Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Email Security

Is Yahoo’s New Account Key the Future of Authentication?

Rumors of the password’s demise have been greatly exaggerated over the years. As security professionals, we know how fragile they are in the hands of talented hackers, and how much users revile them, yet their ubiquity has proven stubborn to dislodge.

Rumors of the password’s demise have been greatly exaggerated over the years. As security professionals, we know how fragile they are in the hands of talented hackers, and how much users revile them, yet their ubiquity has proven stubborn to dislodge.

Last week, Yahoo introduced “Account Key”, which uses push notifications to their Yahoo Mail app on mobile devices. You can read more about the new approach, but in a nutshell; the notifications present the user with simple yes or no buttons to allow or deny login to Yahoo Mail on any other device (such as your desktop). You still have to type in your account name on yahoo.com, but Yahoo Mail immediately recognizes the account as enabled for Account Key and launches the notification via the app on that users’ pre-registered mobile device.

Passwordless AuthenticationWhat’s different in this approach is that it takes full advantage of the availability and power of mobile devices. Availability, in the sense that a significantly large percentage of Yahoo Mail users possess a mobile device, at least partially addressing the ubiquity need that has kept passwords entrenched. Power, in the sense that it simplifies the user interaction to a new minimum, taking care of the authentication handshakes in the background.

What about one-time passwords?

Yes, we already have one-time password apps or SMS that provide codes on mobile devices. But those require the user to enter that code on another device, making it less user-friendly than entering a password in the first place. Rather than make the user manually transfer a code from one device to the other to prove that they are in possession of the device, this approach takes care of that for them.

Is it really more secure?

Yahoo claims that it is, stating that “passwords are usually simple to hack”, but once you have Account Key, “even if someone gets access to your account info – they can’t sign in.” What is unknown is how the interaction between the app and Yahoo’s servers is managed. Is the user approval encrypted, for example? How susceptible would this be to a man in the middle attack?

Regardless, Yahoo has a point. Passwords are more susceptible to undetected theft than physical devices. But we can’t know for certain how much more secure this approach is until we know the architecture details.

Does this replace two-factor authentication?

Advertisement. Scroll to continue reading.

The simple answer is no. Account Key relies only on something you have. Where the confusion may lie is that typical use of mobile device authentication is in addition to a password, which would be a combination of something you have and something you know. Because this method relies only on a single factor, it would not satisfy requirements for two-factor authentication by itself.

It should be made clear that this first iteration is for accessing Yahoo Mail only. Yahoo states that they will be rolling out Account Key to other Yahoo apps later this year. But if Account Key only ever supports the Yahoo ecosystem, then an opportunity will be missed.

The real value would be to extend Account Key as a service to provide access to apps provided by third parties. Perhaps there are efforts to make that happen already in progress. But Yahoo has shown the way – a technology that is both user friendly and secure has a great chance of finally eradicating the password and becoming the authentication technology of the future.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights