Gmail to FastMail
October 12, 2014
Hacks Prompt U.S. to Establish New Cybersecurity Agency
February 10, 2015

FastMail 2-Factor Authentication Unimpressive

I migrated to FastMail from Gmail a few weeks ago and I’ve been very happy with the service. Today I decided to dive in to enable 2-Fator Authentication (2fa) found FastMail 2-Factor Authentication Unimpressive.

FastMail allows users to enable 2fa in order to better protect their accounts, which is fantastic. The disappointment here is that even with 2fa enabled, you can still log into account with single factor username/password. This is due to the password recovery process for 2fa. If you enable 2fa, you have two options to log into your account:

  1. password1 with 2fa (“alternative logon”)
  2. password2 (“master password”)

The presumption here is that when a user enables 2fa, they will set password2 to something very long and complex because they don’t have to remember it (not likely), they can then use their normal crappy password and 2fa. Lame, but let’s go with it.

I’m a huge fan of LastPass. My average password length is something like 20 random characters with all options (letters, numbers, symbols, etc). In this scenario, enabling 2fa on FastMail does absolutely nothing for me because I can always log into my account with password2 (single factor). The whole point of 2fa is to *always* require 2fa.

This could be a relatively easy fix for FastMail, at least for “family/business” accounts. These accounts automatically have a second account called “masteruser_*familyname*.” The folks at FastMail could simply switch both users to administrative accounts with real 2fa. If the user cannot log in for whatever reason they can simply use the other account. At least here all accounts are actually protected by 2fa.

You might ask why I worry about 2fa when I have a 20 character random password. Mostly, computers are fast. Brute-forcing passwords is not too difficult of a task these days as we’ve seen in several recent breaches. In addition to the 2fa not being sufficient, I don’t see any sort of account lockouts. I literally just used the wrong password 20 times in approximately 30 seconds to test this and was still able to login without issue on try 31 with the correct password. There doesn’t appear to be any throttling of login attempts or failed password lockouts (or notifications thereof). If these options do exist, I’m not finding them in either the user-level configuration nor the family/business administrator configuration.

With this level of “security,” and being a security person myself, I’m hard-pressed to stay with FastMail. The are slightly cheaper than several other vendors and I’ve been very happy with them overall, but this is a pretty big gap in functionality in my opinion.

Leave a Reply

Your email address will not be published. Required fields are marked *