FastMail supports using a Google Authenticator client (or more generally, an OATH TOTP client) to log in to your account via the web interface.
To set up a Google Authenticator login, go to Advanced, then Alternative Logins, and create a new Google Authenticator alternative login.
On the login page, enter your password into the password field, followed immediately by the numeric code shown in your Google Authenticator client.
We've tested our Google Authenticator support with the official Google Authenticator clients for iOS and Android, and recommend those. You should note that neither the Google Authenticator client itself nor our server implementation is specific to Google in any way, and neither ever communicates with Google systems as part of its operation (or any other systems, for that matter). "Google Authenticator" is the name of Google's client implementation, which has become synonymous with the authentication method itself.
Because this authentication method is an open standard, you'll find clients available for most other platforms. Any client that claims to support the Time-based One Time Password (TOTP) algorithm from the Initiative for Open Authentication (OATH) as specified in RFC 6238 should work.
When you set up your Google Authenticator alternative login, FastMail creates a secret code based on your username, the current time and some other random data. You import this into your Google Authenticator client (or other TOTP client) using the provided QR code or by entering the code manually.
Every thirty seconds, your client combines this secret key with the current time to produce a six-digit number. When you enter this number into the password field when you log in, FastMail uses the secret code and its own concept of the current time to produce its own six-digit number. If your number matches ours (and the base password also matches), your login is successful.
This requires that your client and our servers have their clocks in sync. Because our servers synchronise times from the same global source as most mobile network operators use to set the time on mobile devices, it's quite rare for clocks to fall significantly out of sync. We have taken some measures to adjust for small differences in time between the Authenticator client and our servers, so in practice the OTP numbers generated will be valid for about 90 seconds.
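
The check described above, sketched in Python as an added example (not FastMail's server code): RFC 6238 TOTP with HMAC-SHA1, a password field split into base password and trailing six-digit code, and a tolerance of one 30-second step either side. That tolerance is an assumption chosen to match the roughly 90-second validity mentioned above; the function names, the sample secret and the plaintext password comparison are illustrative.

```python
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per time step
DIGITS = 6   # length of the numeric code
WINDOW = 1   # assumption: accept one step either side (about 90 s in total)

# Constructed sample data: the RFC 6238 test secret and a made-up password.
SAMPLE_SECRET = b"12345678901234567890"
SAMPLE_PASSWORD = "hunter2"


def totp(secret: bytes, at: float) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second step containing `at`."""
    counter = struct.pack(">Q", max(int(at), 0) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def split_login(field: str):
    """Split 'password immediately followed by code' into (password, code)."""
    password, code = field[:-DIGITS], field[-DIGITS:]
    if not password or len(code) != DIGITS:
        return None
    if not (code.isascii() and code.isdigit()):
        return None
    return password, code


def verify(field: str, expected_password: str, secret: bytes, now=None) -> bool:
    """Accept the login only if both the base password and the code match."""
    now = time.time() if now is None else now
    parts = split_login(field)
    if parts is None:
        return False
    password, code = parts
    # Simplification: a real server compares against a stored password hash.
    ok_pw = hmac.compare_digest(password.encode(), expected_password.encode())
    ok_code = False
    for drift in range(-WINDOW, WINDOW + 1):  # tolerate small clock differences
        candidate = totp(secret, now + drift * STEP)
        ok_code |= hmac.compare_digest(candidate, code)  # constant-time compare
    return ok_pw and ok_code
```

Evaluating every step in the window and comparing in constant time keeps the check from revealing which part of the login failed through timing.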