Connect with us

Hi, what are you looking for?


Identity & Access

Another Potential Victim of the Yahoo! Breach: Federated Login

Password proliferation is bad, for many, many, many reasons. But the worst reason is that people tend to re-use passwords all over the place.

Password proliferation is bad, for many, many, many reasons. But the worst reason is that people tend to re-use passwords all over the place. It’s difficult if not impossible to keep all the various passwords straight that you need to bank, shop, do just about anything on the internet these days.

It turns out there is a better way to handle authentication than having individual usernames and passwords for every online account: federated login through massive consumer sites like Facebook, Google and Twitter and Yahoo!.

All of those “Login with Facebook” and “Login with Your Twitter ID” buttons across the Internet let people create accounts at a third party website via the OAuth protocol without surrendering their password. And these third party sites have accountability with the OAuth providers to not abuse the information they receive. Yes, in the early days of OAuth, there were some cases of abuse, such as harvesting and misusing friend lists, but today most OAuth clients just get your email address, which is all they really need to uniquely identify a consumer.

Login Services

In theory, a website could offer federation login via dozens of OAuth-providing social media sites. But in reality, a website designer really just wants to support the handful of mega sites like Facebook and Google that represent the largest number of users. For example, today Yelp offers federated logins only through Facebook.

This brings us to Yahoo!. The leak of half a billion user credentials is, of course, a big deal in and of itself, but another potential loss is the decrease in federated login options for consumers. After this breach, it’s likely we’ll be seeing fewer and fewer “Login with Yahoo!” buttons across the Internet.

And that’s too bad, really, because Yahoo! was trying to do some cool stuff with password-less authentication. The new(ish) Yahoo Account Key feature let users authenticate via a press of a button on their mobile phone rather than entering a password.

Yahoo Account Key

Given its still-enormous user base, the loss of a Yahoo! as a source of federated logins could be detrimental to the Internet. If Yahoo! does in fact get removed from the short list of OAuth identity providers, then that leaves just two mega sites: Google and Facebook. If either of these suffer a massive breach, then we’d be down to just one giant repository of consumer identities, and that is too few. 

Advertisement. Scroll to continue reading.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Identity & Access

NSA publishes recommendations on maturing identity, credential, and access management capabilities to improve cyberthreat protections.