EmailDiscussions.com  

Old 22 Nov 2014, 03:56 AM   #1
rrangel
Junior Member
 
Join Date: Oct 2013
Posts: 8
Add support for U2F Security Key

It would be great to see FastMail support the new U2F standard. https://www.yubico.com/products/yubi...-security-key/.

Raul

Old 22 Nov 2014, 09:50 AM   #2
ioneja
Cornerstone of the Community
 
Join Date: Jul 2011
Posts: 713
agreed +1!
Old 26 Nov 2014, 01:47 AM   #3
pjwalsh
Essential Contributor
 
Join Date: Dec 2008
Location: Canada
Posts: 312
It should be noted only the Chrome browser supports the U2F Security Key. Adding support in Firefox has non-trivial challenges.
https://bugzilla.mozilla.org/show_bug.cgi?id=1065729
Old 26 Nov 2014, 02:50 AM   #4
rblon
Essential Contributor
 
Join Date: Jun 2009
Posts: 340
Related question: does Fastmail support 2FA using a token that is non-USB (and not a smartphone)? E.g. a token that generates a number when you press a button, or where the number gets refreshed every 30 seconds.
Old 26 Nov 2014, 04:43 AM   #5
pjwalsh
Essential Contributor
 
Join Date: Dec 2008
Location: Canada
Posts: 312
Quote:
Originally Posted by rblon View Post
Related question: does Fastmail support 2FA using a token that is non-USB (and not a smartphone)? E.g. a token that generates a number when you press a button, or where the number gets refreshed every 30 seconds.
FastMail supports OATH-TOTP (aka Google Authenticator), for which there are any number of implementations. If the token is OATH-TOTP based, you can use it on FastMail.

https://www.fastmail.com/help/account/2fa.html

--
The token/app has to have the ability to import the secret code FastMail generates for your account, as described in the help link.

Last edited by pjwalsh : 26 Nov 2014 at 04:54 AM.
Old 27 Nov 2014, 03:24 AM   #6
rblon
Essential Contributor
 
Join Date: Jun 2009
Posts: 340
Quote:
Originally Posted by pjwalsh View Post
The token/app has to have the ability to import the secret code FastMail generates for your account, as described in the help link.
I also think such a token makes sense, but I have never been able to find where I can buy it. If you know, would you mind posting a link?
Old 27 Nov 2014, 04:06 AM   #7
danieldk
Essential Contributor
 
Join Date: Mar 2014
Posts: 212
Background article:
https://lwn.net/Articles/607652/
Old 27 Nov 2014, 05:33 AM   #8
pjwalsh
Essential Contributor
 
Join Date: Dec 2008
Location: Canada
Posts: 312
Quote:
Originally Posted by rblon View Post
does Fastmail support 2FA using a token that is non-USB (and not a smartphone)? E.g. a token that generates a number when you press a button, or where the number gets refreshed every 30 seconds.
The hardware token generator I'm familiar with is the Symantec VIP Security Token sold for eBay and PayPal 2FA, but they wouldn't work as a TOTP generator for FastMail.

If you're willing to buy a hardware token for the purpose of 2FA FastMail login, you'd be better off getting a YubiKey. The price would be comparable, and the security better. A YubiKey can be used for LastPass as well. https://www.yubico.com/products/yubi...are/yubikey-2/

You specify 'not a smartphone'. If you carry a cell phone which is J2ME capable (most are), here is a simple OATH-TOTP Java app that will serve the purpose, without you having to buy something new. I've used it. https://code.google.com/p/lwuitgauthj2me/

https://en.wikipedia.org/wiki/Google_Authenticator
https://en.wikipedia.org/wiki/Securi..._device_tokens

Last edited by pjwalsh : 27 Nov 2014 at 06:11 AM.
Old 27 Nov 2014, 02:02 PM   #9
rblon
Essential Contributor
 
Join Date: Jun 2009
Posts: 340
Quote:
Originally Posted by pjwalsh View Post
If you're willing to buy a hardware token for the purpose of 2FA FastMail login, you'd be better off getting a YubiKey. The price would be comparable, and the security better.
But YubiKey only works with USB, right? That is quite a limitation for me (often I don't have access to the USB port, or there isn't any, e.g. on an iPad).
So the question remains if there is a non-USB, non-smartphone token that is compatible with FastMail?
Old 27 Nov 2014, 09:58 PM   #10
pjwalsh
Essential Contributor
 
Join Date: Dec 2008
Location: Canada
Posts: 312
Quote:
Originally Posted by rblon View Post
But YubiKey only works with USB, right? That is quite a limitation for me (often I don't have access to the USB port, or there isn't any, e.g. on an iPad).
So the question remains if there is a non-USB, non-smartphone token that is compatible with FastMail?
I answered that, 3rd paragraph. And if you are using an iPad, there are OATH-TOTP apps.
Old 27 Nov 2014, 11:41 PM   #11
rharha
Senior Member
 
Join Date: Oct 2013
Posts: 100
If you don't log in too often, SMS passwords (0.12 USD per SMS) are worth considering as well.
Old 28 Nov 2014, 04:44 AM   #12
rblon
Essential Contributor
 
Join Date: Jun 2009
Posts: 340
Quote:
Originally Posted by pjwalsh View Post
I answered that, 3rd paragraph. And if you are using an iPad, there are OATH-TOTP apps.
Tricky if you want to check your email on someone else's iPad...
Also I consider a "J2ME capable cellphone" a smartphone. On my old-school phone (with >2 weeks battery life) I cannot install (Java) apps.
Anyway, if someone knows an OATH-TOTP compatible token, I would be interested to hear about it.
Old 30 Nov 2014, 04:59 AM   #13
danieldk
Essential Contributor
 
Join Date: Mar 2014
Posts: 212
So, got a Yubico U2F USB stick. Tested with Google Apps, works terrific! Much nicer than TOTP, and probably more secure (since a smartphone compromise would compromise TOTP and could compromise a password database, compared to a secure element in the U2F key).
Old 30 Nov 2014, 01:08 PM   #14
PON
Essential Contributor
 
Join Date: Mar 2002
Location: Wicklow, Ireland
Posts: 449
The YubiKey NEO doesn't necessarily need USB. It supports NFC and MIFARE.
Old 2 Dec 2014, 02:57 AM   #15
pjwalsh
Essential Contributor
 
Join Date: Dec 2008
Location: Canada
Posts: 312
Quote:
Originally Posted by danieldk View Post
So, got a Yubico U2F USB stick. Tested with Google Apps, works terrific! Much nicer than TOTP, and probably more secure (since a smartphone compromise would compromise TOTP and could compromise a password database, compared to a secure element in the U2F key).
Yubico may soon be offering a version combining their OTP (YubiKey Standard, compatible with FastMail and LastPass) and U2F (Security Key, currently only Google+Chrome). They've just done a holiday promo run of such dual-use keys (not to be confused with the Neo, a bit pricey @ $50).

https://www.yubico.com/2014/11/speci...n-living-color
- the tri-colour set with the cross emblem on the disc is the OTP+U2F key

All times are GMT +9.