Yahoo To Open Up Email Authentication

Aditi.Tuteja writes, "Yahoo has announced it will give away the browser-based authentication used in its email service, considered to be the company's 'crown jewels.' Yahoo made the announcement ahead of a 24-hour 'Yahoo Hack Day,' where it had invited more than 500 mostly youthful outside programmers to build new applications using Yahoo services. Considering the different needs of its huge user base (257 million people use Yahoo Mail), Yahoo has decided it can't build or buy enough innovation, so they are enlisting the worldwide developer community." The code will be released late in 2006. Yahoo notes that there are 'no security risks' since they keep absolute control of usernames and passwords.

Yahoo for yahoo.

[Guitarhero1000]

Now if they can just work on all the spammers, and fake porn bots that infest the network, then they may have something going for them. Hiring the world to do thier work. BRILLIANT!

Re:Yahoo for yahoo.

Hiring the world to do thier work. BRILLIANT!

I really wish people wouldn't do this crap. It's not Mom and Pop's Search Engine Co. It's frigging Yahoo. If you want programmers, pay some damn programmers.

DARPA Grand Challenge, sure. Nobody's getting your crap for free when you're done. GPL, sure. They only get it if they give back. But stupid competitions like this just feed cash into the already-cash-filled pockets of corporations. Not that corporations making money is a bad thing, but we don't need to hand them more for driving down programmer wages.

Good for Yahoo

[lewp]

In their struggle to maintain relevance in the face of Google, Yahoo has really done a complete 180 from the days when their main service was a manually-reviewed index of websites. They've had the good sense to keep their noses out of (e.g. Flickr), and they've made some cool products/technologies available to the developer community for free.

Google gets all the press nowadays, but Yahoo's been pretty cool lately as well. Props!

Re:Good for Yahoo

"They've had the good sense to keep their noses out of the things they've acquired (e.g. Flickr)"

So maybe I've been drinking...

Re:Good for Yahoo

[dragonquest]

Exactly. A lot of people bash up Yahoo, but they seem to be doing a fair job maintaining their status as the highest traffic website. Granted that their user base is not exactly the most elite on the web, but the company as a whole is giving pretty good (if not excellent) services to its users. And the highlight of this has been its acquisitions. Like flickr and del.icio.us (which they intelligently kept separate from Yahoo MyWeb 2.0). Google is going great guns, but for me Yahoo is the player to beat to be no.1 in the web race. There's a useful list of Yahoo acquisitions here.

Re:Good for Yahoo

[manastungare]

I thought they did a 360, really?

Re:Good for Yahoo

[Machtyn]

You've got to wonder about Juno. When Google announce 1GB of storage space and Yahoo! and MSN followed shortly by increasing space from 5MB to 20MB to 1GB, Juno decreased storage from 5MB to 2MB... and then reduced their free service even more by discontinuing their offline storage, and then making you pay for that 2MB of storage. Problem for me is that I can't even delete my Juno account. It's too bad, Juno was a decent service when it was relevant.

257m users.

How many of those 257 million users are spambots?

Re:257m users.

I would estimate that the vast majority are either spambots, duplicate accounts, or long-idle abandoned accounts. I wouldn't even be SLIGHTLY surprised if this is true of better than nine out of ten of these "users".

Re:257m users.

[Jekler]

Well, I have at least 4 abandoned accounts there (lost my password on at least 2, another account became unusable after converting an account to SBC/Yahoo DSL and later switching to another ISP). So Consider I'm only 1 person with at least 5 accounts... and that's probably not entirely unusual. I'd figure 257m translates to 3-4m unique people.

Re:257m users.

[rvw]

So Consider I'm only 1 person with at least 5 accounts... and that's probably not entirely unusual. I'd figure 257m translates to 3-4m unique people.

Yeah right! Everybody has as least 50 accounts. And some people even have more than 100 to compensate for that one stupid user who has only one. You probably graduated in math?

Re:257m users.

[mysticgoat]

I've got 2 abandoned Yahoo accounts of fairly recent vintage (1 to password hassles, 1 was a throwaway I used for learning some stuff about the warez scene). That's in addition to my active Yahoo account.

I've also got at least 2 abandoned GeoCities sites, back from the day before Yahoo's acquisition of same. And possibly 3 or 4 other abandoned sites, because when they attempted to merge GeoCities with Yahoo they kept screwing up my access.

So I can account for at least 5 and possibly 9 of their "users". If my experience is typical, their user base of unique individuals might be a small fraction of what they claim.

It seems to me like...

[RuBLed]

...social websites allowing their users to customize the css templates of their profile pages. There would surely be a few good innovations but like 70% of my friends "customized profile pages", most would visually painful enough that.. arrghhh..!! *head explodes*

Maybe I'm Jaded...

...but it sounds to me that they're trying to get their work done for free by using OSS devs.

/* Shrugs */

Then again, Yahoo != M$.

(on an unrelated note, the new webmail service is rather slick.)

But Yahoo email login work with FF passwords?

[denis-The-menace]

Does this mean that I'll be finally able to login into Yahoo email with the built-in password handling in Firefox?

If so, I'll believe it when I see it.

Re:But Yahoo email login work with FF passwords?

[closetphilosopher]

I don't know about Yahoo, but for other websites that prevent password saving, use the bookmarklet at http://www.squarefree.com/bookmarklets/forms.html to change the form parameters before you submit it.

Re:But Yahoo email login work with FF passwords?

[RonnyJ]

I can login fine to Yahoo already with Opera's built-in password handling, so I can't imagine it's anything that couldn't be solved in Firefox.

Re:But Yahoo email login work with FF passwords?

just get the yahoo mail notifer extension for firefox... if you dont know what i mean just try it out and you wont go back!

Re:But Yahoo email login work with FF passwords?

[denis-The-menace]

I can with Mozilla 1.8x too, but Firefox can't.

I find it ironic...

[Ashrin]

...that the quote-thing in the footer says 'If it ain't broke, don't fix it.'

Still too much spam!

[Kid+Zero]

Geez.... their spam filters are non-existant.

Re:Still too much spam!

[Eternauta3k]

Actually, I found their spam filter the best (but I haven't used that account for a year, so...). Practically none false positives and no spam getting through.
On GMail, I get so much spam I don't check it anymore. Still, it seems as good a filter as yahoo's

Re:Still too much spam!

You have got to be kidding.

I have a yahoo.com account I rarely use, it's known by 7 or 8 people at the most. I don't use that account for mail lists, to sign up for forums, sites, etc. As a matter of fact, I use it mainly to send weekly backups of the sql dump of a small site I run. Every bloody time I log in (probably once every week or so), I have not only the spam folder filled to the brim with messages (400, 500 pieces, no problem), but also some 50 or 60 that seeped through to my inbox. And the username is not even a dictionary or easily guessable word!

Contrast that with my gmail account which I use to sign up for pretty much everything and to post to mail lists (so the email gets harvested by all the spam spiders out there). To top that off, I have that email address visible unobfuscated in plain-text on a handful of websites. I get maybe one or two spams a day on the spam folder, and maybe one every six months gets wrongly delivered to my inbox. And the username is my name, which happens to be a quite common name, so its prone to being targeted by spammers sight unseen.

Maybe google is just using black magic to filter spam, I don't know, but _it works_. Yahoo doesn't, period.

Re:Still too much spam!

[Kid+Zero]

I've got the opposite problem. Yahoo I get so much spam I pretty much don't bother with it. Gmail sticks it all (and I mean ALL) of it in the spam folder. I clear that out when it hits three digits.
Yahoo I've got my blocklists, filters, and everything on, and I still get 50-60 pieces of spam a day in the main folder. Gmail is actually useable. :)

OpenID ?

[johnjones]

could they not just conform to a standard ?

regards

John Jones

Re:OpenID ?

[Frosty+Piss]

could they not just conform to a standard?

They do conform to a standard, just not the standard you're talking about.

Re:OpenID ?

[1310nm]

This is a standard? Says who, the people who are developing it?

Not that I don't like the idea or anything.

Re:OpenID ?

Yes, conforming to some sort of standard is a great idea - that way when it's hacked, exposing our usernames and passwords all over the Net, Yahoo users will be in great company with all the other unwashed masses out there. And, as we all know, Yahoo! doesn't need a market differentiator, does it?

Let Yahoo solve this first...

[bogaboga]

Of late, I have encountered trouble logging into Yahoo Mail. In fact, this has been going on for three months. Before Yahoo begins talking about or even blowing their own trumpet about their "Crown Jewels", they should at least make their [mail] service as reliable as Google's Gmail. For the record, I am not impressed with their new email interface either.

The other thing I'd like to see is full support for Mozilla's Firefox browser as far as Yahoo's Launchcast service is concerned. Don't mention that GreaseMonkey extension. All I want to see is full support. They are doing a fiar job when it comes to video on their news service. But music is still wanting.

Re:Let Yahoo solve this first...

If by "trouble logging in," you mean Firefox crashes after you click the login button, it's related to the Yahoo Firefox plugin. Google some relevant search terms and you'll find a site that tells you the name of the plugin. Remove the plugin and enjoy.

maybe

Maybe they could also allow users to forward emails from their Yahoo accounts for free. This doesn't sound very innovative, but I know a lot of people who have backed away from Yahoo's emailing system because of this.

Web 2.0 Mashups

[Aditi.Tuteja]

This would probably spark a wave of more efficient & integrated Web 2.0 Mashups.

Crown jewels?

[bogaboga]

Come on Yahoo...is that authentication code really a crown jewel? I am no coder but really wonder whether that title fits what the subject is here. What if we find that most if not all of this authentication code was lifted from BSD?

Re:Crown jewels?

[Burz]

They're encouraging developers to think, "Ooh shiny! I want!"

How this is any more special then authenticating over TLS/POP3 is anyone's guess at this point. But I'll speculate that this is a way to entice developers to use Yahoo as a defacto authentication service as MS Passport aimed to be.

Personally, I think users have moved on. Our browsers remember our passwords, and its not hard to synchronize password DBs between browsers if you use more than one.

Think of this Yahoo authentication "openness" as a counterweight to the Google browser-sync tool. I prefer the Google idea, since Google only ever gets my browser data in encrypted form whereas Yahoo-as-authentication-server means that a breakin or abuse of the password DB == users getting screwed.

Re:Crown jewels?

[Schlemphfer]

>Come on Yahoo...is that authentication code really a crown jewel?

The code isn't the crown jewel. What's of enormous value is the database of 250 million established Yahoo ID's.

Suppose I want to open my blog up to comments. These days, I'd be nuts to allow non-account-holders to post, since I would be overwhelmed with comment spam. How many of my users will be willing to register a brand new username and password with my site's custom code? But if you've already got a Yahoo ID, that's all you'll need to go right ahead and post on my blog. See? The barriers to participating on my site have dropped almost to nothing, all because of Yahoo's pre-existing database of 250 million users.

This is a win all the way around. It's a win for Yahoo, since it makes it more valuable for people to own a Yahoo ID. It's a win for me, since I don't need to generate custom code and maintain a database for user passwords. And it's a win for my users, who can now comment on my blog with little or no hassle.

The losers? Sites like typekey.com, who were created to offer the same feature that Yahoo is about to offer, but who don't have the crown jewel of 250 million user accounts.

Re:Crown jewels?

[Psychotria]

I dunno about what you typed. Here in Australia though "crown jewels" means something umm... err.. well I aint giving them away and I'll keep them snug-as-a-bug in my underwear... err, on second thoughts don't read this message

Re:Crown jewels?

[Angostura]

Why am I reminded of Microsoft Passport?

Re:Crown jewels?

[Baricom]

Why am I reminded of Microsoft Passport?

No clue. Free is less than $10,000 per year.

Re:Crown jewels?

Suppose I want to open my blog up to comments. These days, I'd be nuts to allow non-account-holders to post, since I would be overwhelmed with comment spam. How many of my users will be willing to register a brand new username and password with my site's custom code? But if you've already got a Yahoo ID, that's all you'll need to go right ahead and post on my blog. See? The barriers to participating on my site have dropped almost to nothing, all because of Yahoo's pre-existing database of 250 million users.

You're missing a huge flaw in this reasoning: Once the comment spammers realize that 100 million blogs are allowing posts from registered Yahoo users, what do you think they're going to do... Tthey're going to go get a Yahoo account and mass-spam all of you. And if you block that ID, it'll take them all of 60 seconds to go get another Yahoo ID... In then end you're going to have to block all Yahoo IDs to prevent spam, and then you're right back to where you started from.

Re:Crown jewels?

[Tofflos]

I still don't get it. I wouldn't enter my Yahoo credentials on any site but Yahoo. It seems like an excellent way to get your account hijacked.

Re:Crown jewels?

[AnyoneEB]

Uh, use OpenID? Although, it would make sense for Yahoo! to offer OpenID for their users.

Let us hope they consider fixing their security...

... problems with the Yahoo! accounts.

It isn't hard to takeover someone else's account, but if someone out there does so, make sure to get written permission from the person first so you're not committing a crime.

Their forgotten password security system is very lax, and it's fairly easy to gain access to someone's account with a bit of googling. The zip code information, the birthday information, and the secret question information, all can be obtained by someone's personal website usually. Someone will mention where they live, their birthdate, and might have a journal containing their secret question's password.

Yahoo! needs to implement a dual password system, where a master pass can be used to log in and fix one's account if one had it stolen.

jewlery

[macadamia_harold]

Yahoo has announced it will give away the browser-based authentication used in its email service, considered to be the company's 'crown jewels.'

If that's one of their 'crown jewels', would their hosting service be considered the "family jewels"?

Sounds familiar...

[__aaclcg7560]

... there are 'no security risks' since they keep absolute control of usernames and passwords.

That's what my bank, credit card company and local government told me before they had a little "incident" with some script kiddies. Maybe the mattress is still the safest place for your money?

Re:Sounds familiar...

[Quixotic137]

It's no less secure than now, since Yahoo already has the usernames and passwords.

'No security risk'

[SeaFox]

Yahoo notes that there are 'no security risks' since they keep absolute control of usernames and passwords.

Why does the phrase "famous last words" come to me when I hear that. I can almost imagine it being spoken by Hammond in Jurrasic Park when he's talking about how safe the attractions are and that it's impossible for the dinosaurs to breed.

I forsee an explot being developed or maybe someone will just write a new "service" that makes use of Yahoo's systems that also happens to pass the username/pass to a more nafarious author.

Remember, the tool is only as safe as the operator. AOL's search didn't even ask for people to enter their Social Security Numbers.

Re:'No security risk'

[wfberg]

Yahoo notes that there are 'no security risks' since they keep absolute control of usernames and passwords.
[..]
I forsee an explot being developed or maybe someone will just write a new "service" that makes use of Yahoo's systems that also happens to pass the username/pass to a more nafarious author.

No need for exploits, even.

When any random blog starts asking for your yahoo account and password, do you think people will even notice that some of them don't redirect to loginservicethingy.yahoo.com? Most people won't notice, and the web shall be littered with their credentials.

Re:'No security risk'

[jam-pearl]

If you look into the implementation details of Browser-Based Authentication (http://developer.yahoo.com/auth/), it says:

Once the user enters their Yahoo! user ID and password, Yahoo! displays a Terms of Service page and lists the data which your application may access. If the user grants your application access, Yahoo! redirects the user to your site. The redirect URL contains a token that you use to retrieve the user's credentials.

Wonder how this gets implemented for Yahoo Mail. When a user wants to log in to a custom application, will he be redirected to Yahoo Mail main page (by custom application) and then redirected back from Yahoo Mail or does the developer writing this custom application handle the sending of credentials through public API provided.

In either case, redirection or direct handling of credentials, the credentials can be compromised.

Re:'No security risk'

How long until phising sites start using yahoo logins and then managing to crack your logins of hundreds of 3rd party sites.

IMAP

[SanityInAnarchy]

I'm not saying that Yahoo should've provided IMAP/SMTP in the first place, though it would be nice for any email provider to do that. I'm suggesting that someone should write an IMAP/SMTP proxy for Yahoo mail.

I would be interested in using that -- maybe. As it is, I use my own IMAP server anyway. Which is a nice thing when it comes to services that require a unique email address to set up an account -- I have as many email addresses as I want.

Fetchyahoo anyone?

[glomph]

I don't get it. I've been using fetchyahoo for years, and have had to upgrade every few months as Yahoo has f*cked with their system, but it works great. What, exactly, are they 'giving away'?

Re:Fetchyahoo anyone?

[Burz]

The Webmail extension for Thunderbird can access Yahoo Mail and also updates regularly. However its so easy to update extensions that I don't mind.

If you want Yahoo-->IMAP, just setup an IMAP server (or an account with a provider like Fastmail) then setup a TB rule to move the Webmail onto your IMAP server.

It's part of a trend

[joeflies]

Microsoft's tried to own identity by offering 3rd party authentication through Passport, and now shifted towards IDCard/LiveID. Google has already opened up their authentication

Ultimately this comes down to who are users going to flock to as their primary id on the internet - and thus users will use it to log into 3rd party applications which lie outside of microsoft/google/yahoo. The bigger question, though, is how come these companies are going to "own" your id instead of federate it.

BTW, Yahoo has offered authentication services through other apps back in March.

Insanely brilliant

[dedazo]

Think about this - you can now integrate a full-blown email client into your application (CMS, corporate, portals, etc) by simply writing around what will probably be a thin WS/RPC wrapper. Branding can't be far behind, and Yahoo will probably use the insertion of (hopefully) unobtrusive ads to finance it. Higher-level customers can probably do much more, including getting rid of ads. Maybe the service will even work with other domains. Now John Coder can offer a real email client in his app with minimal effort.

It remains to be seen if they can pull this off, but it's nice to see this type of innovation and broad steps coming from somewhere other than Google. I like Google, but they need the competition or they'll start to stagnate. Competition is good!

Sunnydale?!?!?

[Ka+D'Argo]

SUNNYDALE, California (Reuters) - Yahoo Inc. (Nasdaq:YHOO - news) is set to allow....

Yea I mis-read the first line of the article :( Got me all exited and stuff...

"Browser-based authentication" or API?

[netsharc]

2 paragraphs from the article:

Technically speaking, Yahoo is giving away "browser-based authentication" for its e-mail service for developers to build new applications. Currently only Yahoo Mail (http://mail.yahoo.com) and certain broadband partners like AT&T (NYSE:T - news) and BT (BT.L) are granted such access to the code.

This will allow people to make custom versions of the basic interface, or look, of e-mail. Other uses may include tapping the information inside a user's e-mail program to create new ways of displaying the information to individual users.

How the hell will browser-based authentication enable users to do all that? Or are they talking about providing an API for outside users?
The old (non-Ajax, non-beta) Yahoo Mail! had a clever login system. There's Javascript that md5-encodes the password and a session salt string, and sends the username and encoded password to the server. The plain password itself is never sent through the network. I doubt that the crown jewels they're talking about, because even I have manage to implement the function on some web-applications I've developed..

Re:"Browser-based authentication" or API?

[Aditi.Tuteja]

Core thing is, Yahoo! and Google, through its Summer of Code are now wooing developers? Probably for the same reasons that Microsoft and other software companies have been doing to developers for decades: to find prospective employees and build a qualified labor pool. To drive adoption of their platform at companies by influencing their IT staff; to encourage development of third party applications based on their platform and services. Releasing this API is maybe just an Eyewash..

yahoo it/tech dept are hopeless

[cheekyboy]

What happens to IT staff/ techos that make millions themselves through stock options in the late 90s?

You become lazy rich yuppies (see the yahoo ceos daughter on mtv? gawd) and your brain turns into drivel that cannot
innovate.

Go on a 4week engineering brain storm trip, no girls, no CC cards, no email to your wifes.

That will give you 5 years of engineering brillians between 10 smart people.

How hard is it to kill all the bots/fake accounts? how about killing all accounts with a prefix of 5 or more digits or AAAAA prefixes.
Suspend millions of them, and if there is no real person requesting it be turned back on its a bot, no response in 90 days, rm -rf the damn
account.

Or is yahoo claiming 250 million users, yet its only 90million real people and the rest bots?

Couarageous!

[in2mind]

Since Yahoo keeps absolute control of usernames and passwords there are no security risks, Dickerson said.

Man,thats so courageous.Iam surprised how Yahoo is so confident.

(Obligatory)

[stuuf]

The great thing about standards is that there are so many to choose from...

Information Card

[krunk4ever]

Information Cards / Windows CardSpace attempts to fix this problem:
http://msdn.microsoft.com/winfx/reference/infocard /default.aspx

It's the brainchild of Kim Cameron: http://www.identityblog.com/

Unlike Passport, Microsoft does not own your identity when you use Information Cards.

Phishing

[aaronwormus]

Phishing is a BIG problem with Yahoo (and other big websites) plenty of users lose control of their Yahoo! IDs (granted they are not so bright, as seen by the average IQ of people who responded to this post).

I would hate for a phishing attack on Yahoo to make my site vulnerable. And with more and more websites popping up Yahoo! signups, it just makes it easier for someone to spoof the form on their site and gather passwords.

In the Favor of Y! they have taken good steps against phishing attempts, but it still happens a lot.

Re:Phishing

[netsharc]

Invite others to join this site! Enter your (Yahoo|Hotmail) address and password here and we'll invite your friends automatically!

Re:"No Security Risks"?

[l_bratch]

The case with Flickr, and I assume all other third party sites that you can use Yahoo logins with, is that you actually get redirected to a yahoo.com domain to login. Even with this code being available, they can't trick experienced users based on that.

And at the end of the day...

[misterhypno]

... there STILL won't be a voice chat client for the Mac users!

Lee Darrow, C.H.
Chicago, IL

Re:And at the end of the day...

[carlivar]

a voice chat client for the Mac users!

It's coming.

Not email authentication

Email authentication involves signing and checking an email message a-la PGP.

This is 'user authentication' at best but all you're authenticating is that a user has a yahoo account. Unless they offer ID verification, this is pretty useless. Paypal is in a much better position to launch a service like this. ...but hey, what do I know? I'm just a 99 year old Grandmother from Soweto, you can email me at sexbabe4eva@yahoo.com to discuss this further :-/

Great, more ID theft

[192939495969798999]

So now if i login to Yahoo, every jerk with a website can read that cookie and know who i am, right?

Re:Great, more ID theft

[ubernostrum]

So now if i login to Yahoo, every jerk with a website can read that cookie and know who i am, right?

Nope. The press release is really short on details, but the official developer docs spell things out more clearly: the initial authentication takes place on servers Yahoo controls, and the user has to explicitly consent to opening up any information the third-party site wants to access. If they do, Yahoo provides an authentication token that can be used to make calls to Yahoo's various web services on behalf of the user. The token expires after one hour, and must be used in combination with another token, unique to the application, to generate unique, non-replayable hashes on each request.

They've been using a similar system on Flickr for a while; you apply for an application token, and people who use your application have to give explicit permission before it can access any of their photos.

New Yahoo Mail Sucks - What To Do? - OpenSource It

So, you buy a company to get a RIA mail program. You roll out your new e-mail program that looks nice and has lots of features but the performance sucks with all of the JavaScript. Your stuck, people are switching back to the old program or start using GMail instead of Yahoo (I know at least 10 people who have switch back to classic or moved to Google). So how do you salvage this? Make some hoopla around opensourcing. Yeah....

The article and blurb are a little incorrect

[justMichael]

The code will be released late in 2006. Yahoo notes that there are 'no security risks' since they keep absolute control of usernames and passwords.

This was released on Friday, and I spent a couple hours adding it to Feed Harvesst.

It works pretty well, though I'm not all that big a fan of the process of logging in. The process goes like this:

1. Redirect the user to Yahoo!
2. User logs into Yahoo!
3. User has to confim that they are allowing your site access to their data (for Feed Harvest it's only an auth, no access)
4. Yahoo! redirects the user back to you with an optional hash so you can keep track of the users account on your side.

This all seems reasonable, but I think I'd like to see the ability to set a pref so that you don't have to confirm every time. Other than that it does lower the barrier to entry for a site/service.

You have to choose the level of acccess when you register your app. When I registered the choices were (from memory):

• Auth Only
• Read/Write access to Yahoo! Mail
• Read access to Photos
• Read/Write access to photos