Yahoo Mail Moves From Passwords To Push Notification Sign-Ins (tumblr.com)
An anonymous reader writes: A revamp of Yahoo Mail includes a new feature which eliminates the password from the sign-in process on mobile platforms, instead relying on the user's phone number as a token of authenticity. Notification-based sign-ins are a network-heavy commitment used with less frequency during some online banking authentication procedures, and by Google and others in specific events such as the need for a password reset. But Yahoo is well-motivated to improve security after a 2014 data breach led to a mass-reset of passwords for affected users.
Yahoo Mail has been my throwaway email since about forever, and I have no desire for it to be anything other than that. Yahoo is in such straits now that I would have to read the fine print about what they'll be doing with my cell number and would be very leery about handing it to them. It wouldn't surprise me if this is less a security ploy than a data-mining revenue enhancement ploy.
Left MS Windows for Linux Mint and never looked back!
Vote for Bernie in 2016!
What am I missing? This does not sound more secure at all.
I use Yahoo! as a throw-away, personal email. Went to use their new notification basis. I never received the token as they claimed I would. Did switch to their SMS version for on-demand passwords. That, actually, did work. Perhaps, the other system is working now and was just experiencing high demand/load issues due to all their users giving it a shot. But, after getting locked out three times trying to use this "feature", I don't think I will try it again anytime soon.
Welcome to allowing anyone to make my phone beep a thousand times every minute while I'm at dinner.
What do you think my father is going to do when his phone asks for authorization that he didn't instigate? He's going to call me saying that his e-mail is being hacked. ...and when it happens a dozen times an hour, he's going to accidentally authorize something -- and then have no idea what's happened as a result.
I have a mobile data plan in the USA. How would this work when I go out of the country? Does it work on WiFi?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
The phone phreaks have figured out lots of tricks with call forwarding, etc. And home brewed versions of Stingray/IMSI catchers that can do MITM attacks. The phone systems are pretty insecure (probably by design. Thank your local Five Eyes TLA organization).
Have gnu, will travel.
You can switch to a new phone number by answering the security questions.
You'd be surprised how many people can't answer the security questions they set up themselves.
Not me! My security question is: "What is your security question?"
It must have been something you assimilated. . . .
Think of all the benefits.
1) Your phone number indicates your country unambiguously, so they can separate that legally pesky US data from free-for-the-hoovering foreign intel.
2) Your phone number ties into credit identities somewhere along the line, unless you paid cash for a burner. But most targets won't have that kind of foresight. This makes your PRISM strong-selector even stronger (and Yahoo is a partner in the PRISM consortium, so you get all the advantages that cooperation offers)!
3) You won't want to jump through the login hoops often, so you'll stay logged in to Yahoo in your browser and won't clear your cookies, supercookies, etc. That makes it easier for Yahoo to track your progress through the web via tracking beacons.
Seriously, you pay for texting by the message? Is that even legal these days?
Yes. If you're in the United States, and your cellular service costs less than about $500 per year, you probably pay per outgoing message and per incoming message. This is especially common on pay-as-you-go carriers such as Virgin.
Sniffing the SMS message from the air is obscure enough to expect it to not happen often, but yanking the SIM card from the smartphone will enable you to receive SMS messages without having to bypass the phone's lockscreen. Almost nobody enables the PIN lock on their SIM cards.
If you want a vision of the future, imagine a youtube comments section scrolling - forever.
Thankfully they're not forcing old users to supply phone number... yet, but they do nag.
Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.