Multiple ways in: keeping password reset secure


This is the fourth post in a mini-series about security, to mark an upcoming security upgrade to our login and authentication system. All new changes will be launching on Monday, 25th July 2016 except for the new automated account recovery tool, which will be released a few weeks later.


As explored in the previous posts, authentication is about letting you into your account while keeping everyone else out. To prove you really are who you say you are, you normally enter a password and perhaps a second factor (such as a one-time code from your phone). In the real world, though, passwords are forgotten, phones are lost or stolen, and credentials are phished and then used by spammers, which forces us to lock the account to stop the abuse.

In all of these cases we want to restore access to the rightful owner, but we have to be very careful that the recovery path does not become a back door that lets an attacker bypass the normal login process entirely. Over the years, weak recovery flows have been a common source of security holes in web services.

Following the security upgrade launching on 25 July, we will introduce a new recovery tool that lets you reset your password and regain access to your account if you get locked out. The automated process applies a consistent set of well-reviewed conditions to decide whether enough evidence has been presented to grant access, and in most cases removes the need to contact support. That makes regaining access quicker for you, and it also reduces the chance of a social engineering attack succeeding (where an attacker tries to trick our support team into handing over an account). With most legitimate cases handled automatically, any manual intervention can be restricted to senior support staff who are well aware of the dangers.

Recovery contact details

Recovering access generally requires some alternate way for us to contact you that has been verified as linked to your account. In the past you could add a single "backup" email address to your FastMail account, which we could use to help restore access. With the new security system you will be able to add more than one email address, plus one or more phone numbers. If you get locked out, we can email or SMS a code to any of your recovery contact details to help you regain access.

As always, we take your privacy very seriously and will only ever use these details to keep your account secure. We never share them with anyone else.

In addition, each account will now have a unique "Recovery Code". We recommend you write it down or print it out and keep it somewhere safe. This code can be used in the new account recovery process in place of a recovery email or phone. You can reset your recovery code in the security settings at any time if you think someone may have seen it.
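As an added illustration (not FastMail's code; this post does not describe the recovery code's format or how it is stored), here is one reasonable way to issue, store and check such a code. Because a recovery code is a credential in its own right, it is treated like a password: only a salted hash is kept, so a database leak does not hand out working codes, and the check uses a constant-time comparison. The grouped 16-character format, the PBKDF2 parameters and the `RecoveryCodeStore` class are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Assumed format for the example: four groups of four characters from an alphabet
# with no 0/O or 1/I, so the code is unambiguous when written down by hand.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # 32 symbols -> 5 bits each, 80 bits per code
PBKDF2_ITERATIONS = 100_000                     # assumed work factor


def generate_recovery_code(groups=4, group_len=4):
    """Return a fresh code such as 'K7QX-3MPA-...' (format assumed for this example)."""
    parts = ["".join(secrets.choice(ALPHABET) for _ in range(group_len))
             for _ in range(groups)]
    return "-".join(parts)


def normalise(code):
    """Users retype codes by hand: ignore case, spaces and dashes before checking."""
    return "".join(ch for ch in code.upper() if ch.isalnum())


def hash_recovery_code(code, salt=None):
    """Derive a salted hash of the normalised code. A fresh salt is drawn when none is given."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalise(code).encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class RecoveryCodeStore:
    """Per-account record of the current recovery code. Only the salt and hash are kept."""

    def __init__(self):
        self.salt, self.digest = None, None

    def rotate(self):
        """Issue a new code (e.g. the user suspects the old one was seen).
        The plaintext is returned exactly once for display; the old code stops working."""
        code = generate_recovery_code()
        self.salt, self.digest = hash_recovery_code(code)
        return code

    def verify(self, candidate):
        """True if the candidate matches the current code. Constant-time comparison
        so the check does not leak how many bytes matched."""
        if self.digest is None:
            return False
        _, digest = hash_recovery_code(candidate, self.salt)
        return hmac.compare_digest(digest, self.digest)


if __name__ == "__main__":
    store = RecoveryCodeStore()
    shown_once = store.rotate()
    print("recovery code to print:", shown_once)
    print("accepted when retyped lower-case with spaces:",
          store.verify(shown_once.lower().replace("-", " ")))
```

The store never returns the code a second time; if the user loses it, the only option is to rotate, which is the behaviour the settings page describes.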

Two-step verification and account recovery

Two-step verification is an excellent way to protect your account, and the new system makes it easy to set up and use. We've designed the new account recovery process so that if you have two-step verification enabled, recovery also requires two separate factors before we will allow access to your account, mirroring the two factors you present at a normal login.

To help make sure you don't get locked out, you must add at least one recovery phone number to your account before two-step verification can be enabled. We also strongly recommend that you print out your recovery code.
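The post does not spell out the conditions the automated process applies, so the following is an added, hypothetical policy check rather than FastMail's own rules. It treats a verified code sent to a recovery email, a verified code sent to a recovery phone, and the printed recovery code as three distinct channels; it gives no credit for evidence tied to a contact that is not actually on the account (an attacker typing in their own phone number); and it requires one channel normally but two distinct channels when two-step verification is enabled. The `Channel`, `Evidence` and `Account` names and the sample account data are made up for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Iterable, Set


class Channel(Enum):
    """Hypothetical evidence categories for this example."""
    RECOVERY_EMAIL = "recovery_email"  # one-time code sent to a verified backup address
    RECOVERY_PHONE = "recovery_phone"  # one-time code sent by SMS to a verified number
    RECOVERY_CODE = "recovery_code"    # the per-account printed recovery code


@dataclass(frozen=True)
class Evidence:
    channel: Channel
    contact: str      # address or number the code went to ("" for the recovery code)
    verified: bool    # the user entered the correct code while it was still valid


@dataclass(frozen=True)
class Account:
    recovery_emails: FrozenSet[str]
    recovery_phones: FrozenSet[str]
    two_step_enabled: bool


def verified_channels(account: Account, evidence: Iterable[Evidence]) -> Set[Channel]:
    """Distinct channels that passed their check. Failed checks are ignored, and so
    is evidence for a contact that is not registered on the account."""
    ok: Set[Channel] = set()
    for e in evidence:
        if not e.verified:
            continue
        if e.channel is Channel.RECOVERY_EMAIL and e.contact not in account.recovery_emails:
            continue
        if e.channel is Channel.RECOVERY_PHONE and e.contact not in account.recovery_phones:
            continue
        ok.add(e.channel)
    return ok


def recovery_permitted(account: Account, evidence: Iterable[Evidence]) -> bool:
    """Without two-step verification one verified channel is enough. With it, two
    *distinct* channels are required, so control of a single mailbox or phone does
    not suffice. Two codes sent to two different recovery emails still count as
    one channel, because both only prove the same kind of access."""
    required = 2 if account.two_step_enabled else 1
    return len(verified_channels(account, evidence)) >= required


if __name__ == "__main__":
    # Constructed sample account and evidence.
    acct = Account(frozenset({"backup@example.net"}), frozenset({"+15550100"}), True)
    email_ok = Evidence(Channel.RECOVERY_EMAIL, "backup@example.net", True)
    sms_ok = Evidence(Channel.RECOVERY_PHONE, "+15550100", True)
    print("email only, 2SV on:", recovery_permitted(acct, [email_ok]))
    print("email + SMS, 2SV on:", recovery_permitted(acct, [email_ok, sms_ok]))
```

Counting channels rather than individual codes is the design choice that keeps recovery at least as strong as login: an attacker who has compromised the backup mailbox cannot turn that one foothold into two factors by requesting several emails.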

A crucial time lock

Although rare, attackers sometimes manage to steal access to recovery email accounts or even phone numbers, and then use these to try to take over your account. For example, a chain of weak password reset processes at several companies allowed attackers targeting Wired reporter Mat Honan to take over his email, Twitter and even his iPhone and Mac. The best defence against this kind of attack is to enable two-step verification. But we're also adding a final layer of protection: when the password for an active account is successfully reset, we email a notification to the account itself and wait 24 hours before the new password comes into effect. The email contains links to immediately confirm or reject the password change, so in the common case where you still have access to the mailbox via your phone or another client, you don't have to wait. If the reset turns out to be an attacker's, the notification alerts the real user and gives them a chance to stop it before the new password becomes usable.

This delay saved our bacon when an attacker tried to socially engineer our registrar into giving them access to our domains, and it would have saved Mat in the attack described above. We believe the slight inconvenience in some cases is a good trade-off against the potential to prevent devastating attacks in others.
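As an added example of the time lock (not FastMail's implementation, which this post describes only in outline): a pending-reset record that leaves the current password in force, hands out separate single-use confirm and reject tokens for the notification email, and only applies the new password once the change is confirmed or the 24-hour hold has elapsed. The class names, the URLs, the use of password hashes as stand-ins for real credentials, and the assumption that the old password keeps working during the hold are all part of the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

HOLD = timedelta(hours=24)  # the 24-hour wait described in the post


def _token():
    return secrets.token_urlsafe(32)


@dataclass
class PendingReset:
    new_password_hash: str
    created_at: datetime
    confirm_token: str = field(default_factory=_token)
    reject_token: str = field(default_factory=_token)
    state: str = "pending"  # pending -> confirmed | rejected | applied


@dataclass
class AccountCredentials:
    password_hash: str                      # hash the login path currently checks
    pending: Optional[PendingReset] = None


def request_reset(account, new_password_hash, now):
    """Called once recovery has accepted the evidence. The live password is NOT
    touched yet; we record the pending change and return the confirm/reject links
    that go into the notification mailed to the account itself."""
    account.pending = PendingReset(new_password_hash, now)
    p = account.pending
    base = "https://mail.example.invalid/reset"  # hypothetical URL for the example
    return f"{base}/confirm/{p.confirm_token}", f"{base}/reject/{p.reject_token}"


def handle_link(account, token):
    """Process a click on one of the two links. Each token works only while the
    change is still pending, and the comparison is constant-time."""
    p = account.pending
    if p is None or p.state != "pending":
        return "no pending reset"
    if hmac.compare_digest(token.encode(), p.confirm_token.encode()):
        p.state = "confirmed"       # rightful owner: let it take effect now
        return "confirmed"
    if hmac.compare_digest(token.encode(), p.reject_token.encode()):
        p.state = "rejected"        # owner caught an attacker: discard the change
        account.pending = None
        return "rejected"
    return "invalid token"


def settle(account, now):
    """Apply a pending change if it has been confirmed or the hold has elapsed, and
    return the hash the login path should check right now. During the hold the
    old password keeps working (assumption), so an attacker who completed the reset
    still cannot log in, and the owner is not locked out."""
    p = account.pending
    if p is not None:
        if p.state == "pending" and now - p.created_at >= HOLD:
            p.state = "applied"
        if p.state in ("confirmed", "applied"):
            account.password_hash = p.new_password_hash
            account.pending = None
    return account.password_hash


if __name__ == "__main__":
    t0 = datetime(2016, 7, 25, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    acct = AccountCredentials("old-hash")
    confirm_url, reject_url = request_reset(acct, "new-hash", t0)
    print("one hour later, login checks:", settle(acct, t0 + timedelta(hours=1)))
    print("owner rejects:", handle_link(acct, reject_url.rsplit("/", 1)[1]))
    print("two days later, login checks:", settle(acct, t0 + timedelta(days=2)))
```

Keeping the confirm and reject tokens separate matters: if one link both showed the pending change and let the reader act on it, an attacker who could glimpse the notification (say, on a lock-screen preview) could not be distinguished from the owner. The reject path also clears the pending record entirely, so a second attempt has to go back through the full recovery process.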


Got any security questions or recommendations? Tweet us @FastMail using the hashtag #securitymatters.