SecurityWeek

Identity & Access

Yahoo Kills Passwords in Multiple Mobile Apps

Yahoo has expanded its password-free approach to user security to more applications for Android and iOS devices, namely Yahoo Finance, Fantasy, Messenger, and Sports.

Last October, the company debuted a new sign-in process for its mobile users, allowing them to log into their accounts without having to enter their passwords. Dubbed Yahoo Account Key, the sign-in process was launched in Yahoo Mail for Android and iOS, letting users sign into their accounts easily and securely using their mobile phones.

In short, Account Key authenticates users through push notifications sent to their smartphones, which ask them to confirm that online access should be granted. As soon as users approve the notification they are signed in, and the same confirmation is required each time they want to log in from their mobile device.

At the moment, Account Key works with Yahoo Finance, Fantasy, Mail, Messenger, and Sports for iOS or Android, Lovlesh Chhabra, Product Manager at Yahoo, explains in a blog post. He also notes that users can set up the new sign-in process easily, directly from their smartphones.

To get started, users first need to log into the Yahoo Mail mobile app, then tap the menu icon in the top left on Android, or the profile icon in the top right of the navigation bar on iOS. Next, users should tap the key icon next to their account, select Set up Account Key, and follow the steps.

In Yahoo Sports, Finance or other Yahoo apps, after logging in, users should tap the menu icon in the top left, then tap the key icon next to their account on Android, or go to Tools and select Account Key from the list on iOS. Next, they should tap Set up Account Key and follow the steps.

Once setup is complete, users will receive a push notification in the mobile app whenever they try to sign in from their desktops. They simply need to approve the notification to sign in, and must make sure they don't sign out of the app or turn off notifications, since either will prevent Account Key from working properly.

Yahoo Account Key, which is essentially two-step authentication, still requires users to type in their account names, but does not require them to provide their passwords. As Travis Greene, Identity Solutions Strategist at NetIQ, explains in a SecurityWeek column, the approach takes full advantage of the availability and power of mobile devices.


However, Greene also points out that the approach does not replace two-step authentication systems, because it relies on a single factor, although he agrees with Yahoo's claim that the process is more secure. Even so, he questions the architecture Yahoo uses for the new sign-in process.

“What is unknown is how the interaction between the app and Yahoo’s servers is managed. Is the user approval encrypted, for example? How susceptible would this be to a man-in-the-middle attack? Regardless, Yahoo has a point. Passwords are more susceptible to undetected theft than physical devices. But we can’t know for certain how much more secure this approach is until we know the architecture details,” Greene says.
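To make Greene's question concrete, the following added example models one way a push-approval sign-in can protect the approval message: the server issues a one-time challenge, the phone answers with an HMAC over the account name and challenge using a key enrolled at setup, and the server rejects anything replayed, expired, forged or bound to a different account. This is illustrative code written for this article, not Yahoo's implementation (which the article says is unknown); the per-device key, message format and 60-second timeout are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed model of a push-approval sign-in. Not Yahoo's architecture;
# the device key, message layout and timeout are assumptions for illustration.
APPROVAL_TTL = 60  # seconds a pending sign-in stays approvable


def device_approve(device_key, username, nonce):
    """What the phone sends back: an HMAC binding this approval to one challenge."""
    msg = f"{username}|{nonce}|approve".encode()
    return hmac.new(device_key, msg, hashlib.sha256).digest()


class AccountKeyServer:
    def __init__(self):
        self.device_keys = {}  # username -> secret enrolled during Account Key setup
        self.pending = {}      # nonce -> [username, issued_at, consumed]

    def enroll_device(self, username):
        key = secrets.token_bytes(32)
        self.device_keys[username] = key
        return key  # in practice stored only on the enrolled phone

    def start_sign_in(self, username, now=None):
        """Desktop supplies only the account name; a one-time nonce is pushed to the phone."""
        nonce = secrets.token_hex(16)
        issued = now if now is not None else time.time()
        self.pending[nonce] = [username, issued, False]
        return nonce

    def approve(self, username, nonce, tag, now=None):
        """Accept the approval only if it is unused, fresh, for this account and genuine."""
        entry = self.pending.get(nonce)
        if entry is None or entry[2]:
            return False  # unknown challenge, or already consumed (replay)
        pending_user, issued, _ = entry
        if pending_user != username or username not in self.device_keys:
            return False  # approval does not belong to the account being signed in
        current = now if now is not None else time.time()
        if current - issued > APPROVAL_TTL:
            return False  # stale approval
        expected = device_approve(self.device_keys[username], username, nonce)
        if not hmac.compare_digest(expected, tag):
            return False  # forged or tampered in transit
        entry[2] = True
        return True
```

Binding the tag to a nonce rules out replay and forgery of the approval itself; the prompt on the phone still needs to show enough context for the user to decline a sign-in they did not start.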

Related: Is Yahoo’s New Account Key the Future of Authentication?
