I saw this in a recent newsletter from fastmail.fm, and went for a further look. It's good to see that, among the welter of webmail providers all eager to sell you convenience and free disk space, there is at least one which is thinking seriously about ways to mitigate risk for an increasingly mobile user population.
The options aren't necessarily new. One, for instance, is to get a list of random numbers to use as one-time passwords (OTPs). Users of German online banking systems will have been familiar with this for years in the form of TANs, or Transaction Authentication Numbers. In some TAN implementations a PIN is also required; in the fastmail implementation they have added a "base password" that must be supplied alongside the number, so that a lost or copied list is useless on its own.
Clearly, there are those who will not find it convenient to carry a piece of paper around with them just in case they want to check their webmail (paper... it's just so...biological...); for them, there's the option of an out-of-band OTP sent to your phone as an SMS.
The fastmail folks have also come up with some other sensible options. For instance, if you have authenticated using a one-time password, the default session length comes down to one hour, after which you have to re-authenticate (normally their default is to log off inactive sessions after a couple of hours). There's also an option to make a number of housekeeping and administrative functions inaccessible to any session that was authenticated with a one-time password, which limits the damage if one of the numbers is read over your shoulder or captured on an untrusted machine.
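To make the mechanics concrete, here is an added, stand-alone model of the server side of such a scheme. It is not fastmail's code (the post describes behaviour, not implementation): the user name, the action names in the restricted set, the two-hour password-session figure, the eight-digit number format and the deliberately low KDF iteration count are all assumptions made for the example. It shows the three properties discussed above: the list numbers are single-use, a number is worthless without the base password, and an OTP-authenticated session gets a shorter lifetime and cannot reach the housekeeping actions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Assumed policy values (the post gives "one hour" and "a couple of hours";
# the exact two-hour figure and the restricted action names are this example's).
OTP_SESSION_SECONDS = 60 * 60
PASSWORD_SESSION_SECONDS = 2 * 60 * 60
RESTRICTED_ACTIONS = frozenset({"change_password", "change_forwarding", "delete_account"})

# Kept low so the example runs quickly; a real deployment would use far more.
KDF_ITERATIONS = 10_000


def _derive(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so neither passwords nor list numbers are stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, KDF_ITERATIONS)


def _now(now: Optional[float]) -> float:
    return time.time() if now is None else now


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    base_hash: bytes
    otp_hashes: list  # one digest per printed number; set to None once that number is spent


@dataclass
class Session:
    user: str
    via_otp: bool
    expires_at: float


class OtpListAuth:
    """Server side of a printed one-time-password list protected by a base password."""

    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}

    def enrol(self, user: str, password: str, base_password: str, count: int = 10) -> list[str]:
        """Create the account and return the list the user prints; it is shown only once."""
        salt = secrets.token_bytes(16)
        otps = [f"{secrets.randbelow(10**8):08d}" for _ in range(count)]
        # Mix the list position into the salt so two equal numbers never share a digest.
        otp_hashes = [_derive(o, salt + i.to_bytes(2, "big")) for i, o in enumerate(otps)]
        self._accounts[user] = Account(salt, _derive(password, salt), _derive(base_password, salt), otp_hashes)
        return otps

    def login_password(self, user: str, password: str, now: Optional[float] = None) -> Optional[Session]:
        """Ordinary login: full-length session with no functional restrictions."""
        acct = self._accounts.get(user)
        if acct is None or not hmac.compare_digest(acct.password_hash, _derive(password, acct.salt)):
            return None
        return Session(user, False, _now(now) + PASSWORD_SESSION_SECONDS)

    def login_otp(self, user: str, base_password: str, otp: str, now: Optional[float] = None) -> Optional[Session]:
        """OTP login: base password AND an unused list number, in any order, each number once."""
        acct = self._accounts.get(user)
        if acct is None:
            return None
        # The base password is what protects a lost or copied list.
        if not hmac.compare_digest(acct.base_hash, _derive(base_password, acct.salt)):
            return None
        # Check every unspent slot without an early exit, then spend the match.
        matched = None
        for i, digest in enumerate(acct.otp_hashes):
            if digest is not None and hmac.compare_digest(digest, _derive(otp, acct.salt + i.to_bytes(2, "big"))):
                matched = i
        if matched is None:
            return None
        acct.otp_hashes[matched] = None  # single use: a replayed number fails from here on
        return Session(user, True, _now(now) + OTP_SESSION_SECONDS)

    def remaining_otps(self, user: str) -> int:
        return sum(1 for d in self._accounts[user].otp_hashes if d is not None)


def authorize(session: Session, action: str, now: Optional[float] = None) -> bool:
    """Expired sessions are refused; OTP sessions are also kept away from housekeeping actions."""
    if _now(now) >= session.expires_at:
        return False
    if session.via_otp and action in RESTRICTED_ACTIONS:
        return False
    return True


if __name__ == "__main__":
    auth = OtpListAuth()
    printed_list = auth.enrol("alice", "long-password", "base-pw", count=5)  # constructed sample account
    s = auth.login_otp("alice", "base-pw", printed_list[2])
    print("OTP login ok:", s is not None, "| can read mail:", authorize(s, "read_mail"),
          "| can change password:", authorize(s, "change_password"))
    print("replay of same number ok:", auth.login_otp("alice", "base-pw", printed_list[2]) is not None)
```

The two things worth noticing are that the OTP check runs through every unspent slot rather than stopping at the first hit, so timing does not reveal which position matched, and that the session carries how it was authenticated, which is what lets the authorization step treat an OTP login differently from a password login.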
All in all, in these days where convenience is supposed to be the be-all and end-all, I find it reassuring to see that some service providers are prepared to credit users with a little more concern for security.
Disclaimer: I have no commercial or professional stake in fastmail, though I am a user.