Two-factor (SMS) authentication now easier for businesses/families

Rob Mueller – 7 August 2009

For over a year now, FastMail has supported two-factor authentication via SMS and one-time passwords. As a quick reminder, the way this works is:

  1. A user creates a new login password via the Options –> Alternative Logins page
  2. For a “one-time” alternate password, the user is shown a screen of one-time passwords that they print out. Each time they want to log in, they use one password from that list and cross it out, because it can’t be used again
  3. For an “sms” alternate password, the user logs in with that password, and a one-time password is then sent to the user’s phone (the mobile number configured for the default personality on the Options –> Personalities screen), which they use to complete the login

This is especially useful for people travelling and using Internet Cafes or kiosks that they don’t necessarily trust, and which might be infected with keyboard logging trojans that steal passwords. With a one-time or SMS password, each password can only be used once, so a captured copy is useless to the attacker: by the time a keylogger has recorded it, it has already been spent.

Additionally, for extra security, the alternate logins can be set up as “restricted logins”. When using a restricted login, no emails or files can be deleted, so even if a hacker somehow hijacks your session, they can’t delete or damage any email or files in your account.

While these features are very useful from a security standpoint, one-time passwords require some pre-planning to print out and carry around the password list, and SMS passwords require purchasing SMS credits in your account.

For businesses and families, we’ve now made SMS passwords easier to use: only the business/family has to buy SMS credits, and any user in the family/business can then draw on those credits to have an SMS password sent to them. This feature has to be enabled for the business/family on the Manage –> Business/Family Preferences screen via the Allow SMS two-factor logins preference.

So the detailed steps to make this work are:

  1. An administrator of the business/family has to log in, go to the Manage –> Business/Family Preferences screen, and enable the Allow SMS two-factor logins checkbox. After doing this, a new Buy SMS Credits option appears on the Business/Family screen and in the sidebar
  2. The administrator then purchases SMS credits via the Manage –> Buy SMS Credits screen
  3. Each user who wants to use an SMS login then logs in to their own account, goes to Options –> Personalities and sets the Mobile number on their default personality, and then goes to Options –> Alternative Logins and creates an SMS Password, which they can then use to log in and trigger an SMS password to be sent to their phone
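The mechanics described above (the printed one-time list, the two-step SMS login, restricted sessions, and the shared business/family credit pool that a user draws on when the administrator has enabled it) as an added Python model. This is example code written for this page, not FastMail’s implementation: the class and method names, the 8-character one-time password format, the 6-digit SMS code and its 5-minute lifetime, the rule that a texted code is discarded after one attempt, the fallback to the user’s own credits when the pool is disabled or empty, and the outbox list standing in for a real SMS gateway are all assumptions.

```python
import hmac
import secrets
import string
import time

# Example model for this page; not FastMail's code. All names and limits below are assumptions.
OTP_ALPHABET = string.ascii_lowercase + string.digits  # assumed alphabet for printed passwords
OTP_LENGTH = 8                                          # assumed length of a printed password
SMS_CODE_TTL = 300                                      # assumed lifetime of a texted code, seconds


def _eq(a, b):
    """Constant-time comparison of two secret strings."""
    return hmac.compare_digest(a.encode(), b.encode())


class BusinessOrFamily:
    """Shared settings from Manage -> Business/Family Preferences."""

    def __init__(self, allow_sms_two_factor=False, sms_credits=0):
        self.allow_sms_two_factor = allow_sms_two_factor
        self.sms_credits = sms_credits


class Account:
    def __init__(self, primary_password, mobile=None, group=None, now=time.time):
        self._primary = primary_password
        self.mobile = mobile        # mobile number of the default personality
        self.group = group          # BusinessOrFamily, or None for a standalone account
        self.sms_credits = 0        # the user's own SMS credits
        # Alternate passwords are kept in clear here for readability; a real system hashes them.
        self.alternates = {}        # alternate password -> {"kind": "onetime"|"sms", "restricted": bool}
        self.otp_unused = set()     # printed one-time passwords not yet crossed out
        self.pending_sms = None     # (alternate password, code, expiry) while a code is outstanding
        self.sms_outbox = []        # constructed stand-in for the SMS gateway: (number, code)
        self._now = now             # injectable clock so expiry can be exercised

    # Options -> Alternative Logins
    def create_onetime_list(self, count=10, restricted=True):
        """Generate the list the user prints out; every entry works exactly once."""
        passwords = ["".join(secrets.choice(OTP_ALPHABET) for _ in range(OTP_LENGTH))
                     for _ in range(count)]
        for p in passwords:
            self.alternates[p] = {"kind": "onetime", "restricted": restricted}
        self.otp_unused.update(passwords)
        return passwords

    def create_sms_login(self, password, restricted=True):
        """Register a reusable alternate password that triggers the SMS step."""
        self.alternates[password] = {"kind": "sms", "restricted": restricted}

    def _charge_sms_credit(self):
        """Spend one credit from the business/family pool if enabled, else from the user's own."""
        if self.group is not None and self.group.allow_sms_two_factor and self.group.sms_credits > 0:
            self.group.sms_credits -= 1
            return True
        if self.sms_credits > 0:
            self.sms_credits -= 1
            return True
        return False

    def login(self, password, sms_code=None):
        """Return a session dict on success, {"status": "sms_sent"} after the first SMS step, or None."""
        if _eq(password, self._primary):
            return {"status": "ok", "restricted": False}
        entry = self.alternates.get(password)
        if entry is None:
            return None
        if entry["kind"] == "onetime":
            if password not in self.otp_unused:
                return None                    # already spent: a replayed keylogged copy fails
            self.otp_unused.discard(password)  # "cross it out"
            return {"status": "ok", "restricted": entry["restricted"]}
        # SMS alternate: the first call texts a code, the second call checks it
        if sms_code is None:
            if self.mobile is None or not self._charge_sms_credit():
                return None                    # no number on the default personality, or no credits
            code = f"{secrets.randbelow(10 ** 6):06d}"
            self.pending_sms = (password, code, self._now() + SMS_CODE_TTL)
            self.sms_outbox.append((self.mobile, code))
            return {"status": "sms_sent"}
        pending, self.pending_sms = self.pending_sms, None   # one attempt per texted code
        if pending is None:
            return None
        pend_pw, code, expiry = pending
        if pend_pw != password or self._now() > expiry or not _eq(code, sms_code):
            return None
        return {"status": "ok", "restricted": entry["restricted"]}


def delete_message(session, mailbox, msg_id):
    """Restricted sessions can read mail but may not delete anything."""
    if session["restricted"]:
        raise PermissionError("restricted login: deletion is not allowed")
    mailbox.remove(msg_id)
```

The two behaviours worth checking on your own implementation are the ones the post relies on: a one-time password that has been used must fail on replay, and a restricted session must be refused at the deletion call itself rather than only in the user interface, so a hijacked session cannot reach a delete path the menus hide.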