving SMS codes, calls, or as a recovery number can make your account much less secure, as has been demonstrated recently in several high-profile hacks. They SIM swap your number or simply bribe someone in the phone company, and once they have that they are in, assuming they already have your password via some other means. Though, probably this is a much smaller problem for most of us than simply having the password database hacked or our password stolen via a phishing attack. Microsoft and Google both report that using 2FA of any sort eliminates the vast majority of hacks. https://techcommunity.microsoft.com/...us/ba-p/855124
Old 26 Jun 2020, 06:24 AM   #10
SideshowBob
Essential Contributor
 
Join Date: Jan 2017
Posts: 278
I meant: how is it a reduction in security when it's easily disabled.
Old 26 Jun 2020, 07:46 AM   #11
hadaso
The "e" in e-mail
 
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 4,837
Quote:
Originally Posted by SideshowBob
I meant: how is it a reduction in security when it's easily disabled.
The problem is that there are two separate functionalities here that are tied together. One is disaster recovery: if you lose all access to your account, such as when someone steals it from you and changes the password, you can contact support by some other email, and they have something they can use to verify it is you, such as calling you and talking to you and asking you questions. Another is connecting daily to your mail. You may want to use your phone for only one of these, or use different phones (such as using your office landline for disaster recovery and your mobile for 2FA). And you might want to use a phone just for one of the two.
Old 26 Jun 2020, 08:02 AM   #12
NumberSix
Cornerstone of the Community
 
Join Date: Jan 2003
Location: The Village
Posts: 605
Quote:
Originally Posted by hadaso
The problem is that there are two separate functionalities here that are tied together:
Bingo.

I would add, along these lines: I have an authenticator app registered for 2FA purposes that I use for the relatively rare times when I access from my phone using the FM app. However, this 2FA method is always offered to me even when I'm logging in from a normal PC browser (it has been like that a long time; this is not part of the recent change). I would rather have them separated - having browser login limited only to hardware tokens, and the auth app used only for phone login. I realize this might bite me hard some day, when I really, really need to get into my email and don't have a token or my phone, but I'm a bit of a risk taker about such things, and like the idea of stricter security. It would be nice if we had a more granular ability to configure such things.
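As an added illustration of the two points the thread converges on (the login is only as strong as the weakest method the screen offers, and the recovery phone should be a separate thing from login factors), here is a small policy model. This is example code, not FastMail's; the method names, the strength ranking and the two policies are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed ranking of the second-factor methods discussed in the thread.
# Phone-delivered codes (SMS, voice) are ranked lowest because the number can be
# SIM-swapped; a hardware key is ranked highest. Higher value = stronger factor.
STRENGTH = {"sms": 1, "voice": 1, "totp": 2, "u2f": 3}

# Two assumed per-client menu policies. "Convenience" offers every enrolled method
# everywhere; "locked down" is what NumberSix asks for: hardware key only in a
# browser, authenticator app only in the mobile app.
CONVENIENCE: Dict[str, Set[str]] = {"browser": set(STRENGTH), "mobile_app": set(STRENGTH)}
LOCKED_DOWN: Dict[str, Set[str]] = {"browser": {"u2f"}, "mobile_app": {"totp"}}


@dataclass
class Account:
    enrolled: Set[str]                    # factors the user has actually set up
    allowed: Dict[str, Set[str]]          # per-client menu policy
    recovery_phone: Optional[str] = None  # for support-assisted recovery only;
                                          # deliberately never consulted by login


def login_menu(acct: Account, client: str) -> List[str]:
    """Methods the login screen may offer this client, strongest first.

    Only the intersection of the client's allowed set and the user's enrolled
    factors is shown; recovery_phone plays no part, so keeping a number on file
    for recovery does not silently add a phone-based login path.
    """
    menu = acct.allowed.get(client, set()) & acct.enrolled
    return sorted(menu, key=lambda m: (-STRENGTH[m], m))


def effective_strength(acct: Account, client: str) -> Optional[int]:
    """Strength of the login is bounded by the weakest offered method, because
    an attacker who already has the password picks the easiest one. None means
    this client cannot complete 2FA at all (the 'SOL' case the thread accepts)."""
    menu = login_menu(acct, client)
    return min(STRENGTH[m] for m in menu) if menu else None


def remove_phone_from_login(acct: Account) -> None:
    """Drop phone-delivered factors from login while keeping the recovery number."""
    acct.enrolled -= {"sms", "voice"}


if __name__ == "__main__":
    a = Account({"u2f", "totp", "sms"}, CONVENIENCE, recovery_phone="+1-555-0100")  # constructed
    print(login_menu(a, "browser"), effective_strength(a, "browser"))   # sms drags it to 1
    a.allowed = LOCKED_DOWN
    print(login_menu(a, "browser"), effective_strength(a, "browser"))   # u2f only -> 3
```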