Connect with us

Hi, what are you looking for?


Identity & Access

Yahoo Kills Passwords in Multiple Mobile Apps

Yahoo has expanded its password-free approach to user security to more applications for Android and iOS devices, namely Yahoo Finance, Fantasy, Messenger, and Sports.

Yahoo has expanded its password-free approach to user security to more applications for Android and iOS devices, namely Yahoo Finance, Fantasy, Messenger, and Sports.

Last October, the company debuted a new sign-in process for its mobile users, allowing them to login into their accounts without having to enter their passwords. Dubbed Yahoo! Account Key, the sign-in process was launched in Yahoo Mail for Android and iOS, providing users with the possibility to easily and securely sign into their accounts using their mobile phones.

Basically, the Account Key allows users to authenticate through messages sent to their smartphones, which ask for confirmation to grant online access. As soon as users approve these push notifications, they are immediately signed in, and the operation is performed each time they want to login from their mobile device.

At the moment, Account Key works with Yahoo Finance, Fantasy, Mail, Messenger, and Sports for iOS or Android, Lovlesh Chhabra, Product Manager, Yahoo, explains in a blog post. Moreover, he notes that users can set the new sign in process easily, directly from their smartphones.

To get started, users first need to login into the Yahoo Mail mobile app, then tap the top left menu icon on Android, or the profile icon in the top right of the navigation bar, on iOS. Next, users should tap the key icon next to their account, select Set up Account Key, and follow the steps.

In Yahoo Sports, Finance or other Yahoo apps, after login, users should tap the top left menu icon, then tap the key icon next to their account if they are on Android, or go to Tools and select Account Key from the list, if they are on an iOS device. Next, they should tap Set up Account Key and follow the steps.

As soon as the process has been completed, users will receive the push notification on their mobile application when trying to sign in from their desktops. They simply need to approve the notification to sign it, and make sure they don’t sign out of the app or turn off notifications, since such actions will prevent Account Key from working properly.

Advertisement. Scroll to continue reading.

Yahoo Account Key, which is essentially two-step authentication, still requires users to type in their account names, but does not require them to provide their passwords. As Travis Greene, Identity Solutions Strategist at NetIQ, explains in a SecurityWeek column, the approach takes full advantage of the availability and power of mobile devices.

However, Greene also explains that the approach does not replace two-step authentication systems, because it relies on a single factor, although he agrees with Yahoo’s claim that this process is more secure. Even so, he still questions the architecture that Yahoo uses in this new sign in process.

“What is unknown is how the interaction between the app and Yahoo’s servers is managed. Is the user approval encrypted, for example? How susceptible would this be to a man in the middle attack? Regardless, Yahoo has a point. Passwords are more susceptible to undetected theft than physical devices. But we can’t know for certain how much more secure this approach is until we know the architecture details,” Greene says.

Related: Is Yahoo’s New Account Key the Future of Authentication?


Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Identity & Access

NSA publishes recommendations on maturing identity, credential, and access management capabilities to improve cyberthreat protections.