Secure your account with 2-factor authentication

2-factor authentication (2FA) increases the security of your account by requiring something you have to be paired with something you know in order to log in to your account. We support 2FA with either OATH TOTP (Google Authenticator) or a YubiKey.

There are several good (and free) OATH TOTP apps available for most phones. We recommend:

If you have another type of phone, you may still be able to use TOTP. Any app that claims to support the Time-based One-Time Password (TOTP) algorithm from the Initiative for Open Authentication (OATH) as specified in RFC 6238 should work.

Note: Neither the Google Authenticator app nor our server implementation is specific to Google in any way, nor does it ever communicate with Google systems as part of its operation (or with any other systems for that matter). "Google Authenticator" is the name of Google's TOTP app, which has become synonymous with the authentication method itself.

If you wish to use a YubiKey, you can purchase one from the Yubico store.

How to set up 2-factor authentication

  1. Change your master password to something long and secure, then write it down and lock it in a safe or store it in a secure password manager, such as 1Password, LastPass or KeePass. You do not need to memorise it, and you should not use this to log in to your account in normal use. It becomes a backup code for restoring access to your account should you lose your second factor.
  2. Open the Settings → Password & Security → Alternative Logins screen. In the section at the bottom, enter the following values:
    • Friendly name: 2-factor login (or whatever else you like)
    • Login type: Select "Google Authenticator (OATH TOTP)" or "YubiKey Online + Password (2 factor)", depending on which 2nd factor you wish to use.
    • Base password: This is the password you will need to remember to log in. It needs to be reasonably secure, but memorable.
    • Yubikey value: If you selected YubiKey as your login type, this text box will appear. Click into the text box, then insert your YubiKey and press the button on it when it lights up.
    • Full access: Make sure this box is ticked.
    • Master password: Type in your master password (as set in step 1) to verify the change.
  3. Click "Create Alternative Login".
  4. If you selected "YubiKey" as your login type, you're all done. If you selected "Google Authenticator" as your login type, you will now be taken to a page with the code you need to either scan or type into the TOTP app on your phone to register your FastMail account with it.

How to log in using your 2nd factor

In the login box on our home page:

  1. Enter your username and your base password.
  2. Click the "More" link and focus the YubiKey input field.
  3. Type in your Google Authenticator code or enter your YubiKey (insert your YubiKey into a USB slot on your computer and press the button when it lights up).

For an even speedier login, you can skip step 2: just leave the cursor at the end of the password field after you've finished typing your password and add your OTP code on the end.

How to set up an email client when using 2-factor authentication

You should create a different "Regular" password on the Alternative logins screen for each device you wish to use. Again, it should be long and random, as there's no need to remember it; it should just be remembered by the device itself. If your device gets lost, stolen or otherwise compromised, you can revoke access for that password from the Alternative logins screen.

How to use 1Password for 2-factor authentication

Detailed instructions are in our guides for the FastMail iOS/Android apps and for the FastMail web client.

If my master password still works, why is this more secure?

In an ideal world, all passwords would be a secret known only to yourself. However, the more a password is used, the more exposed it is to attackers. They might try to steal it (through phishing or malware/spyware), or guess it (through repeated brute-force or dictionary attacks).

The point of 2FA is that if someone does manage to steal your normal password, they still can't use it to log into your account without the 2nd factor. So it remains safe.

But what about your master password? It doesn't have a 2nd factor, so isn't it higher risk? Yes, but since you don't use your master password day-to-day, it can't be stolen. Ideally it can't be guessed either, because you've made your master password long and truly random (you don't use it often, so you don't need to make it easy to remember). Long and truly random passwords are very difficult to guess: even if an attacker tries many, many different combinations a second, they will be stopped by our rate-limiting before they discover the password.

Now you're using 2FA, your normal high-usage password is safe and secure. Why then do we use a master password at all?

Even with 2FA, the problem remains of what to do if you lose one of your factors: you have to have some form of account recovery. There are a number of options for this, like security questions or backup codes. But these are really just back doors to your account. Backup codes are common: Google uses backup codes, as does Wordpress.

We're not particular fans of this, but realistically people need some way back into their account that can't be obtained through social engineering.

So for now, we've left it so that you keep a standard master password on your account. You can make that as long and complex as you want, and you can write it down and file it away for the day your phone/YubiKey is stolen. Because it's not in general use, not normally typed into any keyboard and not stored in any software, it's extremely unlikely to be stolen.

Having said all that, we are working on a true 2FA system with proper recovery. It's hard to get right, because we want any recovery mechanism to require 2 factors as well, while still being easy for the true account holder to use to verify themselves.

How TOTP (Google Authenticator) works

When you set up your TOTP alternative login, FastMail creates a secret code based on your username, the current time and some other random data. You import this into Google Authenticator (or other TOTP app) using the provided QR code or by entering the code manually.

Every thirty seconds, your app combines this secret key with the current time to produce a six-digit number. When you enter this number into the password field to log in, FastMail uses the secret code and its own concept of the current time to produce its own six-digit number. If your number matches ours (and the base password also matches), your login is successful.

This requires that your app and our servers have their clocks in sync. Because our servers synchronise times from the same global source that most mobile network operators use to set the time on mobile devices, it's quite rare for clocks to fall significantly out of sync. We have taken some measures to adjust for small differences in time between your authenticator app and our servers, so in practice the OTP code generated will be valid for about 90 seconds.
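To make the mechanism above concrete, here is an added Python example; it is not FastMail's code. It implements RFC 6238 TOTP over the RFC 4226 HOTP construction (HMAC-SHA1, 30-second steps, six digits, base32-encoded secret as TOTP apps expect) and a server-side check that also accepts the code for the step immediately before and after the current one. That one-step-either-side window is one way to obtain the roughly 90-second validity described above; the exact skew handling FastMail uses is not stated on the page, so the `window=1` choice, the helper names and the random-secret generator are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # RFC 6238 default time step, as used by Google Authenticator
DIGITS = 6          # six-digit codes, as described in the text


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits (zero-padded)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    now = time.time() if at is None else at
    return hotp(secret, int(now) // step)


def verify_totp(secret: bytes, code: str, at: Optional[float] = None,
                window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Server-side check (assumed design, not FastMail's). Accepts the code for
    the current step and `window` steps either side, so a code stays valid for
    about (2 * window + 1) * step seconds: 90 s for window=1. Every candidate is
    compared in constant time and the loop never exits early, so timing does
    not reveal which step matched."""
    if len(code) != DIGITS or not code.isdigit():
        return False
    now = time.time() if at is None else at
    counter = int(now) // step
    matched = False
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), code):
            matched = True
    return matched


def new_secret(nbytes: int = 20) -> bytes:
    """Fresh random shared secret (160 bits, the RFC 4226 recommended minimum).
    Assumption: the page only says the secret is derived from random data."""
    return secrets.token_bytes(nbytes)


def secret_to_base32(secret: bytes) -> str:
    """The form shown to the user or embedded in the QR code: unpadded base32."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


def secret_from_base32(text: str) -> bytes:
    """Inverse of secret_to_base32, tolerant of spaces and missing padding."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (a published test vector, not a real key)
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, at=59))                    # 287082
    print(verify_totp(rfc_secret, "287082", at=89))   # True: previous step still accepted
    print(verify_totp(rfc_secret, "287082", at=120))  # False: two steps old
    print(secret_to_base32(new_secret()))             # what a user would scan or type in
```

The window check is the part that matters operationally: a wider window makes logins tolerate worse clock drift but also lengthens the time in which a phished or shoulder-surfed code can be replayed, which is why one step either side is a common compromise.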

How a YubiKey works

A YubiKey is a small USB device that generates single-use passwords. It doesn't need any client software: you just plug it into a USB port and it acts like a USB keyboard. It has one button; when you press it, the key types out a new one-time 44-character password. It generates the one-time code by:

  1. Taking some internal values and joining them together.
  2. Encrypting that data using a shared AES key that's also stored on the Yubico server.

The internal values that are joined and encrypted include:

At FastMail, we receive the 44-character code. We check that the first 12 characters correspond with the YubiKey you've registered with your account, then we send the code on to the Yubico servers. Since they have the shared AES key, they can decrypt the values and check to make sure they are valid (e.g. the counters are all higher than their previous values, the checksum is valid, etc).
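The two halves of that flow, as an added Python example that is neither FastMail's nor Yubico's code: first the local check on the 44-character OTP (it must be modhex, the keyboard-layout-independent alphabet the key types, and its 12-character prefix must equal the registered key's public ID), then the checks a validation server performs on the 16-byte token after AES decryption (CRC integrity, the private UID, and strictly increasing counters). AES decryption itself is omitted, so the validator works on an already-decrypted token constructed here for illustration. The token field layout and CRC residual follow Yubico's published OTP format and are not taken from the page; all function names are this example's own.

```python
import hmac
import struct
from typing import Tuple

# Modhex: the 16-character alphabet the YubiKey types (value = index in string).
MODHEX_ALPHABET = "cbdefghijklnrtuv"
OTP_LENGTH = 44               # 12 chars public ID + 32 chars AES-encrypted token
PUBLIC_ID_LENGTH = 12
YUBICO_CRC_RESIDUAL = 0xF0B8  # CRC-16 over all 16 token bytes of a valid token


def is_modhex(text: str) -> bool:
    return all(ch in MODHEX_ALPHABET for ch in text)


def modhex_decode(text: str) -> bytes:
    """Two modhex characters per byte, high nibble first."""
    if len(text) % 2 or not is_modhex(text):
        raise ValueError("not a modhex string")
    nibbles = [MODHEX_ALPHABET.index(ch) for ch in text]
    return bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, len(nibbles), 2))


def split_otp(otp: str) -> Tuple[str, str]:
    """Return (public_id, encrypted_part); raise if the OTP is malformed."""
    otp = otp.strip().lower()
    if len(otp) != OTP_LENGTH or not is_modhex(otp):
        raise ValueError("malformed YubiKey OTP")
    return otp[:PUBLIC_ID_LENGTH], otp[PUBLIC_ID_LENGTH:]


def otp_belongs_to_registered_key(otp: str, registered_public_id: str) -> bool:
    """The local check described above: does the 12-char prefix match the key
    registered on the account? Only then is the OTP worth forwarding to Yubico."""
    try:
        public_id, _ = split_otp(otp)
    except ValueError:
        return False
    return hmac.compare_digest(public_id, registered_public_id.lower())


def crc16(data: bytes) -> int:
    """CRC-16 as used inside the token: reflected, polynomial 0x8408, init 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            low_bit = crc & 1
            crc >>= 1
            if low_bit:
                crc ^= 0x8408
    return crc


def build_plain_token(uid: bytes, session_counter: int, timestamp: int,
                      session_use: int, random_value: int) -> bytes:
    """Constructed 16-byte plaintext of the kind the key AES-encrypts:
    6-byte private UID, 2-byte session counter, 3-byte timestamp,
    1-byte session-use counter, 2-byte random, 2-byte CRC (little-endian).
    The stored CRC is the complement of the CRC over the first 14 bytes, so
    recomputing over all 16 bytes yields the fixed residual 0xF0B8."""
    body = (uid + struct.pack("<H", session_counter)
            + timestamp.to_bytes(3, "little") + bytes([session_use])
            + struct.pack("<H", random_value))
    return body + struct.pack("<H", crc16(body) ^ 0xFFFF)


def validate_plain_token(token: bytes, expected_uid: bytes,
                         last_counter: int, last_use: int) -> Tuple[bool, str]:
    """Validation-server checks after decryption: CRC integrity, the private UID
    matches the registered key, and (session counter, session use) is strictly
    greater than the last accepted pair, which rejects replayed OTPs."""
    if len(token) != 16:
        return False, "bad length"
    if crc16(token) != YUBICO_CRC_RESIDUAL:
        return False, "bad crc"
    uid = token[:6]
    session_counter = struct.unpack("<H", token[6:8])[0]
    session_use = token[11]
    if not hmac.compare_digest(uid, expected_uid):
        return False, "uid mismatch"
    if (session_counter, session_use) <= (last_counter, last_use):
        return False, "replayed or stale counter"
    return True, "ok"


if __name__ == "__main__":
    # Constructed values: a made-up public ID and private UID, not a real key.
    sample_otp = "ccccccccccce" + "c" * 32
    print(otp_belongs_to_registered_key(sample_otp, "ccccccccccce"))  # True
    uid = b"\x01\x02\x03\x04\x05\x06"
    token = build_plain_token(uid, session_counter=5, timestamp=0x123456,
                              session_use=1, random_value=0xBEEF)
    print(validate_plain_token(token, uid, last_counter=4, last_use=9))  # (True, 'ok')
    print(validate_plain_token(token, uid, last_counter=5, last_use=1))  # replayed
```

The prefix check is what lets the relying party reject an OTP from someone else's key before involving Yubico at all; the counter comparison is what makes the password single-use, since a captured OTP carries counters no higher than the one already accepted.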

This seems like a pain to set up. Couldn't you make it easier?

Yes, absolutely! Whilst secure and very flexible, our alternative logins system was created a long time ago and is quite convoluted. We intend to replace it with a much easier and more conventional 2FA setup later this year.