Slashdot Mirror


Yahoo To Open Up Email Authentication

Aditi.Tuteja writes, "Yahoo has announced it will give away the browser-based authentication used in its email service, considered to be the company's 'crown jewels.' Yahoo made the announcement ahead of a 24-hour 'Yahoo Hack Day,' where it had invited more than 500 mostly youthful outside programmers to build new applications using Yahoo services. Considering the different needs of its huge user base (257 million people use Yahoo Mail), Yahoo has decided it can't build or buy enough innovation, so they are enlisting the worldwide developer community." The code will be released late in 2006. Yahoo notes that there are 'no security risks' since they keep absolute control of usernames and passwords.

4 of 75 comments

  1. Re:But Yahoo email login work with FF passwords? by closetphilosopher · · Score: 5, Informative

    I don't know about Yahoo, but for other websites that prevent password saving, use the bookmarklet at http://www.squarefree.com/bookmarklets/forms.html to change the form parameters before you submit it.

  2. Re:Fetchyahoo anyone? by Burz · · Score: 2, Informative

    The Webmail extension for Thunderbird can access Yahoo Mail and also updates regularly. However, it's so easy to update extensions that I don't mind.

    If you want Yahoo-->IMAP, just set up an IMAP server (or an account with a provider like Fastmail) then set up a TB rule to move the Webmail onto your IMAP server.

  3. The article and blurb are a little incorrect by justMichael · · Score: 2, Informative
    The code will be released late in 2006. Yahoo notes that there are 'no security risks' since they keep absolute control of usernames and passwords.
    This was released on Friday, and I spent a couple hours adding it to Feed Harvest.

    It works pretty well, though I'm not all that big a fan of the process of logging in. The process goes like this:
    1. Redirect the user to Yahoo!
    2. User logs into Yahoo!
    3. User has to confirm that they are allowing your site access to their data (for Feed Harvest it's only an auth, no access)
    4. Yahoo! redirects the user back to you with an optional hash so you can keep track of the user's account on your side.

    This all seems reasonable, but I think I'd like to see the ability to set a pref so that you don't have to confirm every time. Other than that it does lower the barrier to entry for a site/service.

    You have to choose the level of access when you register your app. When I registered the choices were (from memory):
    • Auth Only
    • Read/Write access to Yahoo! Mail
    • Read access to Photos
    • Read/Write access to photos

  4. Re:Great, more ID theft by ubernostrum · · Score: 2, Informative

    So now if I log in to Yahoo, every jerk with a website can read that cookie and know who I am, right?

    Nope. The press release is really short on details, but the official developer docs spell things out more clearly: the initial authentication takes place on servers Yahoo controls, and the user has to explicitly consent to opening up any information the third-party site wants to access. If they do, Yahoo provides an authentication token that can be used to make calls to Yahoo's various web services on behalf of the user. The token expires after one hour, and must be used in combination with another token, unique to the application, to generate unique, non-replayable hashes on each request.

    They've been using a similar system on Flickr for a while; you apply for an application token, and people who use your application have to give explicit permission before it can access any of their photos.
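
Added example, not part of the original thread and not Yahoo's code: a Python illustration of the kind of scheme the last comment describes, where a one-hour user token is combined with a per-application secret so that each request carries a hash that cannot be replayed. The HMAC-SHA256 construction, the timestamp and nonce fields, the five-minute skew window and every name below are assumptions; the page does not give Yahoo's actual hash format.

```python
import hashlib
import hmac
import json

TOKEN_TTL = 3600  # from the thread: the user token expires after one hour
MAX_SKEW = 300    # assumption: how far a request timestamp may drift, in seconds


def sign_request(app_secret, user_token, path, ts, nonce):
    """Client side: bind path, user token, timestamp and nonce to the app secret."""
    msg = json.dumps([path, user_token, ts, nonce]).encode()
    return hmac.new(app_secret, msg, hashlib.sha256).hexdigest()


class Verifier:
    """Provider side: knows each app's secret and which token it issued to which app."""

    def __init__(self, app_secrets, tokens):
        self.app_secrets = app_secrets  # app_id -> secret (bytes)
        self.tokens = tokens            # user_token -> (app_id, issued_at)
        self.seen = set()               # (app_id, nonce) pairs already accepted

    def check(self, app_id, user_token, path, ts, nonce, sig, now):
        secret = self.app_secrets.get(app_id)
        grant = self.tokens.get(user_token)
        if secret is None or grant is None or grant[0] != app_id:
            return "unknown app or token"
        if now - grant[1] > TOKEN_TTL:
            return "token expired"
        if abs(now - ts) > MAX_SKEW:
            return "stale timestamp"
        expected = sign_request(secret, user_token, path, ts, nonce)
        if not hmac.compare_digest(expected, sig):
            return "bad signature"
        if (app_id, nonce) in self.seen:
            return "replay"
        self.seen.add((app_id, nonce))  # only needs keeping for the skew window
        return "ok"


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    v = Verifier({"app1": b"constructed-secret"}, {"tokA": ("app1", 1000)})
    sig = sign_request(b"constructed-secret", "tokA", "/mail/list", 1500, "n1")
    print(v.check("app1", "tokA", "/mail/list", 1500, "n1", sig, now=1510))
    print(v.check("app1", "tokA", "/mail/list", 1500, "n1", sig, now=1520))
```

Because the timestamp and nonce are inside the signed message, a captured request cannot be re-sent later with a fresh timestamp, and a token issued to one application fails verification when presented under another application's id.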