Fastmail not taking security seriously?

About three years ago I figured I’d had enough Google-control of my online communication and was looking for an alternative email provider. A friend of mine recommended Fastmail, which seemed like a good solution: great web interface, Android app, and the possibility of using an address from my own domain.

I signed up and have been using Fastmail since (with a redirect from my Gmail address). The service has had some small issues (mainly the Android app being anything but “fast”), but overall I’ve been a happy customer.

Yesterday I figured out that I wanted to test 1password, moving away from LastPass after the recent security issues. In this process I decided to use the “generate password” functionality in 1password to set a new, strong password for my Fastmail account. Before I did that I made sure to set the “Account Recovery” email and phone number, so that if I made an error I would still be able to access my email.

And I was right. Indeed I made an error. I copied the generated password from 1password and pasted it into the change password dialog on Fastmail. This logged me out, and then I managed to copy something else, removing the password from my clipboard. Then I managed to do something stupid in the 1password app, and my generated, 30-character, completely random password was lost. I had managed to lock myself out of my email account! Stupid! But hey, I have a recovery email, right?

So I headed to the “Lost password” screen and typed in my Gmail address (to which I had received a confirmation mail from Fastmail 10 minutes before).

Then I got the message:

The existing email address you entered was not for an existing user, or was for an account that has been disabled. Please try again

What?! Ok, after re-trying 5-6 times I had to open a ticket and provide a lot of information to regain access by a manual process. In the ticket I wrote:

Thanks for the verification details.
I have now set your backup email address to:
*****@gmail.com

And I’m back in. Hooray! But I’m still wondering why the recovery email I entered did not work, so I’m asking:

Wasn’t my backup email set, or were there some problems regarding this feature? I am quite sure that I set my backup email yesterday.

The reply to this confused me:

Looks like the backup email address was not set. We then set it from our end and it worked for you. Please let me know if you need any further assistance.

After some back and forth I find out why:

Did you set this address from the Password & Security screen? If that is the case, you had set the “Recovery email address”. This is currently different from the backup email. Backup email can be set from the backend only.

And the password reset can be done using the backup email address only. The recovery process through recovery email address is not yet released into production. So I am afraid it will not work as of now.

What the actual, flying, fuck? The “Password & Security screen” is a frontend for some code that does not work? It presents itself as a way of setting a recovery mail, while it actually does nothing? The situation seems to have been like this for about 8 months, as this page from July 2016 clearly states:

Add your mobile phone number(s) and backup email address to the recovery options on the Password & Security screen. If you get locked out, we can use this to help verify your identity and restore access to your account.

I did express these concerns, and the reply I got was:

I really understand your frustration. I am sorry about that. I will pass your feedback to our supervisors.

We hope to implement the recovery procedure very soon.

But who knows? If they’ve been delaying this for 8 months now, I’m not confident that this will be fixed anytime soon, and that the “Password & Security screen” will continue to be a non-functioning, misleading page that does nothing but confuse the users. If the information isn’t used, don’t give the user the impression that it will. I can understand that not everything can be implemented at once, but have the balls to admit it, don’t lie to me. And about security issues? This is talentless!

So, to recap: The “Password & Security screen” of Fastmail is a sham. The information entered there is not used. In order to regain access to your account if you lose your password you have to have a “backup email”. This backup email is not the same as the “recovery email”. The backup email has to be set by Fastmail staff.

3 thoughts on “Fastmail not taking security seriously?”

  1. Ryan

    What happened when you tried resetting through SMS? I work at Thexyz Webmail and SMS authentication is the only option to reset a password, for the reason that many people do not have a secondary email address.

  2. Atle Post author

    Resetting through SMS was not an option. It’s the same as with the recovery email. You are able to enter it in the settings, but it won’t be used for actual recovery.

  3. Ryan

    They must get flooded with password reset requests to do this manually. The automated mechanism took over 12 months of development for us to complete, so I think that 8 months working on this is not unreasonable.
