Two-step verification and other new security features


Profile picture for Neil Jenkins

Chief Product Officer

Your FastMail account is valuable. It’s your identity in the online world, your username on the web; it’s how you identify that you are you electronically. Companies use it to deliver important information to you. Your stored mail contains memories, personal details and sensitive or critical information.

Making sure that you, and only you, have access to your account is a top priority for us at FastMail. That’s why today we’re delighted to announce a raft of new features to help you keep your account secure.

What do I need to do?

Unless you are currently using our “alternative logins” system, there is no immediate change to your account. Probably the most noticeable change is that the login box is now on its own page, not the homepage.

We do recommend you review your account recovery options by going to the new Password & Security screen, and that you add at least one recovery phone number. As always, we take your privacy very seriously and will only ever use these details to keep your account secure. We never share them with anyone else.

If you were using our alternative logins system

The new combination of two-step verification and app passwords is replacing alternative logins. You will need to migrate over to the new system by the 31st August, when all remaining alternative logins will be removed.

A few rarely used types of alternative login were discontinued today. If you had one of these set up, you will no longer be able to use it to log in. You will need to use your master password. The affected types are:

  • Yubikey one factor (no base password)
  • 1 hour SMS
  • 1 hour printed OTP list
  • Printed OTP list

What are the new features?

All new security features can be viewed and configured on the Password & Security screen. You will need to type in your password at the top and unlock the screen to make any changes.

Two-step verification

Two-step verification (also known as ‘two-factor authentication’ or ‘2FA’) increases the security of your account by requiring something you have (your phone or a special security key), to be paired with something you know (your password), in order to log in to your account.

If you choose to enable it, when you log in you’ll first enter your username and password as normal. After you submit this you’ll then be prompted to finish logging in with any of your registered devices. You may add as many second factor options to your account as you like – you can use any one of them to log in.

Even if you don’t usually log in over the web interface, spammers, phishers and other nefarious villain types do: stop them in their tracks. Learn more about two-step verification in our help.

Note for users of our old “classic” interface: To configure the new security features you will need to log in to our normal interface. Only TOTP and Yubico OTP are supported with the classic interface; you cannot use SMS or U2F to log in.

App passwords

If you turn on two-step verification, you will now need a separate password for each third party app that accesses your account. (This does not include the FastMail mobile app.) Don’t worry, you won’t have to remember it! We’ll generate a secure password for you. This password can’t be used to log in to the web interface (and so can’t change any of your settings), and can be restricted to specific protocols (e.g. just mail, or just calendar) for further security.

You can see when each of your app passwords was last used, and the location/IP it was last used from, on our updated Password & Security screen. If you lose a device, go here to immediately revoke access, without having to change your password elsewhere.

App passwords can be used even without two-step verification. We will gradually move all users over to app passwords for client access over time.

Learn more about app passwords in our help.

New server names

Because messagingengine.com is hard to remember and even harder to type (especially on mobile), we have now added support for all our services on a simple-to-remember scheme of {protocolname}.fastmail.com. We have updated our docs to use these server names, and recommend using them instead of *.messagingengine.com for setting up all new apps in the future.

If you are updating a 3rd party client to use an app password, please also switch to the new server names, to save having to update it again in the future.

The new server names are:

  • IMAP: imap.fastmail.com (port 993, no prefix)
  • SMTP: smtp.fastmail.com (port 465)
  • POP: pop.fastmail.com (port 995)
  • CardDAV: https://carddav.fastmail.com
  • CalDAV: https://caldav.fastmail.com
  • WebDAV: https://webdav.fastmail.com
  • FTP: ftp.fastmail.com (port 21)

There are two important changes compared to the messagingengine.com servers:

  1. You must use an app password. To log in with the new server names you must generate an app password for each app you wish to use; you cannot use your normal FastMail password.
  2. The IMAP server at imap.fastmail.com is set up to use alt-namespace and unix path separators. In plain English, this means you should get better compatibility with email clients (no more top-level folders appearing as sub folders of your Inbox!). The Inbox Path Prefix must now be left blank.

As with the *.messagingengine.com server names, all of these protocols MUST be used with an encrypted (TLS/SSL) connection.
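If you manage settings for several mail clients, the rules above can be checked mechanically. The following is an added example, not FastMail code: it audits client profiles against the server names, ports and requirements listed in this post. The profile dictionary layout, the `credential` labels and the sample profiles are assumptions made for illustration.

```python
# Added example (not FastMail code); profile layout and credential labels are assumed.
NEW_SERVERS = {
    "imap": ("imap.fastmail.com", 993),
    "smtp": ("smtp.fastmail.com", 465),
    "pop": ("pop.fastmail.com", 995),
    "ftp": ("ftp.fastmail.com", 21),
}
LEGACY_DOMAIN = "messagingengine.com"

def audit_client(profile):
    """Return a list of findings for one client profile; empty means compliant."""
    proto = profile["protocol"].lower()
    host = profile["host"].lower().rstrip(".")
    if proto not in NEW_SERVERS:
        return [f"unknown protocol {proto!r}"]
    new_host, new_port = NEW_SERVERS[proto]
    findings = []

    # Every protocol must run over TLS/SSL, on old and new names alike.
    if not profile.get("tls", False):
        findings.append("connection is not encrypted (TLS/SSL is required)")

    if host == LEGACY_DOMAIN or host.endswith("." + LEGACY_DOMAIN):
        findings.append(f"legacy server name {host}: switch to {new_host}")
        return findings
    if host != new_host:
        findings.append(f"unexpected host {host}: expected {new_host}")
        return findings

    # Rules that apply only to the new {protocolname}.fastmail.com names.
    if profile.get("port") != new_port:
        findings.append(f"port {profile.get('port')} differs from listed port {new_port}")
    if profile.get("credential") != "app_password":
        findings.append("new server names need an app password, not the account password")
    if proto == "imap" and profile.get("inbox_prefix"):
        findings.append("IMAP Inbox Path Prefix must be left blank")
    return findings

# Constructed sample profiles (not real accounts).
SAMPLES = [
    {"protocol": "imap", "host": "mail.messagingengine.com", "port": 993,
     "tls": True, "credential": "account_password", "inbox_prefix": "INBOX"},
    {"protocol": "imap", "host": "imap.fastmail.com", "port": 993,
     "tls": True, "credential": "account_password", "inbox_prefix": "INBOX"},
    {"protocol": "smtp", "host": "smtp.fastmail.com", "port": 465,
     "tls": True, "credential": "app_password"},
]
for p in SAMPLES:  # print the findings for each constructed profile
    print(p["host"], audit_client(p))
```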

Restrictions lifted on password format

To ensure compatibility with all the various protocols and 3rd party apps we support at FastMail, in the past we have had to restrict which characters were allowed in your FastMail password, and limited it to a maximum length of 50 characters. With the introduction of separate app passwords, we have now removed these restrictions.

New recovery options

If you get locked out of your account, because you’ve forgotten your password, or lost your second factors, or your credentials are stolen, we need to make sure you’re really you before we allow access again. You can now add one or more mobile phone numbers and external email addresses that belong to you, which we can send a code to as part of our new recovery process to help you regain access. As always, we take your privacy very seriously and will only ever use these details to keep your account secure. We never share them with anyone else.

In addition, your account has a unique “Recovery Code”. You can view this in the new Password & Security screen; we strongly recommend you write it down or print it out and keep it in a safe place.

A new automated recovery tool is coming soon, but for now continue to raise a support ticket if you’ve forgotten your username or password.


If you’re having problems getting set up, check out our troubleshooting section in our online help.

Got any security questions or recommendations? Tweet us @FastMail using the hashtag #securitymatters.
