
> Password managers are phishing resistant. The browser plugin will not offer to autocomplete passwords on an identical-looking punycode domain.

True … but the reaction to this by the vast majority of users is to go "stupid password manager autofill not working again", and copy and paste their password out of the pw manager and paste it straight into the phishing site…


Well, IME this tends to happen on "let's be super secure and disable or otherwise break the login fields" sites, so I'm not sure these people will bother implementing actually useful security measures.


(Chief Product Officer at Fastmail here.)

Once your next step is not necessarily a password, having just the single username input up front becomes necessary to avoid confusion. To support non-resident passkeys (passkeys on devices that can't store the username with the cryptographic key), we need to be able to prompt for the username, then offer them their passkeys to log in.

This does have the effect of making it slightly less ergonomic for just username/password input, but we did everything we could to mitigate this:

> First, I can’t do username <tab> password <enter>.

True, but we made it so you can do username <enter> password <enter>.

> Secondly, with auto fill, it requires two clicks to sign in.

True, but the way we've set it up should ensure the autofill did both immediately, so you don't have to activate your password manager twice.

The flip side is if you do use passkeys, it can be much quicker than any username/password input. For example, 1Password will show you your list of accounts as soon as the login page loads, and it's just one click to sign in.
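As an added illustration of the username-first flow described above (this is example code, not Fastmail's own implementation), the sketch below models the server side of step 1: given only a username, it returns which methods the client may offer next, and, when the account has non-resident passkeys registered, the WebAuthn request options naming their credential IDs in `allowCredentials`. The account directory, credential IDs and relying-party id `example.com` are constructed placeholders. The no-username path (`begin_discoverable_login`) is the resident-passkey case, where an empty `allowCredentials` lets the browser or password manager offer the accounts it already holds as soon as the page loads.

```python
import base64
import os

# Constructed account directory standing in for a real user store (assumption:
# illustration only, not Fastmail's code or data structures).
# A non-resident passkey stores no username on the authenticator, so the
# server must learn the username first, then tell the browser which credential
# IDs to ask the authenticator for via allowCredentials.
USERS = {
    "alice@example.com": {
        "has_password": True,
        "credential_ids": [b"constructed-credential-id-0001"],
    },
    "bob@example.com": {"has_password": True, "credential_ids": []},
}

RP_ID = "example.com"  # assumed relying-party id


def b64url(data: bytes) -> str:
    """WebAuthn carries binary fields as unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def passkey_request_options(credential_ids):
    """Build PublicKeyCredentialRequestOptions for navigator.credentials.get().
    An empty allowCredentials list asks for discoverable (resident) passkeys,
    which is the no-username path; a non-empty list names the non-resident
    credentials the authenticator should look up."""
    return {
        "challenge": b64url(os.urandom(32)),
        "rpId": RP_ID,
        "userVerification": "preferred",
        "allowCredentials": [
            {"type": "public-key", "id": b64url(cid)} for cid in credential_ids
        ],
    }


def begin_login(username: str) -> dict:
    """Step 1 of a username-first login: given only the username, return the
    methods the client may offer for step 2. Unknown usernames get the same
    password prompt as a user with no passkeys, so this step by itself does
    not confirm whether an account exists (a design choice assumed here)."""
    user = USERS.get(username, {"has_password": True, "credential_ids": []})
    response = {"username": username, "methods": []}
    if user["credential_ids"]:
        response["methods"].append("passkey")
        response["passkey"] = passkey_request_options(user["credential_ids"])
    if user["has_password"]:
        response["methods"].append("password")
    return response


def begin_discoverable_login() -> dict:
    """No-username path: the browser/password manager presents the resident
    passkeys it already holds for this rpId as soon as the page loads."""
    return {"methods": ["passkey"], "passkey": passkey_request_options([])}


if __name__ == "__main__":
    import json
    print(json.dumps(begin_login("alice@example.com"), indent=2))
    print(json.dumps(begin_login("nobody@example.com"), indent=2))
```

The client would feed `response["passkey"]` to `navigator.credentials.get()` and, if the user picks the password method instead, post the password as step 2; verifying the signed assertion against the stored public key is out of scope for this sketch.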


Sorry to corner you here on an unrelated topic, but I will take a chance on asking…

Why can I not prepay my FastMail account? I have a three year subscription which ends in another 14 months. The UI indicates I will be auto renewed two days before my subscription ends. That is not a comforting margin for error in the event there is a billing issue for something as vital as email.

I can understand you do not want to let people pre-purchase infinite time, but you already offer the three year plan. Let me top it off well in advance of the expiration date, so I have ample time to resolve issues if they occur. Let me subscribe to an annual renewal, always maintaining a two year balance.

Coincidentally, checking my account now, I see my credit card on file is expired.


The short answer is our new billing platform (Paddle), which all new users are on and we're moving everyone to, doesn't support it. (We're moving from a home-grown billing solution to simplify our global tax compliance and give us support for more important things like billing in local currency.)

You can hack around it by converting to monthly billing (which will give you a credit), then immediately convert back to 3-year subscription (your credit will be used, so you'll only pay the difference). The end result is essentially identical to an early renewal.

I'd also like to reassure you that we don't immediately delete your account if renewal fails! We have a slow degradation process that gradually disables sending, then receiving, then finally access to anything other than billing if the account continues to go unpaid over several weeks. But our support team can (and do) delay this process if for whatever reason you are having difficulty making a payment and reach out to us.


I will definitely explore the monthly-conversion to re-subscribe. Thanks for the tip.

While not everyone would agree, it would be nice to see if the renewal attempt was made say a month in advance of the expiration date. My paranoid self thinks I am one long vacation + expired credit card away from losing my email.

As a rule, I try not to lean on the good graces of for-profit companies. Having expectations for how long my account would be functional were I to miss a payment is a game I care not to play for vital services.


> doesn't support it.

This is ridiculous.

One of the benefits of Fastmail for me was the ability to prepay and not be bothered about whether the payment would be processed in time, work at all, or whatever.

FM had a couple of stumbles for me in the last years (including shadow banning the account without any feedback at all), guess this would be the last nail for it.

Sad.


Fastmail user here: you get a reminder a week or so ahead of time, and even if the payment doesn't go through, they don't shut down your account instantly. You get a few reminders. I even emailed support to ask for some time to settle my credit card and they were okay with extending it.


IIRC, when my payment lapsed due to an expired card, I got plenty of time to fix the issue. In my case, the payment is taken from the card a whole month and a half before the invoice is generated (typically a different fiscal year, smh).


Thanks for the detailed response, I wasn’t expecting an official reply. I can understand the reasoning.

The mitigation is good, though I did like pressing tab and having @fastmail.com autocomplete, which doesn’t happen now unless the input box loses focus (so enter alone doesn’t work). However I’ll just get used to pressing <tab> <enter>. I am nitpicking. The implementation is excellent (particularly onboarding).


GitHub offers a this OR that option which seems to work. Granted their userbase might be a bit more technical on average.

Why not remember how a user logs in with localstorage?


Fastmail has way more powerful server-side filtering than either Exchange or Gmail. https://www.fastmail.help/hc/en-us/articles/1500000278122-Ma...


Have you contacted our support team about these issues? Both sound very unusual, and we'd be happy to look into them for you. Drop us a line at support@fastmail.com or you can create a ticket at https://support.fastmail.com/support/


We do this at Fastmail and, if I say so myself, our implementation is pretty damn good. We’ve had this for over a decade, so it was originally built for much lower powered devices.


(I work for Fastmail). I'm not quite sure what to make of this. We believe our search is generally as powerful as Gmail's, and in some ways more so (see all the things we support here: https://www.fastmail.help/hc/en-us/articles/360060591213-Sea...), but we're always happy to hear ideas for improvements.

> no partial matches

To make your search fast, we use an index. This means we match on stemmed whole words by default (so a search for "bus" would match "busses", but not "business" for example). We also support prefix matching, if you end with a `*` (e.g. "bus*" would match both "busses" and "business"). We cannot support pure substring matches. This is exactly the same as Gmail as far as I can tell (although their stemming algorithm is probably slightly different). Gmail also doesn't support prefix searches as far as I know, just stemmed whole word matches.

> no matches for spelling mistakes

I see if your result has no matches in Gmail, it applies spelling correction and shows you what results this produces instead — I agree, this is a nice feature, I'll add it to our ideas bank.

> weird indexing of some sort of email content (attachments?) that leads to a match when there is absolutely nothing related in that email

We index the contents of attachments (again, as does Gmail I believe). By default we search everywhere, including inside attachments if you just search for a word. Most users find this helpful. If you want to restrict to just searching the message content, you can do so with the `body:` operator.

> it has no idea about the context of the search to improve matches, like 'flight' being possibly related to e.g. travel

I'd love to hear more about how you expect this to work. Searching a Gmail account on the web for "flight" doesn't seem to do anything special I can see, but maybe it does so in their app?
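The comment above explains why an index-backed mail search matches stemmed whole words and trailing-`*` prefixes but not arbitrary substrings, and why a bare word also hits attachment text unless you restrict with `body:`. The following is an added example of that behaviour, not Fastmail's code: it builds a per-field inverted index over a constructed four-message mailbox, uses a deliberately tiny suffix stripper in place of a real stemmer (an assumption; a production index would use something like Porter or Snowball), answers prefix queries as a range scan over the sorted vocabulary, and refuses leading or inner wildcards because a term-keyed index cannot answer them without scanning every term.

```python
import bisect
import re
from collections import defaultdict

# Constructed sample mailbox (message id -> per-field text); not real mail data.
MESSAGES = {
    1: {"body": "The busses to the airport were late again", "attachment": ""},
    2: {"body": "Quarterly review attached", "attachment": "business plan fiscal year"},
    3: {"body": "Bus timetable for the office shuttle", "attachment": ""},
    4: {"body": "Flight confirmation", "attachment": "hotel booking voucher"},
}
FIELDS = ("body", "attachment")


def stem(word: str) -> str:
    """Toy suffix stripper standing in for a real stemmer (assumption: the
    rules are only enough to make the examples in the discussion work)."""
    w = word.lower()
    if w.endswith("sses"):
        return w[:-3]              # busses -> bus
    if w.endswith("ies"):
        return w[:-3] + "y"        # flies -> fly
    if w.endswith("ss"):
        return w                   # business stays business
    if w.endswith("s") and len(w) > 3:
        return w[:-1]              # tickets -> ticket, but bus stays bus
    if w.endswith("ing") and len(w) > 5:
        return w[:-3]              # booking -> book
    return w


def tokenize(text: str):
    return re.findall(r"[a-z0-9]+", text.lower())


def build_index(messages):
    """Inverted index per field: stemmed term -> set of message ids."""
    postings = {f: defaultdict(set) for f in FIELDS}
    for mid, fields in messages.items():
        for f in FIELDS:
            for tok in tokenize(fields[f]):
                postings[f][stem(tok)].add(mid)
    return postings


INDEX = build_index(MESSAGES)
# A sorted vocabulary turns a prefix query into one bisect plus a short scan.
TERMS = {f: sorted(INDEX[f]) for f in FIELDS}


def match_term(term: str) -> set:
    """Resolve one query term: optional field prefix (e.g. body:), then either a
    stemmed whole-word lookup or a trailing-* prefix scan over the vocabulary."""
    if ":" in term and term.split(":", 1)[0] in FIELDS:
        field, word = term.split(":", 1)
        fields = (field,)
    else:
        fields, word = FIELDS, term          # default: search every field
    word = word.lower()
    if "*" in word[:-1]:
        # Leading/inner wildcard = substring search; not answerable from a
        # term-keyed index without scanning the whole vocabulary.
        raise ValueError(f"substring match not supported: {term}")
    hits = set()
    for f in fields:
        if word.endswith("*"):
            prefix = word[:-1]
            vocab = TERMS[f]
            for t in vocab[bisect.bisect_left(vocab, prefix):]:
                if not t.startswith(prefix):
                    break
                hits |= INDEX[f][t]
        else:
            hits |= INDEX[f].get(stem(word), set())
    return hits


def search(query: str) -> set:
    """AND-combine all terms of a query string; returns matching message ids."""
    result = None
    for term in query.split():
        ids = match_term(term)
        result = ids if result is None else result & ids
    return result or set()


if __name__ == "__main__":
    for q in ("bus", "bus*", "business", "body:business", "booking", "bus airport"):
        print(f"{q!r:16} -> {sorted(search(q))}")
```

Running it shows the behaviour the comment describes: `bus` hits messages 1 and 3 but not the "business" attachment, `bus*` hits all three, a bare `business` finds message 2 through its attachment while `body:business` finds nothing, and `*usin` raises because the index has no way to answer it.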


(I work for Fastmail). Our search is comparable and in some ways more powerful than Gmail's search. If you're having problems, please create a support ticket (or just email support@fastmail.com) and we'd love to look into that for you. Thanks!


(I work for Fastmail). That sounds very surprising. Please email support@fastmail.com with the details and we'll be happy to look into it for you. I don't believe we've ever had an instance of Sieve not working correctly. (We have had plenty of reports that boiled down to people making errors in their Sieve scripts; we recommend most people use our UI instead to make their rules, to allow you to preview results and help ensure the syntax is correct.)


To change your default "From" address, go to: Settings -> Signatures & Compose -> Compose options and it's the very first setting at the top. (Direct link: https://app.fastmail.com/settings/sending/composing).

You always use your username for authentication. (But it's not special other than that; you can send from any of your addresses equally.) You can rename your user to your address at the custom domain in Settings -> Team & Sharing -> User management. (Direct link: https://app.fastmail.com/settings/team/users).


Thanks.

Ah. I didn't think to look there. I was looking for a setting in the UI for the particular address.

I'll check this now.

Tho' I still don't like the idea that the email I'm using is auth'ed with my FM admin address. Meaning I'm also logged in as admin even tho I only want to be limited to using my custom domain email - nothing more, nothing less.


(Architect of Fastmail's login/account recovery protocols here.)

Firstly, I will say this incident was unacceptable, and we were deeply sorry about it. However, it is also the only time it has happened in our over 20 year history (to the best of our knowledge of course). We already had several projects underway to improve the security of account recovery at the time, which unfortunately hadn't quite landed yet. Since then we have introduced an automated recovery tool with a very carefully designed flow (more info: https://www.fastmail.com/blog/security-account-recovery/) that securely handles most common cases (e.g., forgotten password, or user's account stolen due to password reuse/phishing). Human support is still available, but any account recovery request can only be handled by senior support agents who have undergone rigorous training, and in the case of any doubt are escalated all the way up to our senior security engineers.

Elsewhere it's been mentioned that different people may have different priorities in balancing ensuring they don't lock themselves out, versus ensuring an attacker can never access their account. We provide some flexibility here. If a user has 2FA enabled, we must verify two separate means of verification to grant access, whether via our automated tool or support-assisted recovery. Users can also submit a support ticket to request we add a note to their account to never do human-assisted recovery.

I realise it's very hard to assess the security competence of an organisation from the outside, and for what it's worth, we think the Google security team also do an excellent job. But overall I think we do a very good job of keeping users secure while not locking them out of their own account.


> Elsewhere it's been mentioned that different people may have different priorities in balancing ensuring they don't lock themselves out, versus ensuring an attacker can never access their account

Thank you, this is the most important observation.

Service providers should be providing flexible mechanisms to meet different needs, they should absolutely not be imposing a one-size-fits-all policy. That's the fundamental wrongness with google/facebook and their ilk.

Only I know what the security levels I need for any given account I own. I must be able to configure the policy.

Sometimes, I value my access above all else. With some other account I may value preventing access to others even at the risk of losing access myself. Other variants are possible. Only I know what the correct policy is in any given case.

