Yahoo Mail Moves From Passwords To Push Notification Sign-Ins (tumblr.com)
An anonymous reader writes: A revamp of Yahoo Mail includes a new feature which eliminates the password from the sign-in process on mobile platforms, instead relying on the user's phone number as a token of authenticity. Notification-based sign-ins are a network-heavy commitment used with less frequency during some online banking authentication procedures, and by Google and others in specific events such as the need for a password reset. But Yahoo is well-motivated to improve security after a 2014 data breach led to a mass-reset of passwords for affected users.
Selling Cell Numbers to Advertisers? (Score:5, Insightful)
Re:Selling Cell Numbers to Advertisers? (Score:5, Insightful)
I would have to read the fine print about what they'll be doing with my cell number and would be very leery about handing it to them.
Same here, with the added caveat that "terms and conditions are subject to change". In other words, once they have it they can basically do whatever they want with it and good luck trying to stop them.
"Sorry, didn't you read out new TOS? It explicitly states that we can now sell your phone number to the Mobile Marketing Ad Group in India and Bahrain and Brazil and Mexico and Russia and anywhere else we fucking feel like it."
Re: (Score:2)
That'll work out really well, especially for those on prepay plans where you get charged $0.25 per text message. Well, if Yahoo wants to commit sudoku they're doing a fine job.
Re: Selling Cell Numbers to Advertisers? (Score:3, Funny)
Well they'll need to juggle a lot of numbers...
Re: (Score:1)
Well you need a computer more modern than a PDP-11, so it's going to limit the number of potential users.
Seriously, you pay for texting by the message? Is that even legal these days?
Re: (Score:2)
And although Japanese isn't my strong suit, I think you mean seppuku rather than sudoku (the puzzle game).
Re: (Score:2)
And although Japanese isn't my strong suit, I think you mean seppuku rather than sudoku (the puzzle game).
It's a fairly common Internet meme/joke. Like, "So I did a 360 and walked away."
Re: (Score:3)
Us less-communicative, non-rich people pay per text on pay as you go plans to save money. At 10 cents a text/minute, my bill works out to $5-$10 per month.
US prepaid users pay to receive SMS (Score:3)
Seriously, you pay for texting by the message? Is that even legal these days?
Yes. If you're in the United States, and your cellular service costs less than about $500 per year, you probably pay per outgoing message and per incoming message. This is especially common on pay-as-you-go carriers such as Virgin.
Re: (Score:2)
Seriously, you pay for texting by the message? Is that even legal these days?
It is in Canada and the US. If you're not blowing $30+/mo on your cell you're paying for incoming and outgoing text messages, unless the company you're with gives incoming texts for free.
And no, commit sudoku. [knowyourmeme.com]
Re: (Score:2)
Well if yahoo wants to commit sudoku they're doing a fine job.
This needs to be put into the Slashdot random comments.
Re: (Score:2)
Commit sudoku. [knowyourmeme.com]
Re: (Score:1)
They are most likely trying to save on support costs from users who forget their passwords or who used weak passwords and had their accounts hijacked.
Moving security into "something that you have" rather than "something that you know" involves different tradeoffs and is still weak compared to two-factor, but, honestly, given most users it probably increases security. If they're using SMS, it leaves people wide open to sophisticated attackers, though.
Yahoo Mail has required a cell number since 2013 (Score:1)
Go to mail.yahoo.com and try to sign up for a throwaway email like you used to. It demands a cell number and if you don't hand it over, no "free" email for you!
This cell number requirement applies to Flickr and any other form of yahoo account. This started about 2 years ago.
Re: (Score:3)
Thankfully they're not forcing old users to supply phone number... yet, but they do nag.
Re: (Score:2)
Yahoo Mail has been my throwaway email since about forever, and I have no desire for it to be anything other than that.
That's probably half their thinking here -- find a way to get rid of the users who are just using them for a spam account so they have more network resources for the "real" users with email coming in that's worth data-mining.
Re: (Score:2)
Straits. The euphemism refers to narrow, hard-to-navigate passages of water, not to uncurved lines...
Re: (Score:2)
Re: (Score:2)
Same here.
And what happens when your phone is lost or stolen??
Doesn't everybody have multiple Yahoo! accounts? (Score:2)
I keep several of them around to absorb different kinds of junk mail. One of them's for reading Flickr. Another's the contact account for the Gmail account I use for watching YouTube. Another's one I started giving vendors years ago. Another one's for reading Yahoo groups, which has something vaguely resembling my real name. I've probably forgotten a few others. And no, thanks, none of them need my Real Life Phone Number. If I forget the password for the one I read Flickr with, I can create another.
SIM cloning (Score:2)
I hope they've taken SIM cloning into account. Myself, I prefer TOTP authentication using software like Google Authenticator or a hardware dongle (downside: finding hardware that supports multiple accounts on multiple services).
Re: (Score:2)
And, silly though it may sound, simply changing your phone number. A lot of people will think that this is great, and they'll use it, but then they'll want to change their phone number for one reason or another and then... Whooops.
Re: (Score:2)
then they'll want to change their phone number for one reason or another and then... Whooops.
You can switch to a new phone number by answering the security questions.
Re: (Score:2)
You can switch to a new phone number by answering the security questions.
You'd be surprised how many people can't answer the security questions they set up themselves.
Re:SIM cloning (Score:5, Funny)
You can switch to a new phone number by answering the security questions.
You'd be surprised how many people can't answer the security questions they set up themselves.
Not me! My security question is: "What is your security question?"
I'm not sure (Score:1)
It's easier, but not really better.
With two-factor auth, password and push notification/sms/whatever, you still need to know the password. I can keylog your password, but I still need to get access to your phone and the sms content, within the time-frame before the code expires.
Now all you need is access (exploit, backdoor or physical) to the phone/tablet/milk jug.
No, No No No (Score:2, Insightful)
NO, I do NOT want to receive a fucking text message every time I need to login somewhere.
Fuck you, Yahoo, it's no wonder why you have the craptastic reputation you do.
Re: No, No No No (Score:3, Interesting)
Think of all the benefits.
1) Your phone number indicates your country unambiguously, so they can separate that legally pesky US data from free-for-the-hoovering foreign intel.
2) Your phone number ties into credit identities somewhere along the line, unless you paid cash for a burner. But most targets won't have that kind of foresight. This makes your PRISM strong-selector even stronger (and Yahoo is a partner in the PRISM consortium, so you get all the advantages that cooperation offers)!
3) You won't want t
Re: (Score:1)
So essentially the phone is my security credential (Score:5, Insightful)
.
What am I missing? This does not sound more secure at all.
Re: (Score:1)
Re: (Score:2)
Yahoo assumes that your phone is protected. This is going to be a problem between friends and lovers who love to share their stuff but not their social media accounts.
Or if your phone is stolen...
The people "running" Yahoo really seem to have no idea what they're doing. I hope that at least they make this an optional service and not a forced change for everyone.
Re: (Score:2)
You don't need the phone to receive text messages... just the SIM.
Re: (Score:1)
How is that different to having your android phone stolen, where you have gmail, facebook etc etc open, logged into etc all the time?
Re: (Score:2)
How is that different to having your android phone stolen, where you have gmail, facebook etc etc open, logged into etc all the time?
I don't use a smart phone and I don't use facebook, gmail, etc etc, so for me it's not a problem.
Everyone else is free to do whatever strikes their fancy.
My point is I don't want a text every time I need to login to something.
Re: (Score:2)
No different than if someone steals your wallet and you have to cancel your credit cards.
My credit card requires a PIN. So it is different.
Re: (Score:2)
That's called a "debit card".
No, it is a credit card with a PIN. I still have all the protections that a credit card provides.
.
A PIN is optional on credit cards with the 'chip'; however, some credit card providers are requiring the PIN. Most, if not all, of the credit card companies will be requiring the PIN sooner rather than later.
Re: (Score:2)
So if someone gets my phone, they can access my Yahoo accounts because all the knowledge needed to access my Yahoo accounts is contained on the phone and/or Yahoo will message it to the phone.
AFAICT, that is the case, but it's actually much worse than you imply. Unless I'm missing something, they don't need access to your phone, but just access to your SMS, which is NOT a secure channel (it's quite obscure to most people, but it's not secure).
On the other hand, and in their defense, all modern smart phones that I've seen only need to be unlocked from the lock screen (if they even have that turned on), and then you can access their email, facebook, etc etc etc without any additional auth. Even af
Re: (Score:3)
Sniffing the SMS message from the air is obscure enough to expect it to not happen often, but yanking the SIM card from the smartphone will enable you to receive SMS messages without having to bypass the phone's lockscreen. Almost nobody enables the PIN lock on their SIM cards.
Re: (Score:1)
Re: (Score:1)
I think the assumption is, if you have access to someone's phone, you have access to their Yahoo mail, as most smartphone users sync their mail to their phones.
It wasn't working (Score:3)
I use Yahoo! as a throw-away, personal email. Went to use their new notification basis. I never received the token as they claimed I would. Did switch to their SMS version for on-demand passwords. That, actually, did work. Perhaps, the other system is working now and was just experiencing high demand/load issues due to all their users giving it a shot. But, after getting locked out three times trying to use this "feature", I don't think I will try it again anytime soon.
Ready for the spam? (Score:5, Informative)
Welcome to allowing anyone to make my phone beep a thousand times every minute while I'm at dinner.
What do you think my father is going to do when his phone asks for authorization that he didn't instigate? He's going to call me saying that his e-mail is being hacked. ...and when it happens a dozen times an hour, he's going to accidentally authorize something -- and then have no idea what's happened as a result.
Well, what happens when I go to India? (Score:4, Interesting)
So Does This Mean (Score:2)
So does this mean that all one has to do to obtain all of a corporation's most valued secrets is to steal the CEO's phone?
Because .... (Score:2)
Ever heard of someone being swatted [wikipedia.org]?
Re: (Score:3)
The phone phreaks have figured out lots of tricks with call forwarding, etc. And home brewed versions of Stingray/IMSI catchers that can do MITM attacks. The phone systems are pretty insecure (probably by design. Thank your local Five Eyes TLA organization).
Well, I now have an excuse to change email. (Score:2)
I've had my yahoo email since 1997, back when Yahoo didn't suck. Time to go. I'll now have no reason to visit yahoo ever again.
Re: (Score:2)
You haven't had a reason to visit Yahoo for awhile if you can set up an IMAP client.
Improving security? (Score:2)
But Yahoo are well-motivated to improve security after a 2014 data breach led to a mass-reset of passwords for affected users
It sounds like they are pushing the burden on their users rather than solving the problem of their own security.
Thus making it impossible to check email when abro (Score:2)
When I travel I always get a local SIM so as to avoid the roaming fees. This means a new mobile number. This is okay as I never really use my mobile to make actual phone calls any more, it's all about data for me.
Auth systems that rely on my mobile number being constant and available are thus utterly useless to me.
How specifically does it work? (Score:2)
Does anyone actually have a reference to an article describing SPECIFICALLY how it works? Yahoo is being REALLY vague in their press releases, presumably to keep the plebs from getting confused or concerned. (All they say is "look, easy and safe".)
Everyone here is assuming they're sending an SMS code, but the descriptions from Yahoo read like this:
> To sign in, you'll just need to tap "Yes" on the notification we send to your phone.
Are they using MMS? (Multi Media Texts?)
Is their App reading your text
Re: (Score:2)
( self reply because this is slashdot without edit ability )
Oh ffs, this has nothing to do with signing into Yahoo ON your mobile phone.
> After set-up is complete, users will only have to type in their Yahoo Mail addresses when logging in from a new browser or device to prompt the Account Key log-in process. Yahoo will send a push notification to their smartphone where they can simply hit "yes" to allow the new login. If users tap the notification they'll be taken to a screen with mo
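The flow quoted above (type the address in a new browser, get a push, tap "yes") together with the worry raised in the "Ready for the spam?" comment, modelled as an added example. This is a constructed Python simulation, not Yahoo's code, and the page does not describe Account Key's internals; it shows two mitigations a practitioner would want in any such design: per-account throttling of prompts, so that knowing an address is not a free channel for paging someone's phone, and number matching (the requesting browser shows a two-digit number that must be typed on the phone), so a reflexive "yes" on a prompt the owner did not start authorizes nothing. The challenge is also bound to the browser session that started it. Account names, the three-prompts-per-minute limit and the two-minute expiry are all assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass

PROMPTS_PER_MINUTE = 3      # assumed policy: more prompts than this per account is abuse
CHALLENGE_TTL_S = 120       # assumed: an unanswered prompt expires after two minutes


@dataclass
class Challenge:
    account: str
    browser_session: str    # the session that typed the address
    match_code: str         # two-digit number shown in that browser
    created: float
    approved: bool = False


class AuthServer:
    """Constructed server side of a push-approval login (not Yahoo's implementation)."""

    def __init__(self):
        self.pending: dict[str, Challenge] = {}        # challenge id -> Challenge
        self.prompt_log: dict[str, list[float]] = {}   # account -> prompt timestamps
        self.pushed: list[tuple[str, str]] = []        # (account, challenge id) sent to the phone

    def begin_login(self, account: str, browser_session: str, now: float):
        """Anyone who knows the address can call this, so it is rate limited per account."""
        recent = [t for t in self.prompt_log.get(account, []) if now - t < 60]
        if len(recent) >= PROMPTS_PER_MINUTE:
            self.prompt_log[account] = recent
            return None                                 # throttled: nothing pushed
        self.prompt_log[account] = recent + [now]
        cid = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(100):02d}"
        self.pending[cid] = Challenge(account, browser_session, code, now)
        self.pushed.append((account, cid))              # "push notification"
        return cid, code                                # browser displays `code`

    def approve_from_phone(self, cid: str, typed_code: str, now: float) -> bool:
        """The phone user must type the number shown in the requesting browser."""
        ch = self.pending.get(cid)
        if ch is None or now - ch.created > CHALLENGE_TTL_S:
            self.pending.pop(cid, None)
            return False
        if not hmac.compare_digest(ch.match_code, typed_code):
            self.pending.pop(cid, None)                 # wrong number: discard, never retry
            return False
        ch.approved = True
        return True

    def finish_login(self, cid: str, browser_session: str) -> bool:
        """Only the browser that started the challenge can redeem the approval."""
        ch = self.pending.get(cid)
        if ch is None or not ch.approved or not hmac.compare_digest(ch.browser_session, browser_session):
            return False
        del self.pending[cid]
        return True


def run_scenario() -> dict:
    """Constructed scenario: one legitimate login, then a push-bombing attempt."""
    srv = AuthServer()
    t0 = 1_000.0
    victim = "alice@example.com"                        # constructed account

    # 1. Legitimate login: browser shows the number, the owner types it on the phone.
    cid, shown = srv.begin_login(victim, "victim-browser", t0)
    srv.approve_from_phone(cid, shown, t0 + 5)
    legit_ok = srv.finish_login(cid, "victim-browser")

    # 2. Attacker who only knows the address starts ten logins from their own browser.
    attempts = [srv.begin_login(victim, "attacker-browser", t0 + 10 + i) for i in range(10)]
    reached_phone = [a for a in attempts if a is not None]
    pushes_after_attack = len(srv.pushed)

    # 3. Annoyed, the victim taps "approve" on one. They never saw the attacker's browser,
    #    so the number they type cannot be the right one (modelled as deliberately wrong).
    a_cid, a_code = reached_phone[0]
    wrong = f"{(int(a_code) + 1) % 100:02d}"
    victim_typed_wrong = srv.approve_from_phone(a_cid, wrong, t0 + 30)
    attacker_ok = srv.finish_login(a_cid, "attacker-browser")

    # 4. Session binding: an approved challenge cannot be redeemed from another browser.
    cid4, code4 = srv.begin_login(victim, "victim-browser", t0 + 200)
    srv.approve_from_phone(cid4, code4, t0 + 205)
    stolen = srv.finish_login(cid4, "attacker-browser")
    owner = srv.finish_login(cid4, "victim-browser")

    return {"legit_login": legit_ok, "pushes_reaching_phone": pushes_after_attack,
            "attacker_pushes_throttled": 10 - len(reached_phone),
            "victim_approved_attacker_prompt": victim_typed_wrong, "attacker_login": attacker_ok,
            "stolen_challenge_redeemed": stolen, "owner_still_completes": owner}


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

The throttle is deliberately per account rather than per source, because the attacker controls the source; the number match turns the phone prompt from a yes/no question into a small proof that the approver can see the requesting screen.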
Re: (Score:1)
Correction - this is one factor with the one factor being possession of a separate physical device.