For over a year now, FastMail has supported two-factor authentication via SMS and one-time passwords. As a quick reminder, the way this works is:

  1. A user creates a new login password via the Options ->
    Alternative Logins page
  2. For a “one-time” alternate password, the user is shown a screen of
    one-time passwords they have to print out. Then each time they want
    to log in, they use one of the passwords off that list, and cross it
    out because it can’t be used again
  3. For an “sms” alternate password, the user logs in with that
    password, and then a one-time password is sent to the user’s phone
    (as configured on the Options -> Personalities screen for the
    default personality) that they can use to log in

This is especially useful for people travelling and using Internet cafes or kiosks that they don’t necessarily trust, and that might be infected with keyboard-logging trojans that steal passwords. With a one-time or SMS password, the password can only be used once and is thus useless if stolen.
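The single-use property described above, as an added sketch that is not FastMail's code: a server keeps only salted digests of the printed list and removes a digest on first successful use, so a code captured by a keylogger fails on replay. The class name, code length and hashing parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets


class OneTimePasswordList:
    """Server-side state for one printed list of single-use passwords (hypothetical)."""

    def __init__(self, count=20):
        self._salt = secrets.token_bytes(16)
        codes = set()
        while len(codes) < count:  # guarantee distinct codes on the sheet
            codes.add(secrets.token_hex(4))
        # Plaintext is shown to the user once for printing; only digests are kept.
        self.printable = sorted(codes)
        self._unused = {self._digest(code) for code in self.printable}

    def _digest(self, code):
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self._salt, 100_000)

    def verify_and_consume(self, attempt):
        """Return True once per valid code; any replay of that code returns False."""
        candidate = self._digest(attempt.strip().lower())
        match = None
        for stored in self._unused:
            if hmac.compare_digest(stored, candidate):  # constant-time comparison
                match = stored
        if match is None:
            return False
        self._unused.remove(match)  # "cross it out": a captured copy is now useless
        return True

    def remaining(self):
        return len(self._unused)


def replay_demo():
    """Constructed scenario: a login at an untrusted kiosk, then a replay."""
    otp_list = OneTimePasswordList(count=5)
    code = otp_list.printable[0]
    first = otp_list.verify_and_consume(code)   # legitimate login
    replay = otp_list.verify_and_consume(code)  # keylogger reuses the captured code
    return first, replay, otp_list.remaining()


if __name__ == "__main__":
    print(replay_demo())
```

Short codes like these also need rate limiting on failed attempts, which this sketch leaves out.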

Additionally, for extra security, the alternate logins can be set up as “restricted logins”. When using a restricted login, no emails or files can be deleted, so even if somehow a hacker hijacks your session, they can’t delete or damage any email or files in your account.

While these features are very useful from a security standpoint, the one-time passwords require some pre-planning to print out and carry around the one-time password list, and the SMS passwords require purchasing SMS credits in your account.

For businesses and families, we’ve now made the SMS passwords easier to use. Now only the business/family has to buy SMS credits, and then any user in the family/business can use those credits to have an SMS password sent to them. This feature has to be enabled for the business/family on the Manage -> Business/Family Preferences screen via the Allow SMS two-factor logins preference.

So the detailed steps to make this work are:

  1. An administrator of the business/family has to log in, go to the
    Manage -> Business/Family Preferences screen and enable the
    Allow SMS two-factor logins checkbox. After doing this, a new
    Buy SMS Credits option will appear on the Business/Family screen
    and in the sidebar
  2. Then the administrator has to purchase SMS credits via the
    Manage -> Buy SMS Credits screen
  3. Each user that wants to use an SMS login then has to log in to their
    own account and go to Options -> Personalities and set the
    Mobile number on their default personality, and then go to
    Options -> Alternative Logins and create an SMS Password
    which they can then use to log in and trigger an SMS password to be
    sent to their phone