Yahoo Mail Moves From Passwords To Push Notification Sign-Ins (tumblr.com)
An anonymous reader writes: A revamp of Yahoo Mail includes a new feature which eliminates the password from the sign-in process on mobile platforms, instead relying on the user's phone number as a token of authenticity. Notification-based sign-ins are a network-heavy commitment used with less frequency during some online banking authentication procedures, and by Google and others in specific events such as the need for a password reset. But Yahoo is well-motivated to improve security after a 2014 data breach led to a mass-reset of passwords for affected users.
Yahoo Mail has been my throwaway email since about forever, and I have no desire for it to be anything other than that. Yahoo is in such straits now that I would have to read the fine print about what they'll be doing with my cell number and would be very leery about handing it to them. It wouldn't surprise me if this is less a security ploy than a data-mining revenue enhancement ploy.
Left MS Windows for Linux Mint and never looked back!
Vote for Bernie in 2016!
I hope they've taken SIM cloning into account. Myself, I prefer TOTP authentication using software like Google Authenticator or a hardware dongle (downside: finding hardware that supports multiple accounts on multiple services).
It's easier, but not really better.
With two-factor auth, password and push notification/sms/whatever, you still need to know the password. I can keylog your password, but I still need to get access to your phone and the sms content, within the time-frame before the code expires.
Now all you need is access (exploit, backdoor or physical) to the phone/tablet/milk jug.
NO, I do NOT want to receive a fucking text message every time I need to login somewhere.
Fuck you, Yahoo, it's no wonder why you have the craptastic reputation you do.
Just cruising through this digital world at 33 1/3 rpm...
What am I missing? This does not sound more secure at all.
Yahoo assumes that your phone is protected. This is going to be a problem between friends and lovers who love to share their stuff but not their social media accounts.
No different than if someone steals your wallet and you have to cancel your credit cards.
I am not going to give Yahoo my cell phone number. Period. My Yahoo account is a throwaway one anyway.
I use Yahoo! as a throw-away, personal email. Went to use their new notification basis. I never received the token as they claimed I would. Did switch to their SMS version for on-demand passwords. That, actually, did work. Perhaps, the other system is working now and was just experiencing high demand/load issues due to all their users giving it a shot. But, after getting locked out three times trying to use this "feature", I don't think I will try it again anytime soon.
Welcome to allowing anyone to make my phone beep a thousand times every minute while I'm at dinner.
What do you think my father is going to do when his phone asks for authorization that he didn't instigate? He's going to call me saying that his e-mail is being hacked. ...and when it happens a dozen times an hour, he's going to accidentally authorize something -- and then have no idea what's happened as a result.
I have a mobile data plan in the USA. How would this work when I go out of the country? Does it work on WiFi?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
So does this mean that all one has to do to obtain all of a corporation's most valued secrets is to steal the CEO's phone?
Ever heard of someone being swatted?
Have gnu, will travel.
Go to mail.yahoo.com and try to sign up for a throwaway email like you used to. It demands a cell number and if you don't hand it over, no "free" email for you!
This cell number requirement applies to Flickr and any other form of Yahoo account. This started about 2 years ago.
> Yahoo assumes that your phone is protected. This is going to be a problem between friends and lovers who love to share their stuff but not their social media accounts.
Or if your phone is stolen...
The people "running" Yahoo really seem to have no idea what they're doing. I hope that at least they make this an optional service and not a forced change for everyone.
Just cruising through this digital world at 33 1/3 rpm...
In theory it's more secure because, as you say, it'd presumably require someone getting your phone. My major problem with it is that there's a lot of better ways to achieve the same result (one time pad plus a password) but then it's susceptible to the same problem as the stolen phone really. But, then, that's really the overreaching problem with the whole thing: if the server holding the verification system is compromised, you inherently have bigger problems to worry about. And if most users are likely to be compromised (either through viruses/malware or through stolen hardware), you have bigger problems.
But, in the end, security is a process. Force changing passwords upon compromise, earlier disclosure of breaches, and generally working with the public to deal with these security breaches as they occur (whether they're on Yahoo's end or the users' end) is the way to go. All these push notification/cell-phone-is-your-password schemes don't really fix anything but try to increase the burden upon people who do compromise accounts. Well, that's too little too late unless they're actively seeking out compromised accounts and using them to educate those who were exploited/disabling accounts for those who refuse to follow any good security advice and/or fix the problems that resulted in the exploit being achievable on their end (storing plain text passwords, insufficient software updates on underlying server software, various design flaws in their own software, etc).
But that sort of thing requires manpower, a willingness to take short-term PR hits for long-term gains, and to generally treat the problem as something that's not fixable entirely but merely something that needs to be constantly worked on. The real question then is whether a requirement for this push notification on a per-login basis will be enough of an annoyance to outweigh the negative PR of overall education/better security. Honestly, I don't know.
So if someone gets my phone, they can access my Yahoo accounts because all the knowledge needed to access my Yahoo accounts is contained on the phone and/or Yahoo will message it to the phone.
AFAICT, that is the case, but it's actually much worse than you imply. Unless I'm missing something, they don't need access to your phone, but just access to your SMS, which is NOT a secure channel (it's quite obscure to most people, but it's not secure).
On the other hand, and in their defense, all modern smart phones that I've seen only need to be unlocked from the lock screen (if they even have that turned on), and then you can access their email, facebook, etc etc etc without any additional auth. Even after freshly restarting a phone, you can go right into most apps with no additional auth needed.
I suspect there is a little more to it than just an SMS'd code. Perhaps the app also needs access to local account info (IMEI, etc) and compares that to the validity of the SMS'd code? This could help to mitigate attacks on the SMS channel. Still, if they get your phone, you're fucked.
I've had my yahoo email since 1997, back when Yahoo didn't suck. Time to go. I'll now have no reason to visit yahoo ever again.
Please do not read this sig. Thank you.
This is a great scam because ATT is already in bed with Yahoo and uses it for mail to ATT.net subscribers.
Now I see the thought process behind this being such a great idea. It is, for every account that they want to charge text messaging for.
It's just another way they figured out to screw even more out of us.
They had to make a trade-off between security and convenience somewhere. How many times a year do you lose your phone, anyway?
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
So you think faking caller id will let you receive other people's phone calls when someone dials their number?
Good luck with that!
> But Yahoo are well-motivated to improve security after a 2014 data breach led to a mass-reset of passwords for affected users
It sounds like they are pushing the burden on their users rather than solving the problem of their own security.
You don't have security code on your phone?
other than serving as "junk addresses", with a name like that. There's a reason people avoid sending professional inquiries as "Hotmail" and "Yahoo".
Seriously, you pay for texting by the message? Is that even legal these days?
Yes. If you're in the United States, and your cellular service costs less than about $500 per year, you probably pay per outgoing message and per incoming message. This is especially common on pay-as-you-go carriers such as Virgin.
You don't need the phone to receive text messages... just the SIM.
If you want a vision of the future, imagine a youtube comments section scrolling - forever.
Sniffing the SMS message from the air is obscure enough to expect it to not happen often, but yanking the SIM card from the smartphone will enable you to receive SMS messages without having to bypass the phone's lockscreen. Almost nobody enables the PIN lock on their SIM cards.
If you want a vision of the future, imagine a youtube comments section scrolling - forever.
Thanks to portability and VoIP, phone numbers don't have to tie into anything at all.
Any number, anywhere on the planet.
Paid for by anything including cash and Bitcoin, even DogeCoin FFS.
Even a Google Voice number bypasses all of your assertions. Free!
I've presently got three phone numbers and three 800 numbers for no other reason than, I can. For $6 per month.
None the less, Yahoo, Google, Microsoft, et al will never have any of them.
When I travel I always get a local SIM so as to avoid the roaming fees. This means a new mobile number. This is okay as I never really use my mobile to make actual phone calls any more, it's all about data for me.
Auth systems that rely on my mobile number being constant and available are thus utterly useless to me.
I used to have a better sig than this, but I got tired of it
I keep several of them around to absorb different kinds of junk mail. One of them's for reading Flickr. Another's the contact account for the Gmail account I use for watching YouTube. Another's one I started giving vendors years ago. Another one's for reading Yahoo groups, which has something vaguely resembling my real name. I've probably forgotten a few others. And no, thanks, none of them need my Real Life Phone Number. If I forget the password for the one I read Flickr with, I can create another.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
How is that different to having your android phone stolen, where you have gmail, facebook etc etc open, logged into etc all the time?
I think the assumption is, if you have access to someone's phone, you have access to their Yahoo mail as most smartphone users sync their mail to their phones.
...Yahoo! got rid of the latest changes. The web pages are now taking a long time to load to a point of being functional, typically 5-10 minutes before I can start moving e-mails around for those few that don't get filtered. It's ridiculous.
Oh, yeah - and forget about this password-less crap too. As others have said, it's just going to make the phone the password and result in a lower security barrier.
> How is that different to having your android phone stolen, where you have gmail, facebook etc etc open, logged into etc all the time?
I don't use a smart phone and I don't use facebook, gmail, etc etc, so for me it's not a problem.
Everyone else is free to do whatever strikes their fancy.
My point is I don't want a text every time I need to login to something.
Just cruising through this digital world at 33 1/3 rpm...
Thankfully they're not forcing old users to supply a phone number... yet, but they do nag.
Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
Stupid idea since not everyone has a cell/land line phone # to use to sign into email. Also it's a great gov. info collection tool too!
That's what SIM PINs are for. If you don't have this turned on you deserve what happens.
Does anyone actually have a reference to an article describing SPECIFICALLY how it works? Yahoo is being REALLY vague in their press releases, presumably to keep the plebs from getting confused or concerned. (All they say is "look, easy and safe".)
Everyone here is assuming they're sending an SMS code, but the descriptions from Yahoo read like this:
> To sign in, you'll just need to tap "Yes" on the notification we send to your phone.
Are they using MMS? (Multi Media Texts?)
Is their App reading your text messages!?!? Effectively using SMS as a side channel?
You know what comes next -- heavy attacks upon PHONE COMPANIES to steal phone numbers. The creaky ancient phone system is going to bust open under this... everyone's personal phone numbers are going to get slammed on a regular basis. Rich, famous, and powerful people especially.
http://ask.ofcom.org.uk/help/t...