Security Experts:

Yahoo Kills Passwords in Multiple Mobile Apps

Yahoo has expanded its password-free approach to user security to more applications for Android and iOS devices, namely Yahoo Finance, Fantasy, Messenger, and Sports.

Last October, the company debuted a new sign-in process for its mobile users, allowing them to login into their accounts without having to enter their passwords. Dubbed Yahoo! Account Key, the sign-in process was launched in Yahoo Mail for Android and iOS, providing users with the possibility to easily and securely sign into their accounts using their mobile phones.

Basically, the Account Key allows users to authenticate through messages sent to their smartphones, which ask for confirmation to grant online access. As soon as users approve these push notifications, they are immediately signed in, and the operation is performed each time they want to login from their mobile device.

At the moment, Account Key works with Yahoo Finance, Fantasy, Mail, Messenger, and Sports for iOS or Android, Lovlesh Chhabra, Product Manager, Yahoo, explains in a blog post. Moreover, he notes that users can set the new sign in process easily, directly from their smartphones.

To get started, users first need to login into the Yahoo Mail mobile app, then tap the top left menu icon on Android, or the profile icon in the top right of the navigation bar, on iOS. Next, users should tap the key icon next to their account, select Set up Account Key, and follow the steps.

In Yahoo Sports, Finance or other Yahoo apps, after login, users should tap the top left menu icon, then tap the key icon next to their account if they are on Android, or go to Tools and select Account Key from the list, if they are on an iOS device. Next, they should tap Set up Account Key and follow the steps.

As soon as the process has been completed, users will receive the push notification on their mobile application when trying to sign in from their desktops. They simply need to approve the notification to sign it, and make sure they don’t sign out of the app or turn off notifications, since such actions will prevent Account Key from working properly.

Yahoo Account Key, which is essentially two-step authentication, still requires users to type in their account names, but does not require them to provide their passwords. As Travis Greene, Identity Solutions Strategist at NetIQ, explains in a SecurityWeek column, the approach takes full advantage of the availability and power of mobile devices.

However, Greene also explains that the approach does not replace two-step authentication systems, because it relies on a single factor, although he agrees with Yahoo’s claim that this process is more secure. Even so, he still questions the architecture that Yahoo uses in this new sign in process.

“What is unknown is how the interaction between the app and Yahoo’s servers is managed. Is the user approval encrypted, for example? How susceptible would this be to a man in the middle attack? Regardless, Yahoo has a point. Passwords are more susceptible to undetected theft than physical devices. But we can’t know for certain how much more secure this approach is until we know the architecture details,” Greene says.

Related: Is Yahoo's New Account Key the Future of Authentication?

 

view counter