Security Experts:

Connect with us

Hi, what are you looking for?


Email Security

Is Yahoo’s New Account Key the Future of Authentication?

Rumors of the password’s demise have been greatly exaggerated over the years. As security professionals, we know how fragile they are in the hands of talented hackers, and how much users revile them, yet their ubiquity has proven stubborn to dislodge.

Rumors of the password’s demise have been greatly exaggerated over the years. As security professionals, we know how fragile they are in the hands of talented hackers, and how much users revile them, yet their ubiquity has proven stubborn to dislodge.

Last week, Yahoo introduced “Account Key”, which uses push notifications to their Yahoo Mail app on mobile devices. You can read more about the new approach, but in a nutshell; the notifications present the user with simple yes or no buttons to allow or deny login to Yahoo Mail on any other device (such as your desktop). You still have to type in your account name on, but Yahoo Mail immediately recognizes the account as enabled for Account Key and launches the notification via the app on that users’ pre-registered mobile device.

Passwordless AuthenticationWhat’s different in this approach is that it takes full advantage of the availability and power of mobile devices. Availability, in the sense that a significantly large percentage of Yahoo Mail users possess a mobile device, at least partially addressing the ubiquity need that has kept passwords entrenched. Power, in the sense that it simplifies the user interaction to a new minimum, taking care of the authentication handshakes in the background.

What about one-time passwords?

Yes, we already have one-time password apps or SMS that provide codes on mobile devices. But those require the user to enter that code on another device, making it less user-friendly than entering a password in the first place. Rather than make the user manually transfer a code from one device to the other to prove that they are in possession of the device, this approach takes care of that for them.

Is it really more secure?

Yahoo claims that it is, stating that “passwords are usually simple to hack”, but once you have Account Key, “even if someone gets access to your account info – they can’t sign in.” What is unknown is how the interaction between the app and Yahoo’s servers is managed. Is the user approval encrypted, for example? How susceptible would this be to a man in the middle attack?

Regardless, Yahoo has a point. Passwords are more susceptible to undetected theft than physical devices. But we can’t know for certain how much more secure this approach is until we know the architecture details.

Does this replace two-factor authentication?

The simple answer is no. Account Key relies only on something you have. Where the confusion may lie is that typical use of mobile device authentication is in addition to a password, which would be a combination of something you have and something you know. Because this method relies only on a single factor, it would not satisfy requirements for two-factor authentication by itself.

It should be made clear that this first iteration is for accessing Yahoo Mail only. Yahoo states that they will be rolling out Account Key to other Yahoo apps later this year. But if Account Key only ever supports the Yahoo ecosystem, then an opportunity will be missed.

The real value would be to extend Account Key as a service to provide access to apps provided by third parties. Perhaps there are efforts to make that happen already in progress. But Yahoo has shown the way – a technology that is both user friendly and secure has a great chance of finally eradicating the password and becoming the authentication technology of the future.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...