Yahoo Mail Moves From Passwords To Push Notification Sign-Ins

An anonymous reader writes: A revamp of Yahoo Mail includes a new feature which eliminates the password from the sign-in process on mobile platforms, instead relying on the user's phone number as a token of authenticity. Notification-based sign-ins are a network-heavy commitment used with less frequency during some online banking authentication procedures, and by Google and others in specific events such as the need for a password reset. But Yahoo is well-motivated to improve security after a 2014 data breach led to a mass-reset of passwords for affected users.

Selling Cell Numbers to Advertisers?

[Irate+Engineer]

Yahoo Mail has been my throwaway email since about forever, and I have no desire for it to be anything other than that. Yahoo is in such straights now that I would have to read the fine print about what they'll be doing with my cell number and would be very leery about handing it to them. It wouldn't surprise me if this is less a security ploy than a data-mining revenue enhancement ploy.

Re:Selling Cell Numbers to Advertisers?

[JustAnotherOldGuy]

I would have to read the fine print about what they'll be doing with my cell number and would be very leery about handing it to them.

Same here, with the added caveat that "terms and conditions are subject to change". In other words, once they have it they can basically do whatever they want with it and good luck trying to stop them.

"Sorry, didn't you read out new TOS? It explicitly states that we can now sell your phone number to the Mobile Marketing Ad Group in India and Bahrain and Brazil and Mexico and Russia and anywhere else we fucking feel like it."

Re: Selling Cell Numbers to Advertisers?

[MenThal]

Well they'll need to juggle a lot of numbers...

So essentially the phone is my security credential

[QuietLagoon]

So if someone gets my phone, they can access my Yahoo accounts because all the knowledge needed to access my Yahoo accounts is contained on the phone and/or Yahoo will message it to the phone.

.
What am I missing? This does not sound more secure at all.

Ready for the spam?

[holophrastic]

Welcome to allowing anyone to make my phone beep a thousand times every minute while I'm at dinner.

What do you think my father is going to do when his phone asks for authorization that he didn't instigate? He's going to call me saying that his e-mail is being hacked. ...and when it happens a dozen times an hour, he's going to accidentally authorize something -- and then have no idea what's happened as a result.

Well, what happens when I go to India?

[140Mandak262Jamuna]

I have a mobile data plan in the USA. How would this work when I go out of the country? Does it work on WiFi?

Re:SIM cloning

[fahrbot-bot]

You can switch to a new phone number by answering the security questions.

You'd be surprised how many people can't answer the security questions they set up themselves.

Not me! My security question is: "What is your security question?"

Re: No, No No No

Think of all the benefits.

1) Your phone number indicates your country unambiguously, so they can separate that legally pesky US data from free-for-the-hoovering foreign intel.

2) Your phone number ties into credit identities somewhere along the line, unless you paid cash for a burner. But most targets won't have that kind of foresight. This makes your PRISM strong-selector even stronger (and Yahoo is a partner in the PRISM consortium, so you get all the advantages that cooperation offers)!

3) You won't want to jump through the login hoops often, so you'll stay logged in to Yahoo in your browser and won't clear your cookies, supercookies, etc. That makes it easier for Yahoo to track your progress through the web via tracking beacons.