I had an ex with serious trust issues. On at least several occasions they tried to get into my email account. This was back in the flip phone days, but the concern is the same. The Yahoo approach seems like the perfect setup for that sort of abuse.
Assuming one has a smartphone, they don't even need the password to login. They already have access to your mailbox.
If one doesn't have a smartphone, then they need to first find out your email then try to login. By the time that is figured out you might have disabled it by logging to your account from somewhere else.
I can imagine the time when my phone receives an email to my Yahoo mail, with my email address shown before my phone being unlocked, and the password to login to my mail box is next to it, in the notification.
This is so bad on Android 5 it's not even funny. When you enable that option it shows the whole list of notifications on the lock screen, each one of them has "sensitive information hidden" underneath, taking up lots of space. I know that sensitive information is hidden, I chose that option, no need to tell me for every single one of my notifications on the lockscreen!!!!
I'm always bothered that the SMSes for 2FA show up on the lock screen... could we not agree on a set of words that can block any message from appearing on the lock screen. Even just anything containing PIN or password would be a good start.
From a general perspective , i see this to be a flaw.
But there are some use-cases where i see it to be useful.One is with old people (in 70s/80s) with little tech. exposure beforehand.They just need the phone with them and they don't care if someone reads/opens their emails from somewhere else for a time or two.
Many people are currently hugely insecure because they are too technically illiterate to know any better. Even if this solution is only slightly better than using "James1" as your password on everything, it's still better and more likely to be adopted, and as such would be an improvement.
Ideally, we need systems which are both significantly more secure while still being extremely usable, but I'm not seeing any. Note that I'm saying they need to be more usable for the kind of person that doesn't understand the difference between Google, email, Facebook and the internet - NOT your average Hacker News reader.
If you lose your phone, somebody would be able to log in to your email, although the problem is less serious in practice. It would require stealing the phone and then doing some nefarious activity with it before the phone and email account are blocked.
I agree with you mostly. Although you are right that most people who steal phones probably would not to do this, thieves and others are becoming more aware. Thieves have friends too and some are even technical, especially people who specifically target phones. Also consider how many people forget they actually have certain accounts. It's not hard to use these accounts as the keys to more things or to use as social engineering tools.
As for the frequency of lost phones, I think it happens more than people know. Ask a friend who works at a restaurant, hotel, store, etc. how many times people accidentally leave or drop phones. With all the things like payments, passwords, personal information, etc. tied to phones, these are becoming treasure troves for people who have any idea of what they are doing. On the plus side, people who don't know what they are doing and spend time online on a stolen phone might be caught easier if the thieves have an idea.
Most people are ignorant about the capabilities of their regime.
Police and secret service certainly have no qualms and little oversight when it comes to intercept a text message to access your accounts even in 'civilized' countries.
It is less secure than 2 factor auth (since it is 1 factor) but they picked the more secure 1 factor than what is popular right now.
Hopefully they are smart enough to format the txt such that the password doesn't show up in the preview, and if so, in practice, there is almost no downside to this for the vast majority if people (since if the person who now has your phone can log into the phone, the odds are they can already access your email).
They can be easily intercepted by anyone near your phone with TI Calypso based phone, like Openmoko Neo Freerunner or old Motorola phones. Of course there are also dedicated pieces of hardware for that.
I noticed Twitter did something similar the other day. I was trying to login from my phone, and after two failed login attempts, I got an email with a confirmation code that I could enter into the Twitter app (on my android phone) to login. The email said I could also use this "code" in place of my password.
> We noticed that someone recently tried to sign in to your Twitter account (...)
> If this was you, confirm your identity by using this temporary code: (....)
> You can also enter this code where you would normally enter your password when you sign in.
I couldn't tell whether the email was sent because the second password attempt was successful or because it wasn't successful.
Seriously? What could they be thinking? The entire premise of 2-factor - in most cases, something you know and something you have - is that if someone steals/guesses/social hacks my secret, they don't have my keyfob (or phone); if someone steals my keyfob or phone, they don't have my secret knowledge. The probability of losing both is much lower than either.
But using just one factor, and one that goes across insecure networks, and is visible on my phone even on the lock screen? And I cannot use it if I have mobile issues? Really??
Except this basically leaves the passwords in the hands of the companies. It's like Yahoo saying "you don't need a password anymore, we'll just create one on the spot for you".
That's not what I imagined for a passwordless world. I don't want the companies to basically keep the passwords for me. I'd much rather put my trust in fingerprint scanners or other biometrics.
Two-factor authentication is far superior. But I might be willing to concede that one factor authentication (using something you have) is about as good as one factor authentication (using something you know). Especially since password guessing is at or better than actual practice by real humans in password selection and security.
Perhaps the other factor of 2FA is rather optimistically your yahoo username.
Somebody online would know my yahoo id, but only a microscopic fraction of online people would have physical access to steal my phone.
Someone who steals my phone would almost certainly have no idea what my yahoo login name is. I would have to look it up myself just to make sure...
The intersection would be close friends and family members, and if I can't trust them, then I'm totally screwed aside from mere yahoo groups login issues.
Lots of negativity about this here, but let's take a step back and look at something:
When you lose your password to an account, how do you reset it? With your email (in the case of Yahoo, with your backup email). Which, if someone has your unlocked phone, is likely already compromised as part of the unlocked phone.
Sending an OTP via SMS doesn't really open up any new avenues of attack, if they already have your unlocked phone.
Now then, if you're displaying all text messages via lock screen, why have a lock screen at all? Sure, it protects the rest of your phone from intrusion, but it's leaking what should be considered private information to anyone who has it. You're probably also getting email summaries, chat summaries, and upcoming meetings as well.
Agreed. You are only ever as secure as your weakest link. If someone else has your device that is not protected by a pin and you are not able to remotely wipe or lock, then you probably have bigger problems.
I like seeing these sorts of solutions put to use. It will be even more user friendly with the use of Apple Watch, as an example, if you are accessing your account on something other than your phone.
Now, email is a pretty important thing, so it may not be the best place to experiment with new login methods. I like the way searchpath.io uses email authentication, rather than passwords, and I am implementing something similar for a side project.
If they add a first factor (4 digits PIN code) and this as a second factor, then I think we have a winner. The PIN code will protect you from insecure networks, losing your phone, theft and it's easy to remember.
The PIN code is a weak link, but doesn’t do much without your phone. Your phone is a weak link, but you won’t get the SMS without the PIN code. Chained together they’re almost stupid and fail proof.
I think folks overestimate a) how often physical theft actually takes place and b) the level of sophistication that folks who steal your phone are going to have.
In order for me to use the "thing I have" to get into your account, I'd need to know your account. The number of targeted thefts that take place are really low, compared to the number of folks who run around with "password" or "letmein" as their "thing they know".
The threat model for Joe User is just not that complex, is all I'm saying. For Paranoia User, options should certainly exist, but for her brother Joe, it's not very necessary.
For my use case this is less secure because I keep my computers clean of malware, and my hard drives encrypted. I don't reuse passwords and I don't log into my account from devices I don't own. My phone, on the other hand is easy to steal. Anyone who has my sim card can use it to log in. I've also heard it's trivial to use social engineering to redirect a phone number with some carriers. Also, I often don't have signal in buildings, so that makes this option useless.
For other people the SMS option might be better. They let you choose which one you want to use. I guess we'll hear about the results of this experiment later on.
They need on-demand email addresses too, then. Because I don't remember my yahoo email address, either. That's how long it's been since I've signed in.
Maybe every other month for one reason or another I'm prompted to sign-in to Yahoo. I sit there for a frustrated three seconds wanting to punch the screen and then just close the page. Can't remember the email address, know I won't be able to remember the password and no way I'm dealing with creating a new account.
Best thing would be using a password protected key like in SSH. It should be baked in to SSL somehow to make it easier to password protect web apps.
It's a bit ironic that Yahoo changed their password policy so that I need to have at least two numbers and different caps and something like max ten characters. Making it impossible to remember the password.
I always use something like "magicunicornridingsousages" witch I find both easy to remember and long enough to prevent brute force. Too bad Yahoo wont allow it.
I forgot my yahoo password long ago, I had used my yahoo account to register a domain name. At the time, I agreed to allow recurring billing (though I don't consciously remember doing this). After a few years of seeing the recurring charge on my bank statement, I called to get a debit card with a new number. They sent me a new card with the same number (but new expirey). After discovering a fresh charge in the next yearly cycle, I called my bank to "contest" the charges. They asked if I had talked to them (the vendor, Yahoo in this case) or otherwise explicitly cancelled my "subscription" and told them I had no way of recovering my account information and wasn't about to navigate their phone-based customer service. My bank did absolutely nothing to help me. Moving forward, I've sought to minimize any form of accounts following this paradigm. Getting rid of passwords is great, long over due, but there are bigger problems with these organizations.
This is a gift to hackers, government snoops, and the like: access is now granted to anyone with the trivial ability to intercept SMS messages, spoof cell towers (Stingrays), or clone SIM cards.
This is awesome, as long as you have phone service and have your phone with you.
While I want my stuff to be secure, a hacker, nor government snooping isn't the highest priority. Allowing me to access my stuff is the highest priority.
Passwords are a pain, but this isn't the solution (nor are biometrics)
53 comments
[ 4.5 ms ] story [ 118 ms ] threadIf one doesn't have a smartphone, then they need to first find out your email then try to login. By the time that is figured out you might have disabled it by logging to your account from somewhere else.
But there are some use-cases where i see it to be useful.One is with old people (in 70s/80s) with little tech. exposure beforehand.They just need the phone with them and they don't care if someone reads/opens their emails from somewhere else for a time or two.
Ideally, we need systems which are both significantly more secure while still being extremely usable, but I'm not seeing any. Note that I'm saying they need to be more usable for the kind of person that doesn't understand the difference between Google, email, Facebook and the internet - NOT your average Hacker News reader.
Now imagine that I lose my phone, I guess that I will have to ask to receive a reset token, or something similar, on my yahoo mail, right?
But then how do I login on the mail service without my phone?
(it's a honest question)
As for the frequency of lost phones, I think it happens more than people know. Ask a friend who works at a restaurant, hotel, store, etc. how many times people accidentally leave or drop phones. With all the things like payments, passwords, personal information, etc. tied to phones, these are becoming treasure troves for people who have any idea of what they are doing. On the plus side, people who don't know what they are doing and spend time online on a stolen phone might be caught easier if the thieves have an idea.
Police and secret service certainly have no qualms and little oversight when it comes to intercept a text message to access your accounts even in 'civilized' countries.
Hopefully they are smart enough to format the txt such that the password doesn't show up in the preview, and if so, in practice, there is almost no downside to this for the vast majority if people (since if the person who now has your phone can log into the phone, the odds are they can already access your email).
> We noticed that someone recently tried to sign in to your Twitter account (...)
> If this was you, confirm your identity by using this temporary code: (....)
> You can also enter this code where you would normally enter your password when you sign in.
I couldn't tell whether the email was sent because the second password attempt was successful or because it wasn't successful.
Seriously? What could they be thinking? The entire premise of 2-factor - in most cases, something you know and something you have - is that if someone steals/guesses/social hacks my secret, they don't have my keyfob (or phone); if someone steals my keyfob or phone, they don't have my secret knowledge. The probability of losing both is much lower than either.
But using just one factor, and one that goes across insecure networks, and is visible on my phone even on the lock screen? And I cannot use it if I have mobile issues? Really??
That's not what I imagined for a passwordless world. I don't want the companies to basically keep the passwords for me. I'd much rather put my trust in fingerprint scanners or other biometrics.
I should submit it directly to HN...
Somebody online would know my yahoo id, but only a microscopic fraction of online people would have physical access to steal my phone.
Someone who steals my phone would almost certainly have no idea what my yahoo login name is. I would have to look it up myself just to make sure...
The intersection would be close friends and family members, and if I can't trust them, then I'm totally screwed aside from mere yahoo groups login issues.
When you lose your password to an account, how do you reset it? With your email (in the case of Yahoo, with your backup email). Which, if someone has your unlocked phone, is likely already compromised as part of the unlocked phone.
Sending an OTP via SMS doesn't really open up any new avenues of attack, if they already have your unlocked phone.
Now then, if you're displaying all text messages via lock screen, why have a lock screen at all? Sure, it protects the rest of your phone from intrusion, but it's leaking what should be considered private information to anyone who has it. You're probably also getting email summaries, chat summaries, and upcoming meetings as well.
However, I can still pull out a SIM card and put it on a different phone.
That's the difference.
I like seeing these sorts of solutions put to use. It will be even more user friendly with the use of Apple Watch, as an example, if you are accessing your account on something other than your phone.
Now, email is a pretty important thing, so it may not be the best place to experiment with new login methods. I like the way searchpath.io uses email authentication, rather than passwords, and I am implementing something similar for a side project.
The PIN code is a weak link, but doesn’t do much without your phone. Your phone is a weak link, but you won’t get the SMS without the PIN code. Chained together they’re almost stupid and fail proof.
In order for me to use the "thing I have" to get into your account, I'd need to know your account. The number of targeted thefts that take place are really low, compared to the number of folks who run around with "password" or "letmein" as their "thing they know".
The threat model for Joe User is just not that complex, is all I'm saying. For Paranoia User, options should certainly exist, but for her brother Joe, it's not very necessary.
I'd like to see this. I'd love to help make it happen.
For other people the SMS option might be better. They let you choose which one you want to use. I guess we'll hear about the results of this experiment later on.
Maybe every other month for one reason or another I'm prompted to sign-in to Yahoo. I sit there for a frustrated three seconds wanting to punch the screen and then just close the page. Can't remember the email address, know I won't be able to remember the password and no way I'm dealing with creating a new account.
It's a bit ironic that Yahoo changed their password policy so that I need to have at least two numbers and different caps and something like max ten characters. Making it impossible to remember the password.
I always use something like "magicunicornridingsousages" witch I find both easy to remember and long enough to prevent brute force. Too bad Yahoo wont allow it.
4 digits = 10000 usernames, with luck only half of them.