Slashdot Mirror


Yahoo Mail Moves From Passwords To Push Notification Sign-Ins (tumblr.com)

An anonymous reader writes: A revamp of Yahoo Mail includes a new feature which eliminates the password from the sign-in process on mobile platforms, instead relying on the user's phone number as a token of authenticity. Notification-based sign-ins are a network-heavy commitment used with less frequency during some online banking authentication procedures, and by Google and others in specific events such as the need for a password reset. But Yahoo is well-motivated to improve security after a 2014 data breach led to a mass-reset of passwords for affected users.


  1. Selling Cell Numbers to Advertisers? by Irate+Engineer · · Score: 5, Insightful

    Yahoo Mail has been my throwaway email since about forever, and I have no desire for it to be anything other than that. Yahoo is in such straights now that I would have to read the fine print about what they'll be doing with my cell number and would be very leery about handing it to them. It wouldn't surprise me if this is less a security ploy than a data-mining revenue enhancement ploy.

    --

    Left MS Windows for Linux Mint and never looked back!

    Vote for Bernie in 2016!

    1. Re:Selling Cell Numbers to Advertisers? by JustAnotherOldGuy · · Score: 4, Insightful

      I would have to read the fine print about what they'll be doing with my cell number and would be very leery about handing it to them.

      Same here, with the added caveat that "terms and conditions are subject to change". In other words, once they have it they can basically do whatever they want with it and good luck trying to stop them.

      "Sorry, didn't you read our new TOS? It explicitly states that we can now sell your phone number to the Mobile Marketing Ad Group in India and Bahrain and Brazil and Mexico and Russia and anywhere else we fucking feel like it."

      --
      Just cruising through this digital world at 33 1/3 rpm...
    2. Re:Selling Cell Numbers to Advertisers? by Anonymous Coward · · Score: 1

      They are most likely trying to save on support costs from users who forget their passwords or who used weak passwords and had their accounts hijacked.

      Moving security into "something that you have" rather than "something that you know" involves different tradeoffs and is still weak compared to two factor, but, honestly, given most users it probably increases security. If they're using SMS, it leaves people wide open to sophisticated attackers, though.

    3. Re:Selling Cell Numbers to Advertisers? by Mashiki · · Score: 1

      That'll work out really well, especially for those on prepay plans where you get charged $0.25 per text message. Well if yahoo wants to commit sudoku they're doing a fine job.

      --
      Om, nomnomnom...
    4. Re: Selling Cell Numbers to Advertisers? by MenThal · · Score: 3, Funny

      Well they'll need to juggle a lot of numbers...

    5. Re:Selling Cell Numbers to Advertisers? by SeaFox · · Score: 1

      Yahoo Mail has been my throwaway email since about forever, and I have no desire for it to be anything other than that.

      That's probably half their thinking here -- find a way to get rid of the users who are just using them for a spam account so they have more network resources for the "real" users with email coming in that's worth data-mining.

    6. Re:Selling Cell Numbers to Advertisers? by ColdWetDog · · Score: 1

      And although Japanese isn't my strong suit - I think you mean seppuku rather than soduki (the puzzle game).

      --
      Faster! Faster! Faster would be better!
    7. Re:Selling Cell Numbers to Advertisers? by fahrbot-bot · · Score: 1

      And although Japanese isn't my strong suit - I think you mean seppuku rather than soduki (the puzzle game).

      It's a fairly common Internet meme/joke. Like, "So I did a 360 and walked away."

      --
      It must have been something you assimilated. . . .
    8. Re:Selling Cell Numbers to Advertisers? by CrimsonAvenger · · Score: 1

      Yahoo is in such straights

      Straits. The euphemism refers to narrow, hard to navigate passages of water, not to uncurved lines...

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    9. Re:Selling Cell Numbers to Advertisers? by Gavagai80 · · Score: 2

      Us less-communicative, non-rich people pay per text on pay as you go plans to save money. At 10 cents a text/minute, my bill works out to $5-$10 per month.

      --
      This space intentionally left blank
    10. Re:Selling Cell Numbers to Advertisers? by Mashiki · · Score: 1

      Seriously, you pay for texting by the message? Is that even legal these days?

      It is in Canada and the US. If you're not blowing $30+mo on your cell you're paying for incoming and outgoing text messages, unless the company you're with gives incoming texts for free.

      And no, commit sudoku.

      --
      Om, nomnomnom...
    11. Re:Selling Cell Numbers to Advertisers? by Irate+Engineer · · Score: 1

      Well if yahoo wants to commit sudoku they're doing a fine job.

      This needs to be put into the Slashdot random comments.

      --

      Left MS Windows for Linux Mint and never looked back!

      Vote for Bernie in 2016!

    12. Re:Selling Cell Numbers to Advertisers? by unixisc · · Score: 1

      I have a really old Yahoo! mail account, and it just never stops receiving spam. Your usage of it is correct.

    13. Re:Selling Cell Numbers to Advertisers? by Mashiki · · Score: 1
      --
      Om, nomnomnom...
    14. Re:Selling Cell Numbers to Advertisers? by Reziac · · Score: 1

      Same here.

      And what happens when your phone is lost or stolen??

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  2. SIM cloning by Todd+Knarr · · Score: 1

    I hope they've taken SIM cloning into account. Myself, I prefer TOTP authentication using software like Google Authenticator or a hardware dongle (downside: finding hardware that supports multiple accounts on multiple services).

    1. Re:SIM cloning by KermodeBear · · Score: 1

      And, silly though it may sound, simply changing your phone number. A lot of people will think that this is great, and they'll use it, but then they'll want to change their phone number for one reason or another and then... Whooops.

      --
      Love sees no species.
    2. Re:SIM cloning by ShanghaiBill · · Score: 1

      then they'll want to change their phone number for one reason or another and then... Whooops.

      You can switch to a new phone number by answering the security questions.

    3. Re:SIM cloning by SeaFox · · Score: 1

      You can switch to a new phone number by answering the security questions.

      You'd be surprised how many people can't answer the security questions they set up themselves.

    4. Re:SIM cloning by fahrbot-bot · · Score: 4, Funny

      You can switch to a new phone number by answering the security questions.

      You'd be surprised how many people can't answer the security questions they set up themselves.

      Not me! My security question is: "What is your security question?"

      --
      It must have been something you assimilated. . . .
  3. I'm not sure by Anonymous Coward · · Score: 1

    It's easier, but not really better.

    With two-factor auth, password and push notification/sms/whatever, you still need to know the password. I can keylog your password, but I still need to get access to your phone and the sms content, within the time-frame before the code expires.

    Now all you need is access (exploit, backdoor or physical) to the phone/tablet/milk jug.

  4. No, No No No by JustAnotherOldGuy · · Score: 1, Insightful

    NO, I do NOT want to receive a fucking text message every time I need to login somewhere.

    Fuck you, Yahoo, it's no wonder why you have the craptastic reputation you do.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re: No, No No No by Anonymous Coward · · Score: 3, Interesting

      Think of all the benefits.

      1) Your phone number indicates your country unambiguously, so they can separate that legally pesky US data from free-for-the-hoovering foreign intel.

      2) Your phone number ties into credit identities somewhere along the line, unless you paid cash for a burner. But most targets won't have that kind of foresight. This makes your PRISM strong-selector even stronger (and Yahoo is a partner in the PRISM consortium, so you get all the advantages that cooperation offers)!

      3) You won't want to jump through the login hoops often, so you'll stay logged in to Yahoo in your browser and won't clear your cookies, supercookies, etc. That makes it easier for Yahoo to track your progress through the web via tracking beacons.

    2. Re:No, No No No by Anonymous Coward · · Score: 1

      Am I the only one that read the article instead of jumping to outrageous assumptions? Nowhere does it say it's forcing you to use this, and why would it send a text? It says PUSH notifications, which would be through the Yahoo app.

  5. So essentially the phone is my security credential by QuietLagoon · · Score: 5, Insightful
    So if someone gets my phone, they can access my Yahoo accounts because all the knowledge needed to access my Yahoo accounts is contained on the phone and/or Yahoo will message it to the phone.

    What am I missing? This does not sound more secure at all.

  6. Re:So essentially the phone is my security credent by Crowd+Computing · · Score: 1

    Yahoo assumes that your phone is protected. This is going to be a problem between friends and lovers who love to share their stuff but not their social media accounts.

  7. It wasn't working by Ronin+Developer · · Score: 2

    I use Yahoo! as a throw-away, personal email. Went to use their new notification basis. I never received the token as they claimed I would. Did switch to their SMS version for on-demand passwords. That, actually, did work. Perhaps, the other system is working now and was just experiencing high demand/load issues due to all their users giving it a shot. But, after getting locked out three times trying to use this "feature", I don't think I will try it again anytime soon.

  8. Ready for the spam? by holophrastic · · Score: 4, Informative

    Welcome to allowing anyone to make my phone beep a thousand times every minute while I'm at dinner.

    What do you think my father is going to do when his phone asks for authorization that he didn't instigate? He's going to call me saying that his e-mail is being hacked. ...and when it happens a dozen times an hour, he's going to accidentally authorize something -- and then have no idea what's happened as a result.

  9. Well, what happens when I go to India? by 140Mandak262Jamuna · · Score: 3, Interesting

    I have a mobile data plan in the USA. How would this work when I go out of the country? Does it work on WiFi?

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  10. So Does This Mean by turkeyfish · · Score: 1

    So does this mean that all one has to do to obtain all of a corporation's most valued secrets is to steal the CEO's phone?

  11. Because .... by PPH · · Score: 1

    ... phone numbers are secure and can't be cloned. Yeah, right.

    Ever heard of someone being swatted?

    --
    Have gnu, will travel.
  12. Yahoo Mail has required a cell number since 2013 by Anonymous Coward · · Score: 1

    Go to mail.yahoo.com and try to sign up for a throwaway email like you used to. It demands a cell number and if you don't hand it over, no "free" email for you!

    This cell number requirement applies to Flickr and any other form of yahoo account. This started about 2 years ago.

  13. Re:So essentially the phone is my security credent by JustAnotherOldGuy · · Score: 1

    Yahoo assumes that your phone is protected. This is going to be a problem between friends and lovers who love to share their stuff but not their social media accounts.

    Or if your phone is stolen...

    The people "running" Yahoo really seem to have no idea what they're doing. I hope that at least they make this an optional service and not a forced change for everyone.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  14. Re:So essentially the phone is my security credent by unrtst · · Score: 1

    So if someone gets my phone, they can access my Yahoo accounts because all the knowledge needed to access my Yahoo accounts is contained on the phone and/or Yahoo will message it to the phone.

    AFAICT, that is the case, but it's actually much worse than you imply. Unless I'm missing something, they don't need access to your phone, but just access to your SMS, which is NOT a secure channel (it's quite obscure to most people, but it's not secure).

    On the other hand, and in their defense, all modern smart phones that I've seen only need to be unlocked from the lock screen (if they even have that turned on), and then you can access their email, facebook, etc etc etc without any additional auth. Even after freshly restarting a phone, you can go right into most apps with no additional auth needed.

    I suspect there is a little more to it than just an SMS'd code. Perhaps the app also needs access to local account info (IMEI, etc) and compares that to the validity of the SMS'd code? This could help to mitigate attacks on the SMS channel. Still, if they get your phone, you're fucked.

  15. Well, I now have an excuse to change email. by gestalt_n_pepper · · Score: 1

    I've had my yahoo email since 1997, back when Yahoo didn't suck. Time to go. I'll now have no reason to visit yahoo ever again.

    --
    Please do not read this sig. Thank you.
    1. Re:Well, I now have an excuse to change email. by SeaFox · · Score: 1

      You haven't had a reason to visit Yahoo for awhile if you can set up an IMAP client.

  16. Re:So essentially the phone is my security credent by DNS-and-BIND · · Score: 1

    They had to make a trade-off between security and convenience somewhere. How many times a year do you lose your phone, anyway?

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  17. Re:Yeah because faking caller id is the same by PPH · · Score: 2

    The phone phreaks have figured out lots of tricks with call forwarding, etc. And home brewed versions of Stingray/IMSI catchers that can do MITM attacks. The phone systems are pretty insecure (probably by design. Thank your local Five Eyes TLA organization).

    --
    Have gnu, will travel.
  18. Re:The "If Someones Get My Phone" Part by QuietLagoon · · Score: 1

    No different than if someone steals your wallet and you have to cancel your credit cards.

    My credit card requires a PIN. So it is different.

  19. Improving security? by thegarbz · · Score: 1

    But Yahoo are well-motivated to improve security after a 2014 data breach led to a mass-reset of passwords for affected users

    It sounds like they are pushing the burden on their users rather than solving the problem of their own security.

  20. US prepaid users pay to receive SMS by tepples · · Score: 2

    Seriously, you pay for texting by the message? Is that even legal these days?

    Yes. If you're in the United States, and your cellular service costs less than about $500 per year, you probably pay per outgoing message and per incoming message. This is especially common on pay-as-you-go carriers such as Virgin.

  21. Re:So essentially the phone is my security credent by chihowa · · Score: 1

    You don't need the phone to receive text messages... just the SIM.

    --
    If you want a vision of the future, imagine a youtube comments section scrolling - forever.
  22. Re:So essentially the phone is my security credent by chihowa · · Score: 2

    Sniffing the SMS message from the air is obscure enough to expect it to not happen often, but yanking the SIM card from the smartphone will enable you to receive SMS messages without having to bypass the phone's lockscreen. Almost nobody enables the PIN lock on their SIM cards.

    --
    If you want a vision of the future, imagine a youtube comments section scrolling - forever.
  23. Re:The "If Someones Get My Phone" Part by QuietLagoon · · Score: 1

    That's called a "debit card".

    No, it is a credit card with a PIN. I still have all the protections that a credit card provides.

    A PIN is optional on credit cards with the 'chip', however, some credit card providers are requiring the PIN. Most, if not all, of the credit card companies will be requiring the PIN sooner rather than later.

  24. Thus making it impossible to check email when abro by davesag · · Score: 1

    When I travel I always get a local SIM so as to avoid the roaming fees. This means a new mobile number. This is okay as I never really use my mobile to make actual phone calls any more, it's all about data for me.

    Auth systems that rely on my mobile number being constant and available are thus utterly useless to me.

    --
    I used to have a better sig than this, but I got tired of it
  25. Doesn't everybody have multiple Yahoo! accounts? by billstewart · · Score: 1

    I keep several of them around to absorb different kinds of junk mail. One of them's for reading Flickr. Another's the contact account for the Gmail account I use for watching YouTube. Another's one I started giving vendors years ago. Another one's for reading Yahoo groups, which has something vaguely resembling my real name. I've probably forgotten a few others. And no, thanks, none of them need my Real Life Phone Number. If I forget the password for the one I read Flickr with, I can create another.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
  26. Re:So essentially the phone is my security credent by Threni · · Score: 1

    How is that different to having your android phone stolen, where you have gmail, facebook etc etc open, logged into etc all the time?

  27. Re:So essentially the phone is my security credent by misnohmer · · Score: 1

    I think the assumption is, if you have access to someone's phone, you have access to their Yahoo mail as most smartphone users sync their mail to their phones.

  28. Re:So essentially the phone is my security credent by JustAnotherOldGuy · · Score: 1

    How is that different to having your android phone stolen, where you have gmail, facebook etc etc open, logged into etc all the time?

    I don't use a smart phone and I don't use facebook, gmail, etc etc, so for me it's not a problem.

    Everyone else is free to do whatever strikes their fancy.

    My point is I don't want a text every time I need to login to something.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  29. Re:Yahoo Mail has required a cell number since 201 by MrL0G1C · · Score: 2

    Thankfully they're not forcing old users to supply phone number... yet, but they do nag.

    --
    Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
  30. How specifically does it work? by ckedge · · Score: 1

    Does anyone actually have a reference to an article describing SPECIFICALLY how it works? Yahoo is being REALLY vague in their press releases, presumably to keep the plebs from getting confused or concerned. (All they say is "look, easy and safe".)

    Everyone here is assuming they're sending an SMS code, but the descriptions from Yahoo read like this:

    > To sign in, you'll just need to tap "Yes" on the notification we send to your phone.

    Are they using MMS? (Multi Media Texts?)

    Is their App reading your text messages!?!? Effectively using SMS as a side channel?

    You know what comes next -- heavy attacks upon PHONE COMPANIES to steal phone numbers. The creaky ancient phone system is going to bust open under this... everyone's personal phone numbers are going to get slammed on a regular basis. Rich, famous, and powerful people especially.

    http://ask.ofcom.org.uk/help/t...

    1. Re:How specifically does it work? by ckedge · · Score: 1

      ( self reply because this is slashdot without edit ability )

      Oh ffs, this has nothing to do with signing into Yahoo ON your mobile phone.

      > After set-up is complete, users will only have to type in their Yahoo Mail addresses when logging in from a new browser or device to prompt the Account Key log-in process. Yahoo will send a push notification to their smartphone where they can simply hit "yes" to allow the new login. If users tap the notification they'll be taken to a screen with more detail, such as what type of device is trying to log in and where in the world they are signing in from.

      This is about using your phone and its app (or even an alternative e-mail address elsewhere) as a final "yes log me in on the device X in the world that just asked to log me in".

      This is two factor without the second factor. Instead of sending a code to your phone, they simply send a hyperlink to your phone or alternate e-mail address asking you to confirm a login from elsewhere.

      Notice the "second e-mail address" thingie. Yup, if plebs turn that on, e-mail addresses are chained together and someone stealing your gmail account will now have access to your yahoo account.

      Hmmm, this is a neat idea, sure is a good idea for grandmas and the like. If it wasn't for the fact that people lose their phones all the time. And having users chain together mail accounts to allow them to recover their account when they lose their phone... eh, sounds dicey...

    2. Re:How specifically does it work? by ckedge · · Score: 1

      Correction - this is one factor with the one factor being possession of a separate physical device.
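The flow ckedge quotes above (type only the address; the phone gets a prompt showing device type and location; tapping "yes" lets the new browser in) and holophrastic's point that anyone who knows an address can make the phone buzz until its owner taps "yes" by mistake both become clearer as code. The block below is an added example of my own design for this page, not Yahoo's Account Key implementation: the browser holds a nonce that is never sent to the phone, the phone answers with a MAC under a key enrolled into the app, prompts expire after a minute, and an address can trigger only a few prompts per minute. The device key, the 60-second expiry and the prompt cap are assumptions; as ckedge's correction says, the only factor here is possession of the enrolled device.

```python
"""Push-approval ("yes, that's me") sign-in: illustrative server and device logic,
not Yahoo's implementation. The browser submits only the address; the enrolled
phone approves or denies a pending login. Whoever holds the unlocked phone holds
the one factor."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

PROMPT_TTL_SECONDS = 60      # assumption: a prompt can be answered for one minute only
MAX_PROMPTS_PER_MINUTE = 3   # assumption: cap on prompts one address may trigger


@dataclass
class PendingLogin:
    login_id: str
    account: str
    browser_nonce: str   # handed to the requesting browser, never pushed to the phone
    context: dict        # device type and rough location displayed on the phone
    created: float
    outcome: str = "pending"


def device_answer(device_key: bytes, login_id: str, approve: bool) -> str:
    """Phone side: HMAC over the prompt id and the decision, keyed with the
    secret enrolled into the app (assumed design, so a forged 'yes' from the
    network without the phone's key is rejected)."""
    msg = f"{login_id}:{'yes' if approve else 'no'}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class PushLoginServer:
    def __init__(self, now: Callable[[], float] = time.time):
        self.now = now
        self.devices: Dict[str, bytes] = {}           # account -> enrolled device key
        self.pending: Dict[str, PendingLogin] = {}    # login_id -> open prompt
        self.prompt_log: Dict[str, List[float]] = {}  # account -> recent prompt times
        self.sessions: Dict[str, str] = {}            # session token -> account

    def enroll_device(self, account: str, device_key: bytes) -> None:
        self.devices[account] = device_key

    def begin_login(self, account: str, context: dict) -> Tuple[str, dict]:
        """Browser step: only the address arrives. Rate-limit before pushing,
        because anyone who knows the address can otherwise ring the phone at will."""
        if account not in self.devices:
            raise LookupError("no enrolled device for this account")
        recent = [t for t in self.prompt_log.get(account, []) if self.now() - t < 60]
        if len(recent) >= MAX_PROMPTS_PER_MINUTE:
            raise PermissionError("too many sign-in prompts for this account; try later")
        recent.append(self.now())
        self.prompt_log[account] = recent
        login = PendingLogin(login_id=secrets.token_urlsafe(16), account=account,
                             browser_nonce=secrets.token_urlsafe(32),
                             context=context, created=self.now())
        self.pending[login.login_id] = login
        push_payload = {"login_id": login.login_id, "context": context}  # shown on the phone
        return login.browser_nonce, push_payload

    def device_response(self, login_id: str, approve: bool, mac: str) -> bool:
        """Phone step: accept only a still-open, unexpired prompt with a valid MAC."""
        login = self.pending.get(login_id)
        if login is None or login.outcome != "pending":
            return False
        if self.now() - login.created > PROMPT_TTL_SECONDS:
            login.outcome = "expired"
            return False
        expected = device_answer(self.devices[login.account], login_id, approve)
        if not hmac.compare_digest(expected, mac):
            return False
        login.outcome = "approved" if approve else "denied"
        return True

    def poll(self, browser_nonce: str) -> Tuple[str, Optional[str]]:
        """Browser step: poll with its own nonce; a session exists only after approval."""
        login = next((p for p in self.pending.values()
                      if hmac.compare_digest(p.browser_nonce, browser_nonce)), None)
        if login is None:
            return "unknown", None
        if login.outcome == "pending" and self.now() - login.created > PROMPT_TTL_SECONDS:
            login.outcome = "expired"
        if login.outcome == "approved":
            del self.pending[login.login_id]
            token = secrets.token_urlsafe(32)
            self.sessions[token] = login.account
            return "approved", token
        if login.outcome in ("denied", "expired"):
            del self.pending[login.login_id]
        return login.outcome, None


if __name__ == "__main__":
    srv = PushLoginServer()
    key = secrets.token_bytes(32)  # provisioned into the phone app at enrollment
    srv.enroll_device("user@example.com", key)
    nonce, push = srv.begin_login("user@example.com", {"device": "Firefox on Windows", "where": "Paris, FR"})
    print("phone shows:", push["context"], "browser sees:", srv.poll(nonce))
    srv.device_response(push["login_id"], True, device_answer(key, push["login_id"], True))
    print("after tap:", srv.poll(nonce))
```

Note what the design does not give you: nothing in it is "something you know". Someone who walks off with the unlocked phone (or pulls the app's key off it) can approve any login that they themselves trigger by typing the address, which is the point several commenters above are making. The prompt cap limits the "make it beep until he taps yes" nuisance but does not change that.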