FastMail Forum
17 Dec 2020, 04:23 PM | #1
The "e" in e-mail
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 4,856
Which security key
After losing my Yubikey, and then a few days after having my phone sent to be repaired, I'm looking to buy a new security key, and perhaps more than one so I have at least one for backup, and perhaps some more for other family members. The real question is: which one.
The old one that I lost (fell off my keyring) was one of the more expensive ones from Yubico. I probably got this one because Firefox didn't support U2F back then, and I thought I'd use the NFC capability (I never did). So I wonder if I really need something like the Yubikey 5 NFC that costs $45 (the cheapest in the Yubikey 5 line) and what benefit it provides over the $25 Security Key NFC by Yubico, if at all, to a FastMail user. Or perhaps there are cheaper comparable alternatives that people here would recommend? Also, I would want to use the same security key for some other services (like Google account, Dropbox, domain registrar etc.), but without it reducing the security of my Fastmail account (such as with using the same password).
17 Dec 2020, 07:55 PM | #2
Master of the @
Join Date: Feb 2017
Location: USA
Posts: 1,744
You can use your Android phone as the security key too! https://support.google.com/accounts/...DAndroid&hl=en
17 Dec 2020, 11:55 PM | #3
The "e" in e-mail
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,095
18 Dec 2020, 05:34 AM | #4
Master of the @
Join Date: Feb 2017
Location: USA
Posts: 1,744
18 Dec 2020, 05:26 PM | #5
The "e" in e-mail
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
Personally I keep a copy of each QR code stored in a secure KeePass database; that way if I lose my phone or the app becomes corrupted, I can scan the code I've stored in KeePass, and I'm up and running again. I suppose you could put the KeePass database on a USB flash drive, and stick that in a safe . . .
18 Dec 2020, 07:58 PM | #6
Master of the @
Join Date: Feb 2017
Location: USA
Posts: 1,744
General comment not specific to this question, but I have found there are some serious problems with how 2FA is handled with many companies. First is that no matter how great the security of the 2FA method there is often a much simpler and easier to hack method to circumvent the 2FA due to the fact that people get locked out all the time. For example, some companies will send an SMS code or email instead of the 2FA method, so it seems to me you are only getting the security level of the least secure alternate method of entry. Second is that there is a very likely chance you will get locked out of your own account due to bugs in the system or errors on your part. I nearly lost my Google account because I changed a phone number and Google would only send codes to my old number. Even though I had the alternate methods set up, including email, prompts on my phone, and one-time codes, Google would not present those alternatives to me. They would only send codes to the old phone number I no longer used. The third problem is just plain inconvenience. I have found that Yubikey code entry seems to fail as often as it works, and some systems just don't like them. Then you can lose the key like you did. Or your phone breaks. Or the key breaks. Etc.
Edit: one additional problem cropped up recently for me. I changed a password on my phone. Stored it in my password manager. The phone would no longer accept either the new password or the old one and I was completely locked out. I am 100% certain I had the correct new and old passwords, but nothing worked. I ended up doing a factory reset on the phone. That indicates to me that sometimes there can just be a glitch in any system that can mean you might lose an important account, and 2FA indicates more points of tech failure. For example, one time when I flew from the US to Australia my 2FA codes would not work for some reason.
I ended up locked out of everything even though I had the correct codes and the authenticator app on my phone. I ended up having to call back to the USA to get someone to look up my one-time codes stored in a safe location.
Last edited by TenFour : 18 Dec 2020 at 08:05 PM.
19 Dec 2020, 07:29 AM | #7
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
Bill
19 Dec 2020, 10:29 PM | #8
Essential Contributor
Join Date: Jan 2017
Posts: 278
Even if the phone works on wall time internally (possibly Windows phones did) that still isn't going to make the UTC time wrong. In order to get an incorrect UTC time you would need to turn off automatic time updates and manually set a time that isn't correct for the timezone.
Last edited by SideshowBob : 19 Dec 2020 at 10:44 PM.
19 Dec 2020, 10:35 PM | #9
Master of the @
Join Date: Feb 2017
Location: USA
Posts: 1,744
My guess as to why the authenticator codes didn't work is that during the long flight across the Pacific Ocean the phone was not connected to the Internet, and then when I landed I didn't have Internet access for a while because I needed to purchase a local SIM and get access. So, my guess is that the time on the phone was slightly off from UTC, therefore generating incorrect codes, meaning I couldn't log in to my secure accounts. Also, complicating things was that both Microsoft and Google decided that since I was not logging in from a normal location something nefarious must be up and they locked me out. They would only let me back in if I could respond to an email or text message sent to my phone, which I couldn't do because I didn't have phone service either. Even when I did have phone service it was a different number, so SMS codes were no good. Of course I was on a business trip and not being able to access everything for a day was a huge pain. In any case, this was a lesson to me that one needs to take special precautions if you travel a lot and want to use Google and Microsoft services.
20 Dec 2020, 10:48 AM | #10
Intergalactic Postmaster
Join Date: May 2004
Location: Irving, Texas
Posts: 8,929
As far as I can tell from the research I performed before my earlier post in this thread, a common issue is the phone's time not being properly synchronized after changing time zones. See:
https://support.google.com/accounts/..._topic=2954345
https://www.guidingtech.com/fix-goog...orking-iphone/
20 Dec 2020, 04:57 PM | #11
The "e" in e-mail
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 4,856
Of course I can use an authentication app on my phone with no need for Bluetooth, and it would provide the same level of security as using it with Bluetooth. Actually my main question is if there is any value for a Fastmail + several popular services (e.g. Google, Dropbox) user in the more expensive line of Yubikey security keys, or if there's nothing I would miss if I buy their cheaper line, or if there are security keys from other sources that are cheaper and people are satisfied with. Of course the descriptions of the products list lots of features and protocols supported only by the more expensive line, but I don't understand the technical terms enough to know if any of this is useful. With the old key I just followed Fastmail's setup instructions and then used it, and never added any other service because I was not sure if it might interfere or compromise the security of the setup with FastMail.
5 Jan 2021, 03:52 PM | #12
Junior Member
Join Date: Feb 2012
Posts: 13
Of course, in case I lose any device, to protect the credentials, on all my devices the password manager itself is behind two levels of security: whole-device encryption, and the password manager's own password.
Back story: I rejected Google Authenticator when I read reviews that it would not sync to other devices (though it does now), so I used Authy for a while. For multi-device access, I originally tried to set up MFA on web sites on Authy for each device separately, but realized that was a mistake because setting up the second device invalidated the first. Next I fixed that by using Authy's sync feature (one MFA authorization synced to phone, tablet, and Mac). But when I discovered that my password manager supports MFA, I went to that right away because it is the fastest way to both set up MFA (it reads the QR setup code) and enter username, password, and MFA with the least number of mouse clicks/keystrokes. It can LAN sync (no cloud) the credentials among my devices, so MFA is easily used on my phone too. I still securely keep the one-time emergency codes for any website I set up MFA on, but since it is unrealistic (and possibly quite insecure) to expect to pack a printed list of MFA codes into luggage for travel in case of device loss or failure, all I have to do now is travel with at least two devices out of my phone, tablet, or laptop and I will be able to use MFA with a secured backup available. There is one financial account that uses a hardware key, and I hate it because I am not taking that key everywhere, and it is never quite where I want to use it.
5 Jan 2021, 07:30 PM | #13
Master of the @
Join Date: Feb 2017
Location: USA
Posts: 1,744
General comment on security. I think all of us, myself included, suffer from worrying about the wrong things a lot of the time. For example, the idea of a security key ignores the very real problem of losing the key/keys or the even more likely scenario of leaving the key plugged into a computer you were using. In the end if something isn't convenient enough people won't use it, and that lessens security. I think of it this way: how often have you lost your car or house keys? That's what is likely to occur with your security key.
10 Jan 2021, 01:07 PM | #14
Cornerstone of the Community
Join Date: Jan 2003
Location: The Village
Posts: 616
10 Jan 2021, 01:17 PM | #15
Cornerstone of the Community
Join Date: Jan 2003
Location: The Village
Posts: 616
Final bit of advice: I use a "mini S-biner" to attach mine to my keyring... allows it to go on and off the ring very easily for use. Highly recommended! You can probably find them at your local home improvement/hardware store.
Last edited by NumberSix : 10 Jan 2021 at 01:39 PM.