Security: no 2-step authentication for payments?

Access to email should always be protected by 2FA itself, and email makes for a possession factor… Possession of the email account. Obviously if this isn’t strong, that’s really bad. But it is 2FA.

In practice we don’t treat email as something that needs to be secured, so if you have the phone you have the email account… which underlines why it’s so important that the phone is properly protected in the first place.

I agree the PIN is enough as a second factor: you remember it, you never tell it to anyone else, and if someone has it and your phone, the Monzo app is the least of your problems…

Which is something people need to get in the habit of changing. Your email account is one of the most important assets you have to secure extremely well, as so much can be had from getting access to it.

Yeah, but it’s also too inconvenient to use 2FA for. My email is something I need to not be locked out of when I’m having trouble with my devices and need to access it from another computer.

Use FIDO U2F? That’s what I do.

Not sure what any of that means. :grimacing:

Basically, it’s a key you can use as your second factor. This Feitian one works well, and supports USB and NFC. I’ve had some corrosion issues with them, but they’re cheap and still function.

Ah, I see. Thanks, I’d never heard of this before, very interesting. However, my email is one of 3-4 things that I want/need to be able to access with just what is in my head (as in it’s one of a very few passwords I have memorised).

It’s also one of the things an attacker would most love to access. I have a code generator (TOTP) synced to multiple phones (Authy), and two FIDO U2F tokens, one in my wallet and one in my backup wallet. It’s very unlikely I’d ever not have a way to access it.

I know it’s a bit of a hassle, but nowhere near as much as cleaning up after someone gets in your email!

Do they only work on standard size USB as on PCs or do any fit the mini-USB found on phones or tablets?

I imagine they would work with an OTG adapter, but I haven’t tried. I use NFC with my phone.

I pay for an email account with Fastmail, which supports U2F and YubiKey: https://www.fastmail.com/help/account/2fa.html

I have also set up security with the Authy app. You can specify which devices don’t require two-step verification, so as to minimise inconvenience when accessing email from your home PC, say.

However, email clients, including those on mobiles, require dedicated app passwords: https://www.fastmail.com/help/clients/apppassword.html
Fastmail sets up a password just for that client, with the level of access you specify (just email, email and contacts, etc.). So if you lose your phone you simply disable that app password, which makes sure the phone can no longer access your email. NB: you cannot use your standard password; you must use these dedicated app passwords.

Authy and 2-step verification can be used on Gmail, too, but app passwords set Fastmail apart, IMHO.

Gmail has app passwords too, they’re slightly less secure. You don’t need to use them for most clients anymore, but you still can for legacy clients.

Precisely! Too many people don’t realise the importance of securing their email account. It’s a goldmine for criminals!

I made the mistake of resetting my phone once, without being logged in to Google on desktop. Took ages to get back in, as my phone was the 2FA for it :frowning:

Still, was faster than the weeks it took Apple to recover access to my account.

I’m not too trusting of email these days though. Before Christmas Microsoft accidentally terminated my brother’s email trying to fix his Xbox account. It’s now vanished completely, unrecoverable, no emails, and he can’t re-register it until that address becomes ‘available’ again.

That used to be where his PayPal, eBay, card insurance etc. were all registered. I don’t know if anyone’s ever tried to explain to a customer support rep on the phone that you have to update your email address because ‘Microsoft accidentally deleted your email account’, but they tend not to believe you. Luckily you can still request to change your contact details by post :stuck_out_tongue:

That’s one of the reasons why I pay for a Fastmail account. Email is too crucial; I don’t want to depend on someone who provides me with a ‘free’ email service and who is therefore not accountable to me!

Just going to put this here…

Absolutely agree, I think having control over your own digital self where possible is vital.

I’ve got a middle-ground approach here: my email is currently via a Google account, but it’s G Suite (formerly Google Apps) using my own domain. So in the worst-case scenario, if Google were to terminate my account mistakenly, I would retain control of my domain and could switch to an alternate provider to continue receiving emails.
