Yahoo To Open Up Email Authentication

Aditi.Tuteja writes, "Yahoo has announced it will give away the browser-based authentication used in its email service, considered to be the company's 'crown jewels.' Yahoo made the announcement ahead of a 24-hour 'Yahoo Hack Day,' where it had invited more than 500 mostly youthful outside programmers to build new applications using Yahoo services. Considering the different needs of its huge user base (257 million people use Yahoo Mail), Yahoo has decided it can't build or buy enough innovation, so they are enlisting the worldwide developer community." The code will be released late in 2006. Yahoo notes that there are 'no security risks' since they keep absolute control of usernames and passwords.

Good for Yahoo

[lewp]

In their struggle to maintain relevance in the face of Google, Yahoo has really done a complete 180 from the days when their main service was a manually-reviewed index of websites. They've had the good sense to keep their noses out of (e.g. Flickr), and they've made some cool products/technologies available to the developer community for free.

Google gets all the press nowadays, but Yahoo's been pretty cool lately as well. Props!

257m users.

How many of those 257 million users are spambots?

Re:257m users.

[rvw]

So Consider I'm only 1 person with at least 5 accounts... and that's probably not entirely unusual. I'd figure 257m translates to 3-4m unique people.

Yeah right! Everybody has as least 50 accounts. And some people even have more than 100 to compensate for that one stupid user who has only one. You probably graduated in math?

It seems to me like...

[RuBLed]

...social websites allowing their users to customize the css templates of their profile pages. There would surely be a few good innovations but like 70% of my friends "customized profile pages", most would visually painful enough that.. arrghhh..!! *head explodes*

But Yahoo email login work with FF passwords?

[denis-The-menace]

Does this mean that I'll be finally able to login into Yahoo email with the built-in password handling in Firefox?

If so, I'll believe it when I see it.

Re:But Yahoo email login work with FF passwords?

[closetphilosopher]

I don't know about Yahoo, but for other websites that prevent password saving, use the bookmarklet at http://www.squarefree.com/bookmarklets/forms.html to change the form parameters before you submit it.

Still too much spam!

[Kid+Zero]

Geez.... their spam filters are non-existant.

OpenID ?

[johnjones]

could they not just conform to a standard ?

regards

John Jones

Re:OpenID ?

[Frosty+Piss]

could they not just conform to a standard?

They do conform to a standard, just not the standard you're talking about.

Crown jewels?

[bogaboga]

Come on Yahoo...is that authentication code really a crown jewel? I am no coder but really wonder whether that title fits what the subject is here. What if we find that most if not all of this authentication code was lifted from BSD?

Re:Crown jewels?

[Schlemphfer]

>Come on Yahoo...is that authentication code really a crown jewel?

The code isn't the crown jewel. What's of enormous value is the database of 250 million established Yahoo ID's.

Suppose I want to open my blog up to comments. These days, I'd be nuts to allow non-account-holders to post, since I would be overwhelmed with comment spam. How many of my users will be willing to register a brand new username and password with my site's custom code? But if you've already got a Yahoo ID, that's all you'll need to go right ahead and post on my blog. See? The barriers to participating on my site have dropped almost to nothing, all because of Yahoo's pre-existing database of 250 million users.

This is a win all the way around. It's a win for Yahoo, since it makes it more valuable for people to own a Yahoo ID. It's a win for me, since I don't need to generate custom code and maintain a database for user passwords. And it's a win for my users, who can now comment on my blog with little or no hassle.

The losers? Sites like typekey.com, who were created to offer the same feature that Yahoo is about to offer, but who don't have the crown jewel of 250 million user accounts.

Re:Crown jewels?

[Psychotria]

I dunno about what you typed. Here in Australia though "crown jewels" means something umm... err.. well I aint giving them away and I'll keep them snug-as-a-bug in my underwear... err, on second thoughts don't read this message

jewlery

[macadamia_harold]

Yahoo has announced it will give away the browser-based authentication used in its email service, considered to be the company's 'crown jewels.'

If that's one of their 'crown jewels', would their hosting service be considered the "family jewels"?

'No security risk'

[SeaFox]

Yahoo notes that there are 'no security risks' since they keep absolute control of usernames and passwords.

Why does the phrase "famous last words" come to me when I hear that. I can almost imagine it being spoken by Hammond in Jurrasic Park when he's talking about how safe the attractions are and that it's impossible for the dinosaurs to breed.

I forsee an explot being developed or maybe someone will just write a new "service" that makes use of Yahoo's systems that also happens to pass the username/pass to a more nafarious author.

Remember, the tool is only as safe as the operator. AOL's search didn't even ask for people to enter their Social Security Numbers.

Re:Yahoo for yahoo.

Hiring the world to do thier work. BRILLIANT!

I really wish people wouldn't do this crap. It's not Mom and Pop's Search Engine Co. It's frigging Yahoo. If you want programmers, pay some damn programmers.

DARPA Grand Challenge, sure. Nobody's getting your crap for free when you're done. GPL, sure. They only get it if they give back. But stupid competitions like this just feed cash into the already-cash-filled pockets of corporations. Not that corporations making money is a bad thing, but we don't need to hand them more for driving down programmer wages.

It's part of a trend

[joeflies]

Microsoft's tried to own identity by offering 3rd party authentication through Passport, and now shifted towards IDCard/LiveID. Google has already opened up their authentication

Ultimately this comes down to who are users going to flock to as their primary id on the internet - and thus users will use it to log into 3rd party applications which lie outside of microsoft/google/yahoo. The bigger question, though, is how come these companies are going to "own" your id instead of federate it.

BTW, Yahoo has offered authentication services through other apps back in March.

Insanely brilliant

[dedazo]

Think about this - you can now integrate a full-blown email client into your application (CMS, corporate, portals, etc) by simply writing around what will probably be a thin WS/RPC wrapper. Branding can't be far behind, and Yahoo will probably use the insertion of (hopefully) unobtrusive ads to finance it. Higher-level customers can probably do much more, including getting rid of ads. Maybe the service will even work with other domains. Now John Coder can offer a real email client in his app with minimal effort.

It remains to be seen if they can pull this off, but it's nice to see this type of innovation and broad steps coming from somewhere other than Google. I like Google, but they need the competition or they'll start to stagnate. Competition is good!

Re:Fetchyahoo anyone?

[Burz]

The Webmail extension for Thunderbird can access Yahoo Mail and also updates regularly. However its so easy to update extensions that I don't mind.

If you want Yahoo-->IMAP, just setup an IMAP server (or an account with a provider like Fastmail) then setup a TB rule to move the Webmail onto your IMAP server.

yahoo it/tech dept are hopeless

[cheekyboy]

What happens to IT staff/ techos that make millions themselves through stock options in the late 90s?

You become lazy rich yuppies (see the yahoo ceos daughter on mtv? gawd) and your brain turns into drivel that cannot
innovate.

Go on a 4week engineering brain storm trip, no girls, no CC cards, no email to your wifes.

That will give you 5 years of engineering brillians between 10 smart people.

How hard is it to kill all the bots/fake accounts? how about killing all accounts with a prefix of 5 or more digits or AAAAA prefixes.
Suspend millions of them, and if there is no real person requesting it be turned back on its a bot, no response in 90 days, rm -rf the damn
account.

Or is yahoo claiming 250 million users, yet its only 90million real people and the rest bots?

(Obligatory)

[stuuf]

The great thing about standards is that there are so many to choose from...

Phishing

[aaronwormus]

Phishing is a BIG problem with Yahoo (and other big websites) plenty of users lose control of their Yahoo! IDs (granted they are not so bright, as seen by the average IQ of people who responded to this post).

I would hate for a phishing attack on Yahoo to make my site vulnerable. And with more and more websites popping up Yahoo! signups, it just makes it easier for someone to spoof the form on their site and gather passwords.

In the Favor of Y! they have taken good steps against phishing attempts, but it still happens a lot.

Great, more ID theft

[192939495969798999]

So now if i login to Yahoo, every jerk with a website can read that cookie and know who i am, right?

Re:Great, more ID theft

[ubernostrum]

So now if i login to Yahoo, every jerk with a website can read that cookie and know who i am, right?

Nope. The press release is really short on details, but the official developer docs spell things out more clearly: the initial authentication takes place on servers Yahoo controls, and the user has to explicitly consent to opening up any information the third-party site wants to access. If they do, Yahoo provides an authentication token that can be used to make calls to Yahoo's various web services on behalf of the user. The token expires after one hour, and must be used in combination with another token, unique to the application, to generate unique, non-replayable hashes on each request.

They've been using a similar system on Flickr for a while; you apply for an application token, and people who use your application have to give explicit permission before it can access any of their photos.

The article and blurb are a little incorrect

[justMichael]

The code will be released late in 2006. Yahoo notes that there are 'no security risks' since they keep absolute control of usernames and passwords.

This was released on Friday, and I spent a couple hours adding it to Feed Harvesst.

It works pretty well, though I'm not all that big a fan of the process of logging in. The process goes like this:

1. Redirect the user to Yahoo!
2. User logs into Yahoo!
3. User has to confim that they are allowing your site access to their data (for Feed Harvest it's only an auth, no access)
4. Yahoo! redirects the user back to you with an optional hash so you can keep track of the users account on your side.

This all seems reasonable, but I think I'd like to see the ability to set a pref so that you don't have to confirm every time. Other than that it does lower the barrier to entry for a site/service.

You have to choose the level of acccess when you register your app. When I registered the choices were (from memory):

• Auth Only
• Read/Write access to Yahoo! Mail
• Read access to Photos
• Read/Write access to photos