Yahoo's simple - but not necessarily secure - new way to log in

Yahoo SMSDo you find it difficult to remember your Yahoo password?

Don't worry - Yahoo has come up with a solution for those who haven't yet discovered the benefit of using a password manager.

Yes, everybody's fourth favourite search engine has announced what it call as "a new, simple way to log in".

Chris Stoner, Director of Product Management at Yahoo, gushes that rather than require you to remember your password, the site will now send you an SMS text message containing a one-time password:

Today, we’re hoping to make that process less anxiety-inducing by introducing on-demand passwords, which are texted to your mobile phone when you need them. You no longer have to memorize a difficult password to sign in to your account - what a relief!

In some ways, that sounds quite cool. For instance, if you needed to log into your Yahoo Mail account on a suspicious computer in a hotel lobby you might (quite rightly) feel very uncomfortable entering your password on a PC that might be harbouring some keypress-logging malware.

With a one-time-password you don't have to worry so much about bad guys grabbing it, as it is only useful that "one-time". And provided your smartphone isn't itself compromised (perhaps by spyware), hackers are unlikely to be able to grab the unique passcode for unlocking your account.

But there's a problem with only requiring you to have your mobile phone to log into your Yahoo account, and it's this... what if someone else has your phone?

Can you put your hand on your heart and say that you have never left your phone unattended somewhere? Never walked away from your desk to make a quick visit to the water cooler, and left your iPhone sitting on your desk?

iPhone on desk

If access to your online accounts is only controlled by who has access to your phone - that's not a good thing! All an unauthorised user would need is your Yahoo username and their paws on your mobile.

Remember too - depending on how you have configured your smartphone, someone may not even need to unlock your device to read the SMS message it has just received from Yahoo.

Or perhaps you're one of those twerps who doesn't even have a passcode on your smartphone?

At the very least, expect the office pranksters in your office or college to try to abuse the system to gain access to your account.

Fortunately, there don't appear to be any plans to enable this feature on user's accounts without their permission. You'll have to log into your account with an old-fashioned username and passwords to turn it on.

Here are the instructions from Yahoo on how to do that (if you dare):

1) Sign in to your Yahoo.com account.

2) Click on your name at the top right corner to go to your account information page.

3) Select “Security” in the left bar.

4) Click on the slider for “On-demand passwords” to opt-in.

5) Enter your phone number and Yahoo will send you a verification code.

6) Enter the code and voila!

Yahoo on-demand password

Yahoo says that "on-demand passwords" are only currently available for United States users, but presumably they plan to roll it across more countries over time.

Personally, rather than making things "simple" for users who cannot remember their passwords, I would have preferred to have seen Yahoo promoting the usage of password management software like Bitwarden, 1Password, and KeePass which would similarly make it unnecessary to remember passwords... and perhaps encourage stronger, unique passwords at the same time.

Tags: , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , ,

12 Responses

  1. Lenny Zeltser

    March 16, 2015 at 7:03 pm #

    Graham,

    You bring up a valid concern regarding the security weakness of on-demand passwords tied to the person's phone being used by an authorized party. Overall, though, I think the new authentication scheme lowers the risk of most people's Yahoo logon credentials being misused. I touched upon my perspective on the topic here: https://zeltser.com/yahoo-on-demand-passwords/

    • Coyote in reply to Lenny Zeltser.

      March 17, 2015 at 10:09 pm #

      It is great – but not by itself. One might argue that most log in through their phone but that is an assumption and it still doesn't consider other uses. It is worse, actually, with it being the phone only: if they already have the phone in order to log in (and that is the device they use), then what this does is, it makes the job of the would-be snoop much easier; they don't have to worry about the password, they only need to receive the key from Yahoo. I think that is the problem and to put it another way, assuming that the password was stolen/intercepted, this system removes the additional layer of security (for whatever it may be) that might have existed but this actually replaces that. I suppose the good thing, to give credit to Yahoo (however misguided it is because many will make use of this feature), is that they're not making this a requirement nor the default.

  2. Anon

    March 16, 2015 at 7:05 pm #

    An additional security danger lurks if the user's mobile is being monitored by malware. There are a lot of applications out there allowing remote access and such an SMS could be requested and deleted before it presented itself on the handset.

    A rogue employee at the mobile company could access the text message: providing they knew the user's email address.

    Or a suitably competent person could intercept all messages sent to a particular number and selectively allow/disallow certain messages thereby enabling them to login.

    I don’t like ‘security’; this system offers.

    Another story is that Yahoo are offering end-to-end encryption (although because it’s controlled by them they will still be able to access your messages). More security theatre.

    • Coyote in reply to Anon.

      March 16, 2015 at 9:09 pm #

      Or equally – rogue towers… with features including forcing (without the user knowing) the downgrade encryption (on your later remark on encryption).

      What a lot of people don't realise is that what they say/share/do/etc. isn't as private as they think (or would like and deserve), and they also don't understand the full implications (and even those who do are bound to be careless at times). Best choice is to assume that you can trust only yourself, when it comes to your own safety/security/privacy. Like it or not, that's just how it is (and while it would be nice if you didn't have to worry so much about these things [and even better would be if others weren't out to abuse/steal/destroy/etc.], at least it is you in control of what you share/etc. [maybe to an extent only in your control?] rather than someone else; it might not make matters better but at least it isn't entirely up to the others).

  3. Coyote

    March 16, 2015 at 8:58 pm #

    This idea is like using a securid card but only the card. A one time password has merits but not by itself. Essentially they are allowing the phone to authenticate for you, rather than you authenticate and then also have a one time password. You can argue that the login form is insecure, that users will have weak passwords already, and they want it easier (which with perhaps the exception of the first, is exactly how most would want it[1]). But as for security, I'm afraid that the two don't mix so well: it is very difficult to balance convenience and security without making the system too weak and simultaneously preventing the users from working around the large amount of hurdles. But the administrators (and/or those creating the policy) are often equally to blame (or certainly not helping matters, as below).

    [1] I can't say I don't understand, though. Some policies are so strict, misguided/ignorant and consequently aren't helping matters (and actually make matters worse because people will find ways to simplify it if it becomes too much of a hassle). Human nature and despite the complaints, attacks and whatever else that are directed at users (sometimes have valid points but awareness is far more important than blaming others – constructive criticism instead of criticism), many policies are responsible for these problems (and those making those policies should rather work on improving things rather than simply blaming others [where this happens]).

  4. Bhavin

    March 17, 2015 at 12:35 pm #

    A better method, resulting in strong Two Factor Authentication, would be to append the code received by the mobile ("what you have") with one's password ("what you know").

    For smartphones with fingerprint or other biometric recognition ("what you are"), we could get strong Three Factor Authentication. With a GPS service ("where you are"), we could get strong Four Factor Authentication.

    We also need to consider the above single-factor one-time password (OTP), delivered on a mobile, in the context of the value of the information being protected. In most cases, the OTP may be sufficient. In other cases, after a suitable (informal or formal) Risk Assessment, it may be necessary to strengthen the authentication process in accordance with the acceptable threshold of risk.

  5. David L

    March 17, 2015 at 7:08 pm #

    Grahams right,strong password,and THEN a two factor code. I do it all the time,and like putting on a seatbelt,you get used to it,so as it becomes second nature.

    Google has posted their alpha code at github for the email security program they,Yahoo,Mozilla,and many others have been developing. So I expect that Yahoo will be improving on this issue in the near future,as they are a major contributor. They are not ready to implement yet,but sometime this year I suspect.

  6. Hitoshi Anatomi

    March 19, 2015 at 8:45 am #

    Yahoo may have succeeded to establish themselves as a business entity that people should not trust for everything relating to security.

  7. Daniel

    March 19, 2015 at 11:40 am #

    Graham,

    What if someone else has your wallet, or your home keys ?

    Currently a smartphone is a vault for our identity, for our photos and videos.

    Of course should be safer a dedicated app, instead of an SMS, but this could result in an uncontrolled proliferation of App for password replacement for each "vendor".

    At SingleID we solve this gap in a more elegant way. Passwords are only a boring step later the first boring step. Do form filling on a registration form.

    Have you ever think that each of us owns a smartphone able to do some wonderful things but that is still not able to doing form-filling for ourselves?

    At SingleID we are crazy enough to think that the current auth paradigm can be much safer, simpler and secure if only it were completely reversed.

    We shouldn't manually type our data on a form but, those who want our data should ask permission to read them from our smartphones

    take a look to our white-paper, to our App and to our playground test-forms on https://app.singleid.com

    best regards

    • Coyote in reply to Daniel.

      March 19, 2015 at 7:57 pm #

      And for those who don't have mobile phones ? Or when you're logging in through multiple hosts (bastion host etc.) ? Or if you're on a premise that doesn't receive cell signals ? Or the fact cell technology isn't exactly safe from snooping ? In other words, the idea is not at all that great if you're including changing it as a standard. Even then I'm not convinced it is the best idea. Looking at the white paper, and besides the suggestion there is no encryption (but still uses SSL …), I see a concerning statement:

      "It provides a dramatically better user experience and at the same time a higher security than existing password­-based platforms for identifying and authenticating users as it does not require a central trusted third party. SingleID also automates form-filling with a single-­click based on a pre-aggregated master form stored in the user’s smartphone app. "

      Automated filling out login credentials, or some other form? In any case, automated doesn't really mix with security, and certainly higher security is multiple layers, not removing layers as it seems you're suggesting (and don't forget that password is not the only layer in many environments; passwords – and plural is important here as I've already suggested – actually is one of the last layers [and some times the last layer] in each step, in some setups…)

      Of course, I won't tell you that you can't or shouldn't work on this; I'm only pointing out some issues with the idea (and it is obviously up to every individual to decide what works for them, security and otherwise, technology and every other part of their life).

      • Daniel in reply to Coyote.

        March 20, 2015 at 8:33 am #

        Thank you for taking time to read the specs of the project.

        The automate form filling task is done with your personal info and not with your credentials.

        For example in an e-commerce environment, credentials are only a shortcut to recover the data that you have previously typed like ( name, surname, address, billing data, … ), but if you are able to fill each time, with a single tap, a guest login form of 100 fields, you could be easily recognized as a "well-know guest user" and you do not need passwords.

        Moreover at the end the transaction the merchant could also delete you credit card information from database because the next time you will give again.

        The trick is to send every time all the data about you and not the credentials.

        To make a long story short:

        We divide the spectrum of accounts (and so their security requirements) in three levels:

        Users might create *Throw-away accounts* on the spur of the moment for testing, participating in a pseudo-anonymous conversation thread, or making a one-time purchase without saving payment credentials but with provision for checking order status. Maybe this is the most boring user experience also because is the most frequently. We can give a completely friction-less experience on this type of account working as 1-factor (something-you-have) authentication.
        (Currently the White-Paper cover only this type of accounts)

        *Routine accounts* are intended to be long-lasting and to protect something of value but do not carry a risk of large financial or reputational loss. An example would be a subscription to an online newspaper.
        We’d like our authentication methods to be convenient enough to apply to routine accounts simply storing inside your device also a digital signatures related to your profile created from a Certificate Authority.
        (We are looking for a CA at this stage)

        *Sensitive accounts* include an individual’s primary email or online banking accounts. Here, loss of data, either by deletion or public exposure, is commonly found to have severe and sometimes unforeseen consequences. This type of account needs only a special first handshake with your SingleID compliant device
        (This step will be done during the next month)

        I'm sure that we cannot cover the 100% of the use cases but also cover the 90% would be huge success ;-)

        best regards

        • Coyote in reply to Daniel.

          March 23, 2015 at 11:18 pm #

          I must confess I didn't expect you to respond. Still, to continue (briefly as I have to run):

          "The automate form filling task is done with your personal info and not with your credentials."

          … is a problem. That information is easily found and is the source of many social engineering attacks (successful ones) (it is true though, that SE might not be relevant here, but it is true that it is made easy by it being far too simple to find others contact information). Sure, you might only have on a certain device but if there is ever a chance – and for example, with phones this would exist – of the device being in another person's hands (this also applies to computers and that is besides laptops), then the automated steps is a problem, by itself. Yes, multiple layers is important but a layer that is automated isn't really helpful (granted, with some kinds of accounts – email for example – automatic login is allowed, so this is up to interpretation) by itself.

          "you could be easily recognized as a "well-know guest user" and you do not need passwords."
          .. that's the problem, in the end.

          Still, I can't remember everything I saw earlier, and I do have to dash, so I'll just summarise with simply this: if you rely too much on automation you're more likely to have problems. This isn't just for security, but it does apply for security too. The more you rely on automation, the less you have to think, the more the system can be abused, and in the end you sacrifice security for convenience (and yes, too much of a hassle is also a problem, and some administrators do not understand this [which is why I specifically bring this up – I recognise this problem as an administrator] and they are not helping matters). As you say, you cannot cover all cases, but I still would have concerns with no passwords (unless there is something else like a private key), and automation in general. But that's fine – if others want it, then that is their decision. I would hope – and seeing as how you took my message in (and it seems different native language which might make it more difficult), this might indeed apply – that you do a lot of extensive analysis, testing and plan before implementation (this includes your staff as well as having others test it as a user, and maybe have it audited). So much for a summary…

Leave a Reply