How to keep your account more secure with 2FA

Product

This is the fifteenth post in the 2017 FastMail Advent series. The previous post investigated why FastMail doesn't support multiple billing accounts for a single custom domain. The next post reminds you about the power of organising your mail with rules.


Last year we talked about the importance of keeping your email account secure and we thought it would be a good time to revisit some of this important information, especially as the volume of mail increases as we stare down another holiday season!

Just having a password isn’t enough

In today’s electronic environment only having a password is not enough to keep your FastMail account secure.

Some of you might be asking how could this be? Surely that’s what my password is for?

Unfortunately online fraud is more prevalent than ever, and criminals may guess weak passwords or use more dubious means, such as phishing, to get around stronger ones.

Note: Make sure you don’t use the same password across different accounts. Put more simply: make sure you’re using a different password for your FastMail account to that of your banking or social media accounts.

So what can I do to help keep my account safe?

One of the best ways to secure your FastMail account is with something known as two-step verification or 2FA (it’s also called two-factor authentication).

If you’ve never heard of 2FA before, don’t be put off by the seemingly technical term – we’re here to help!

Using two-step verification means an attacker can't get into your account using just your password. If they don't have your verification device as well, they will be locked out.

So let’s look at what this actually means in just two steps:

Step 1 – Your password

The first step for securing your account is through your account password. Make sure you have a unique password for your FastMail account. Our interface will make sure your password is sufficiently strong.

You can also use a password manager so you don’t have to remember the password; it can generate a long random password for you that nobody could guess. Just as importantly, a password manager fills in a password only on the exact site address (URL) it was saved for, so a look-alike site pretending to be FastMail (or your bank) gets nothing. We recommend 1Password or LastPass.

Step 2 – Something you have

The second step is to then combine your password with something you have to enable two-step verification, or 2FA, on your account.

What do we mean by 'something you have'?

Most of us have a mobile phone these days, and it can be your second step if you install an authenticator app. These apps are free and generate a short one-time code from a secret that is set up when you enable 2FA; the code changes every 30 seconds (the TOTP standard), so a code an attacker happens to see is useless moments later.

If you’ve set up 2FA with an authenticator app you’ll be prompted to manually type in a code from the app when logging into your account.

With FastMail you can also choose to receive SMS codes on your phone (you may already have used this method with other services such as your bank). As with the authenticator app, you’ll be prompted to type the SMS code when logging into your account. SMS is a big improvement on a password alone, but it is the weakest of the options here: an attacker who takes over your phone number can receive your codes, so prefer an authenticator app or security key where you can.

Note: you’ll need to use an authenticator app if you’re using the FastMail app on your iOS/Android device.

The other ‘something you can have’ is a physical security key. This is a small device designed specifically for 2FA; it usually plugs into a USB port on your laptop or computer.

We’ve tested a variety of different security keys, and any key that supports "U2F" should work. We do recommend YubiKey, as in our experience these have the best build quality, a slim profile and are reliable; you can buy one from the Yubico store.

You can also use a standalone one-time password (OTP) hardware token. We've tested with Feitian c200 devices, but any device implementing the TOTP standard should work.

What else do I need to know about setting up 2FA on my FastMail account?

Before you can enable 2FA, you must add a recovery phone to your account.

This prevents you from being locked out of your account should you ever lose access to your main verification device: you can have a code sent to that phone instead to complete your second step when you log in.

It is good practice to also add a recovery email to your account. This can be a backup account you own, or someone else you trust with your email who you would like to be able to gain access in the event of an emergency.

We strongly recommend making a note of your recovery code. If you forget your password or lose your security device(s), you can use the recovery code to reset your password and restore access to your account. Write it down or print it out and keep it somewhere safe!

Of course, in an ideal world, all passwords would be a secret, known only to yourself. But the more a password is used, the more exposed it becomes to malicious attackers.

The point of 2FA is that if someone does manage to steal your password, they still can't use it to log into your account without your verification device.

Two-step verification means a stolen password on its own is not enough to get in, which in turn helps protect your stored mail and your identity in the online world.