Ask HN: Fastmail 2fa via Google Authenticator useless?

[outerspace]

Fastmail supports 2fa via Google Authenticator (and alike). However, according to their documentation:

"Before you can enable two-step verification, you must add a recovery phone to your account. This is to prevent you from being locked out of your account should you ever lose access to your main verification device. You get a code sent to your phone instead to complete your second step when you log in."

Doesn't this defeat the purpose of having Google Authenticator (or any other 2fa app)? If I understand this correctly, they seem to be switching back to SMS 2fa if the authenticator fails.

[nmjenkins]

(I designed the FastMail 2FA system)

Short answer to your question: no.

We are concerned with both keeping other people out of your account and making sure you still have access to your account.

For most users, the risk of losing their authenticator token or security device and so getting locked out of their own account is greater than the risk of someone hijacking their phone number. This is why we require you to add a recovery phone first.

It's very important to note that if you have 2FA enabled at FastMail we always require two factors to access or recover your account. Hijacking your phone is not enough: the attacker would still need to have also stolen your password. And hijacking your phone number is a very visible move, which you will quickly notice. In the highly public cases we've seen of this kind of attack over the last few years, I believe in every one the attacker has not had the password, and has only succeeded because they could gain access to the account with SMS alone.

For advanced users you can remove the recovery phone at FastMail after setting up 2FA. If you do this, I strongly recommend you write down your recovery code and store this somewhere safe and set up at least two different authentication mechanisms.

[troydavis]

It's not just FastMail. Most other 2FA-enabled sites (including Google) offer and recommend providing a phone number as a delivery method for a onetime code.

The 2nd factor is only as secure as to the weakest delivery method, though, so defining a phone number does make that factor subject to porting and SS7 attacks. Most sites offered text message backup codes before those attacks had been seen in the wild, but they're probably also stuck with a lot of users who didn't write down their recovery codes.

There's no good recovery option with a large userbase. The closest is Delegated Recovery (https://m.facebook.com/notes/protect-the-graph/improving-acc...) but GitHub and Facebook are among the few, if not the only, implementors. Without that, eventually someone will lose or break their phone, realize Authenticator TOTP keys weren't in backups, realize they ignored the instructions to save the backups, and go to support.

As long as you actually do print and securely store the backup codes, I think there's a good argument for not giving your phone number as a backup method.

[md_]

One point not mentioned by others here:

In the case where recovery entails a required password change and the site imposes some password history--the common case, though I don't know if this is true of Fastmail--the real account holder is guaranteed to notice if a recovery event happens, whereas ordinary password+SMS-interception may not be noticed.

So, yes, for the most part this is as weak as SMS second-factor--but it's less likely to go undiscovered by the real user.

[alltakendamned]

Not really in my opinion, the threat model becomes different.

2 factor authentication is used to avoid attacks when your credentials/password are lost/leaked/stolen. Many people reuse their password or have a weak password. Having 2FA enabled also improves protection against brute force attacks It does not take into account the threat of having your phone stolen or an SMS intercepted.

So as an attacker, you still need the login/password/phone combination to authenticate. The phone can be replaced by an intercepted SMS, while it has been shown it can be done, I wouldn't call it easy. There is no way to update the phone number while not authenticated and Fastmail requires a second password confirmation before updating anything in password settings.

When you lose the password, now the attacker needs the phone or needs to intercept an SMS. When you lose the phone, the attacker still needs to bypass the lock screen and know the username/password of the Fastmail account.

What would you suggest to improve this? Recovery via email is no good as email can be intercepted as easy as SMS and a phone call is no good as that can be social engineered.

It's pretty much OK in my book, you simply shouldn't think that 2FA means there's zero risk.

[guillaume8375]

It’s true you must give Fastmail a phone number to set up 2FA, but you can erase the phone number once 2FA is in place.

[mtgx]

It does.