Secure your account with 2-factor authentication

2-factor authentication (2FA) increases the security of your account by requiring something you have to be paired with something you know in order to log in to your account. We support 2FA with either OATH TOTP (Google Authenticator) or a YubiKey.

There are several good (and free) OATH TOTP apps available for most phones. We recommend:

If you have another type of phone, you may still be able to use TOTP. Any app that claims to support the Time-based One-Time Password (TOTP) algorithm from the Initiative for Open Authentication (OATH) as specified in RFC 6238 should work.

Note: Neither the Google Authenticator app nor our server implementation is specific to Google in any way, nor does it ever communicate with Google systems as part of its operation (or with any other systems for that matter). "Google Authenticator" is the name of Google's TOTP app, which has become synonymous with the authentication method itself.

If you wish to use a YubiKey, you can purchase one from the Yubico store.

How to set up 2-factor authentication

  1. Change your master password to something long and secure, then write it down and lock it in a safe or store it in a secure password manager, such as 1Password, LastPass or KeePass. You do not need to memorise it, and you should not use this to log in to your account in normal use. It becomes a backup code for restoring access to your account should you lose your second factor.
  2. Open the Advanced → Alternative Logins screen. In the section at the bottom, enter the following values:
    • Friendly name: 2-factor login (or whatever else you like)
    • Login type: Select "Google Authenticator (OATH TOTP)" or "YubiKey Online + Password (2 factor)", depending on which 2nd factor you wish to use.
    • Base password: This is the password you will need to remember to log in. It needs to be reasonably secure, but memorable.
    • Yubikey value: If you selected YubiKey as your login type, this text box will appear. Focus the text box, then insert your YubiKey and press the button on it when it lights up.
    • Full access: Make sure this box is ticked.
    • Master password: Type in your master password (as set in step 1) to verify the change.
  3. Click "Create Alternative Login".
  4. If you selected "YubiKey" as your login type, you're all done. If you selected "Google Authenticator" as your login type, you will now be taken to a page with the code you need to either scan or type in to the TOTP app on your phone to register your FastMail account with it.

How to log in using your 2nd factor

In the login box on our home page:

  1. Enter your username and your base password.
  2. Click the "More" link and focus the YubiKey input field.
  3. Type in your Google Authenticator code or enter your YubiKey (insert your YubiKey into a USB slot on your computer and press the button when it lights up).

For an even speedier login, you can skip step 2: just leave the cursor at the end of the password field after you've finished typing your password and add your OTP code on the end.

How to set up an email client when using 2-factor authentication

You should create a different "Regular" password on the Alternative logins screen for each device you wish to use. Again, it should be long and random, as there's no need to remember it; it should just be remembered by the device itself. If your device gets lost, stolen or otherwise compromised, you can revoke access for that password from the Alternative logins screen.

If my master password still works, why is this more secure?

Presuming your master password is sufficiently long and truly random (and given you don't need to remember it, there's no reason it can't be), there's no way someone will be able to just guess it, even if they try many, many different versions a second (which would soon get stopped by our rate-limiting anyway).

The whole point of 2FA is that if someone manages to steal your normal password through phishing or malware, they still can't use it to log in to your account without the 2nd factor. Since you never use the master password day-to-day, this can never be stolen. Most sites generate a "backup code" for you automatically to recover from a lost 2nd factor, just like the master password works at FastMail.

How TOTP (Google Authenticator) works

When you set up your TOTP alternative login, FastMail creates a secret code based on your username, the current time and some other random data. You import this into Google Authenticator (or other TOTP app) using the provided QR code or by entering the code manually.

Every thirty seconds, your app combines this secret key with the current time to produce a six-digit number. When you enter this number into the password field to log in, FastMail uses the secret code and its own concept of the current time to produce its own six-digit number. If your number matches ours (and the base password also matches), your login is successful.

This requires that your app and our servers have their clocks in sync. Because our servers synchronise times from the same global source that most mobile network operators use to set the time on mobile devices, it's quite rare for clocks to fall significantly out of sync. We have taken some measures to adjust for small differences in time between your authenticator app and our servers, so in practice the OTP code generated will be valid for about 90 seconds.

How a YubiKey works

A YubiKey is a small USB device that generates single-use passwords. It doesn't need any client software: you just plug it into a USB port and it acts like a USB keyboard. It has one button, which, when pressed, types a new one-time 44-character password.

It generates the one-time code by:

  1. Taking some internal values and joining them together.
  2. Encrypting that data using a shared AES key that's also stored on the Yubico server.

The internal values that are joined and encrypted include:

At FastMail, we receive the 44-character code. We check that the first 12 characters correspond to the YubiKey you've registered with your account, then we send the code on to the Yubico servers. Since they hold the shared AES key, they can decrypt the values and check that they are valid (e.g. the counters are all higher than their previous values, the checksum is valid, etc.).
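The local public-ID check and the hand-off to Yubico described above, as an added example that is not FastMail's code. The 16-character ModHex alphabet, the 12 + 32 character split and the signed request/response format (alphabetically sorted key=value pairs, HMAC-SHA1, Base64) are Yubico's OTP format and validation protocol 2.0 as I know them, not details from this page; the OTP, client id, nonce and API key are constructed placeholders.

```python
import base64
import hashlib
import hmac

MODHEX = "cbdefghijklnrtuv"  # YubiKey's ModHex alphabet: same keys on any keyboard layout

def modhex_decode(text: str) -> bytes:
    """Decode ModHex; raises ValueError on anything a YubiKey would never have typed."""
    if len(text) % 2 or any(c not in MODHEX for c in text):
        raise ValueError("not ModHex")
    nib = [MODHEX.index(c) for c in text]
    return bytes(hi << 4 | lo for hi, lo in zip(nib[::2], nib[1::2]))

def split_otp(otp: str):
    """A YubiKey OTP is 44 ModHex chars: 12-char public ID + 32 chars (16-byte AES block)."""
    otp = otp.strip().lower()
    if len(otp) != 44:
        raise ValueError("YubiKey OTP must be 44 characters")
    modhex_decode(otp)  # validates the alphabet; only the Yubico server can decrypt the block
    return otp[:12], otp[12:]

def local_precheck(otp: str, registered_public_id: str) -> bool:
    """First step on the relying party: does the OTP come from the key registered on the account?"""
    try:
        public_id, _ = split_otp(otp)
    except ValueError:
        return False
    return hmac.compare_digest(public_id.encode(), registered_public_id.lower().encode())

def sign(params: dict, api_key: bytes) -> str:
    """Validation protocol 2.0 signature: HMAC-SHA1 over sorted k=v pairs (excluding h), Base64."""
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "h")
    return base64.b64encode(hmac.new(api_key, msg.encode(), hashlib.sha1).digest()).decode()

def build_request(client_id: str, otp: str, nonce: str, api_key: bytes) -> dict:
    """Parameters the relying party sends on to the validation server, signed with its API key."""
    params = {"id": client_id, "otp": otp, "nonce": nonce}
    params["h"] = sign(params, api_key)
    return params

def response_is_valid(response: str, sent_otp: str, sent_nonce: str, api_key: bytes) -> bool:
    """Check the server's reply: signature, echoed OTP and nonce, and status OK, so a spoofed
    or replayed reply cannot be mistaken for a successful verification."""
    fields = dict(line.split("=", 1) for line in response.splitlines() if "=" in line)
    if not hmac.compare_digest(fields.get("h", "").encode(), sign(fields, api_key).encode()):
        return False
    return (fields.get("otp") == sent_otp and fields.get("nonce") == sent_nonce
            and fields.get("status") == "OK")
```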

This seems like a pain to set up. Couldn't you make it easier?

Yes, absolutely! Whilst secure and very flexible, our alternative logins system was created a long time ago and is quite convoluted. We intend to replace it with a much easier, and more usual, 2FA setup later this year.