Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Yahoo! Communications

Yahoo Mail Moves From Passwords To Push Notification Sign-Ins (tumblr.com) 78

An anonymous reader writes: A revamp of Yahoo Mail includes a new feature which eliminates the password from the sign-in process on mobile platforms, instead relying on the user's phone number as a token of authenticity. Notification-based sign-ins are a network-heavy commitment used with less frequency during some online banking authentication procedures, and by Google and others in specific events such as the need for a password reset. But Yahoo is well-motivated to improve security after a 2014 data breach led to a mass-reset of passwords for affected users.
This discussion has been archived. No new comments can be posted.

Yahoo Mail Moves From Passwords To Push Notification Sign-Ins

Comments Filter:
  • by Irate Engineer ( 2814313 ) on Saturday October 17, 2015 @09:45AM (#50749277)
    Yahoo Mail has been my throwaway email since about forever, and I have no desire for it to be anything other than that. Yahoo is in such straights now that I would have to read the fine print about what they'll be doing with my cell number and would be very leery about handing it to them. It wouldn't surprise me if this is less a security ploy than a data-mining revenue enhancement ploy.
    • by JustAnotherOldGuy ( 4145623 ) on Saturday October 17, 2015 @10:20AM (#50749373)

      I would have to read the fine print about what they'll be doing with my cell number and would be very leery about handing it to them.

      Same here, with the added caveat that "terms and conditions are subject to change". In other words, once they have it they can basically do whatever they want with it and good luck trying to stop them.

      "Sorry, didn't you read out new TOS? It explicitly states that we can now sell your phone number to the Mobile Marketing Ad Group in India and Bahrain and Brazil and Mexico and Russia and anywhere else we fucking feel like it."

      • by Mashiki ( 184564 )

        That'll work out really well, especially for those on prepay plans where you get charged $0.25 text message. Well if yahoo wants to commit sudoku they're doing a fine job.

        • Well they'll need to juggle a lot of numbers...

        • Well you need a computer more modern than a PDP-11, so it's going to limit the number of potential users.

          Seriously, you pay for texting by the message? Is that even legal these days?

          • And although Japanese isn't my strong suit - I think you mean seppuku rather than soduki (the puzzle game).

            • And although Japanese isn't my strong suit - I think you mean seppuku rather than soduki (the puzzle game).

              It's a fairly common Internet meme/joke. Like, "So I did a 360 and walked away."

          • Us less-communicative, non-rich people pay per text on pay as you go plans to save money. At 10 cents a text/minute, my bill works out to $5-$10 per month.

          • Seriously, you pay for texting by the message? Is that even legal these days?

            Yes. If you're in the United States, and your cellular service costs less than about $500 per year, you probably pay per outgoing message and per incoming message. This is especially common on pay-as-you-go carriers such as Virgin.

          • by Mashiki ( 184564 )

            Seriously, you pay for texting by the message? Is that even legal these days?

            It is in Canada and the US. If you're not blowing $30+mo on your cell you're paying for incoming and outgoing text messages, unless the company you're with gives incoming texts for free.

            And no, commit sudoku. [knowyourmeme.com]

        • Well if yahoo wants to commit sudoku they're doing a fine job.

          This needs to be put into the Slashdot random comments.

    • by Anonymous Coward

      They are most likely trying to save on support costs from users who forget their passwords or who used weak passwords and had their accounts hijacked.

      Moving security into "something that you have" rather than "something that you know" involves different tradeoffs and is still weak compared to two factor, but, honestly, given most users it probably increases security. If they're using SMS, it leaves people wide open to sophisticated attackers, though.

    • Go to mail.yahoo.com and try to sign up for a throwaway email like you used to. It demands a cell number and if you don't hand it over, no "free" email for you!

      This cell number requirement applies to Flickr and any other form of yahoo account. This started about 2 years ago.

    • by SeaFox ( 739806 )

      Yahoo Mail has been my throwaway email since about forever, and I have no desire for it to be anything other than that.

      That's probably half their thinking here -- find a way to get rid of the users who are just using them for a spam account so they have more network resources for the "real" users with email coming in that's worth data-mining.

    • Yahoo is in such straights

      Straits. The ephemism refers to narrow, hard to navigate passages of water, not to uncurved lines...

    • I have a really old Yahoo! mail account, and it just never stops receiving spam. Your usage of it is correct.
    • by Reziac ( 43301 ) *

      Same here.

      And what happens when your phone is lost or stolen??

  • I hope they've taken SIM cloning into account. Myself, I prefer TOTP authentication using software like Google Authenticator or a hardware dongle (downside: finding hardware that supports multiple accounts on multiple services).

    • And, silly though it may sound, simply changing your phone number. A lot of people will think that this is great, and they'll use it, but then they'll want to change their phone number for one reason or another and then... Whooops.

      • then they'll want to change their phone number for one reason or another and then... Whooops.

        You can switch to a new phone number by answering the security questions.

        • by SeaFox ( 739806 )

          You can switch to a new phone number by answering the security questions.

          You'd be surprised how many people can't answer the security questions they set up themselves.

  • by Anonymous Coward

    It's easier, but not really better.

    With two-factor auth, password and push notification/sms/whatever, you still need to know the password. I can keylog your password, but I still need to get access to your phone and the sms content, within the time-frame before the code expires.

    Now all you need is access (exploit, backdoor or physical) to the phone/tablet/milk jug.

  • NO, I do NOT want to receive a fucking text message every time I need to login somewhere.

    Fuck you, Yahoo, it's no wonder why you have the craptastic reputation you do.

    • Re: No, No No No (Score:3, Interesting)

      by Anonymous Coward

      Think of all the benefits.

      1) Your phone number indicates your country unambiguously, so they can separate that legally pesky US data from free-for-the-hoovering foreign intel.

      2) Your phone number ties into credit identities somewhere along the line, unless you paid cash for a burner. But most targets won't have that kind of foresight. This makes your PRISM strong-selector even stronger (and Yahoo is a partner in the PRISM consortium, so you get all the advantages that cooperation offers)!

      3) You won't want t

    • by Anonymous Coward
      Am I the only one that read the article instead of jumping to outrageous assumptions? Nowhere does it say it's forcing you to use this, and why would it send a text? It says PUSH notifications, which would be through the Yahoo app.
  • by QuietLagoon ( 813062 ) on Saturday October 17, 2015 @10:20AM (#50749371)
    So if someone gets my phone, they can access my Yahoo accounts because all the knowledge needed to access my Yahoo accounts is contained on the phone and/or Yahoo will message it to the phone.

    .
    What am I missing? This does not sound more secure at all.

    • Yahoo assumes that your phone is protected. This is going to be a problem between friends and lovers who love to share their stuff but not their social media accounts.
      • Yahoo assumes that your phone is protected. This is going to be a problem between friends and lovers who love to share their stuff but not their social media accounts.

        Or if your phone is stolen...

        The people "running" Yahoo really seem to have no idea what they're doing. I hope that at least they make this an optional service and not a forced change for everyone.

        • by Threni ( 635302 )

          How is that different to having your android phone stolen, where you have gmail, facebook etc etc open, logged into etc all the time?

          • How is that different to having your android phone stolen, where you have gmail, facebook etc etc open, logged into etc all the time?

            I don't use a smart phone and I don't use facebook, gmail, etc etc, so for me it's not a problem.

            Everyone else is free to do whatever strikes their fancy.

            My point is I don't want a text every time I need to login to something.

    • by unrtst ( 777550 )

      So if someone gets my phone, they can access my Yahoo accounts because all the knowledge needed to access my Yahoo accounts is contained on the phone and/or Yahoo will message it to the phone.

      AFAICT, that is the case, but it's actually much worse than you imply. Unless I'm missing something, they don't need access to your phone, but just access to your SMS, which is NOT a secure channel (it's quite obscure to most people, but it's not secure).

      On the other hand, and in their defense, all modern smart phones that I've seen only need to be unlocked from the lock screen (if they even have that turned on), and then you can access their email, facebook, etc etc etc without any additional auth. Even af

      • by chihowa ( 366380 )

        Sniffing the SMS message from the air is obscure enough to expect it to not happen often, but yanking the SIM card from the smartphone will enable you to receive SMS messages without having to bypass the phone's lockscreen. Almost nobody enables the PIN lock on their SIM cards.

    • They had to make a trade-off between security and convenience somewhere. How many times a year do you lose your phone, anyway?
    • I think the assumption is, if you have access to someone's phone, you have access to they yahoo mail as most smartphone users sync their mail to their phones.

  • by Ronin Developer ( 67677 ) on Saturday October 17, 2015 @10:55AM (#50749477)

    I use Yahoo! as a throw-away, personal email. Went to use their new notification basis. I never received the token as they claimed I would. Did switch to their SMS version for on-demand passwords. That, actually, did work. Perhaps, the other system is working now and was just experiencing high demand/load issues due to all their users giving it a shot. But, after getting locked out three times trying to use this "feature", I don't think I will try it again anytime soon.

  • Ready for the spam? (Score:5, Informative)

    by holophrastic ( 221104 ) on Saturday October 17, 2015 @11:29AM (#50749587)

    Welcome to allowing anyone to make my phone beep a thousand times every minute while I'm at dinner.

    What do you think my father is going to do when his phone asks for authorization that he didn't instigate? He's going to call me saying that his e-mail is being hacked. ...and when it happens a dozen times an hour, he's going to accidentally authorize something -- and then have no idea what's happened as a result.

  • by 140Mandak262Jamuna ( 970587 ) on Saturday October 17, 2015 @11:30AM (#50749589) Journal
    I have a mobile data plan in the USA. How would this work when I go out of the country? Does it work on WiFi?
  • So does this mean that all one has to do to obtain all of a corporation's most valued secrets is to steal the CEO's phone?

  • ... phone numbers are secure and can't be cloned. Yeah, right.

    Ever heard of someone being swatted [wikipedia.org]?

  • I've had my yahoo email since 1997, back when Yahoo didn't suck. Time to go. I'll now have no reason to visit yahoo ever again.

    • by SeaFox ( 739806 )

      You haven't had a reason to visit Yahoo for awhile if you can set up an IMAP client.

  • But Yahoo are well-motivated to improve security after a 2014 data breach led to a mass-reset of passwords for affected users

    It sounds like they are pushing the burden on their users rather than solving the problem of their own security.

  • When I travel I always get a local SIM so as to avoid the roaming fees. This means a new mobile number. This is okay as I never really use my mobile to make actual phone calls any more, it's all about data for me.

    Auth systems that rely on my mobile number being constant and abailsble are thus utterly useless to me.

  • Does anyone actually have a reference to an article describing SPECIFICALLY how it works? Yahoo is being REALLY vague in their press releases, presumably to keep the plebs from getting confused or concerned. (All they say is "look, easy and safe".)

    Everyone here is assuming they're sending an SMS code, but the descriptions from Yahoo read like this:

    > To sign in, you'll just need to tap "Yes" on the notification we send to your phone.

    Are they using MMS? (Multi Media Texts?)

    Is their App reading your text

    • by ckedge ( 192996 )

      ( self reply because this is slashdot without edit ability )

      Oh ffs, this has nothing to do with signing into Yahoo ON your mobile phone.

      > After set-up is complete, users will only have to type in their Yahoo Mail addresses when logging in from a new browser or device to prompt the Account Key log-in process. Yahoo will send a push notification to their smartphone where they can simply hit âoeyesâ to allow the new login. If users tap the notification theyâ(TM)ll be taken to a screen with mo

      • by ckedge ( 192996 )

        Correction - this is one factor with the one factor being possession of a separate physical device.

"Gotcha, you snot-necked weenies!" -- Post Bros. Comics

Working...