Slashdot Mirror
Yahoo Debuts End-To-End Encryption Email Plugin, Password-Free Logins
An anonymous reader writes: Yahoo has released the source code for a plugin that will enable end-to-end encryption for their email service. They're soliciting feedback from the security community to make sure it's built properly. They plan to roll it out to users by the end of the year.
Yahoo also demonstrated a new authentication system that doesn't use permanent passwords. Instead, they allow you to associate your Yahoo account with your phone, and text you a code on demand any time you need to log in. It's basically just the second step of traditional two-step authentication by itself. But Yahoo says they think it's "the first step to eliminating passwords."
Yahoo also demonstrated a new authentication system that doesn't use permanent passwords. Instead, they allow you to associate your Yahoo account with your phone, and text you a code on demand any time you need to log in. It's basically just the second step of traditional two-step authentication by itself. But Yahoo says they think it's "the first step to eliminating passwords."
I don't. I tried to sign up with Yahoo a few weeks ago and got cockblocked by this. They required a mobile number.
I'm sure Yahoo understands this. But who wants to go through the hassle of two factors of authentication (including using a unique and difficult password) every time they want to read an e-mail ?
What they trying to do is find a way to provide good enough security that people will actually use.
Wouldn't this ideally be presented as a choice to users?
Except for option 2, Yahoo offers those choices.
In a standard smtp environment nothing can protect the email meta-data.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
The real problem is that people are using web browsers to read their e-mail instead of a proper e-mail client that already supports the existing standards of pgp and s/mime This yahoo plugin is actually based on google's code for an end to end plugin. It implents pgp.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBCAAGBQJVBtrWAAoJEGgrLreJLenh890IAJMHRwdi6vN1wSFhJnDNHqIX
GTuTGo7BEFp0+4Qo9mTiYtbF8HhJy1NAClXUKQ+fsHF6NwfvqEq2Fe7909oXPSNk
DewmEMc8xHlKxp9xaz6kVNg8t3DoieJCc4JoSmkpXRPtsC/0k8bdrAaH/7dhk1ex
mKU8QLjz60a9cOSU3BoBg9bG2GJacI+1fv6JxNUuV8LaxCwwIBSP/a3TYRRBnZX9
+AW66Oljq/gf7UH+4NxuKxrZ2K2MRYDVi9N57skb8V9MfiK9livZCPNxPvGePpIk
CmCJXa9pHY9+fkIwJeHCbIEPumC5wMcUJcnvOupRbodEFI10oad0Hs0ZJXVwZec=
=xOyc
-----END PGP SIGNATURE-----
Also, don't lose your phone where evil people might find it.
Forgive me if I've got the following arithmetic wrong, but if they remove one factor from two-factor authentication, doesn't that make it one-factor authentication?
I don't see eliminating passwords as an important goal. Instead, the goal should be to increase security. To that end, I've recently begun to use two-factor authentication on all my important accounts. However, I'm finding that each service implements it differently, so it's a bit annoying to have to remember how to deal with each one. Also, I use one service that requires a hardware token which they mail to you, and that makes it more difficult to get the whole thing set up, compared to the more common case where you just give them your phone number and then two-factor authentication begins to work nearly instantly. So, it would be nice if we had some industry standards on all that.
Since some services make two-factor authentication somewhat difficult to set up, I get the impression that they find that the increased support costs for it to not be worth it, at least from the service's point of view. Of course, from the customer point of view, if it prevents a security breach to an important account, it's well worth the extra trouble.