53 comments

[ 4.5 ms ] story [ 118 ms ] thread
This isn't even 1 factor auth, this is 0 factor auth.. unless you accept the pain of disabling text message notifcations on your phone.
It won't be accepted by people. Imagine, what will happen if you forgot your phone with someone you know.
I had an ex with serious trust issues. On at least several occasions they tried to get into my email account. This was back in the flip phone days, but the concern is the same. The Yahoo approach seems like the perfect setup for that sort of abuse.
Assuming one has a smartphone, they don't even need the password to login. They already have access to your mailbox.

If one doesn't have a smartphone, then they need to first find out your email then try to login. By the time that is figured out you might have disabled it by logging to your account from somewhere else.

Some phones show the contents of texts on the lock screen, so people could potentially access your email without unlocking your phone
My phone shows contents of my mail on the lock screen already
My view is about the concept...not about just mail...
I can imagine the time when my phone receives an email to my Yahoo mail, with my email address shown before my phone being unlocked, and the password to login to my mail box is next to it, in the notification.
Configure your phone not to show sensitive information on the lock screen?
This is so bad on Android 5 it's not even funny. When you enable that option it shows the whole list of notifications on the lock screen, each one of them has "sensitive information hidden" underneath, taking up lots of space. I know that sensitive information is hidden, I chose that option, no need to tell me for every single one of my notifications on the lockscreen!!!!
I'm always bothered that the SMSes for 2FA show up on the lock screen... could we not agree on a set of words that can block any message from appearing on the lock screen. Even just anything containing PIN or password would be a good start.
From a general perspective , i see this to be a flaw.

But there are some use-cases where i see it to be useful.One is with old people (in 70s/80s) with little tech. exposure beforehand.They just need the phone with them and they don't care if someone reads/opens their emails from somewhere else for a time or two.

So now less security is better? I'm confused.
Many people are currently hugely insecure because they are too technically illiterate to know any better. Even if this solution is only slightly better than using "James1" as your password on everything, it's still better and more likely to be adopted, and as such would be an improvement.

Ideally, we need systems which are both significantly more secure while still being extremely usable, but I'm not seeing any. Note that I'm saying they need to be more usable for the kind of person that doesn't understand the difference between Google, email, Facebook and the internet - NOT your average Hacker News reader.

Quick question... assuming that this would work on all yahoo services.

Now imagine that I lose my phone, I guess that I will have to ask to receive a reset token, or something similar, on my yahoo mail, right?

But then how do I login on the mail service without my phone?

(it's a honest question)

existing password should still work, also you can give gmail/outlook id as an alternate email to get password reset mail, it works that way right now.
If you lose your phone, somebody would be able to log in to your email, although the problem is less serious in practice. It would require stealing the phone and then doing some nefarious activity with it before the phone and email account are blocked.
I agree with you mostly. Although you are right that most people who steal phones probably would not to do this, thieves and others are becoming more aware. Thieves have friends too and some are even technical, especially people who specifically target phones. Also consider how many people forget they actually have certain accounts. It's not hard to use these accounts as the keys to more things or to use as social engineering tools.

As for the frequency of lost phones, I think it happens more than people know. Ask a friend who works at a restaurant, hotel, store, etc. how many times people accidentally leave or drop phones. With all the things like payments, passwords, personal information, etc. tied to phones, these are becoming treasure troves for people who have any idea of what they are doing. On the plus side, people who don't know what they are doing and spend time online on a stolen phone might be caught easier if the thieves have an idea.

This would be a disaster for those living in repressive/dictatorial regimes. Essentially handing them the keys to your e-mail.
If you live in repressive/dictatorial regime why use yahoo? or gmail?
Most people aren't technically literate or security conscious and will generally use one of the big free e-mail providers.
Most people are ignorant about the capabilities of their regime.

Police and secret service certainly have no qualms and little oversight when it comes to intercept a text message to access your accounts even in 'civilized' countries.

It is less secure than 2 factor auth (since it is 1 factor) but they picked the more secure 1 factor than what is popular right now.

Hopefully they are smart enough to format the txt such that the password doesn't show up in the preview, and if so, in practice, there is almost no downside to this for the vast majority if people (since if the person who now has your phone can log into the phone, the odds are they can already access your email).

I'm not sure. Can you say for a fact that my texts aren't being intercepted or even saved by the phone company?
They can be easily intercepted by anyone near your phone with TI Calypso based phone, like Openmoko Neo Freerunner or old Motorola phones. Of course there are also dedicated pieces of hardware for that.
I noticed Twitter did something similar the other day. I was trying to login from my phone, and after two failed login attempts, I got an email with a confirmation code that I could enter into the Twitter app (on my android phone) to login. The email said I could also use this "code" in place of my password.

> We noticed that someone recently tried to sign in to your Twitter account (...)

> If this was you, confirm your identity by using this temporary code: (....)

> You can also enter this code where you would normally enter your password when you sign in.

I couldn't tell whether the email was sent because the second password attempt was successful or because it wasn't successful.

I was about to post this, thank you for doing so.

Seriously? What could they be thinking? The entire premise of 2-factor - in most cases, something you know and something you have - is that if someone steals/guesses/social hacks my secret, they don't have my keyfob (or phone); if someone steals my keyfob or phone, they don't have my secret knowledge. The probability of losing both is much lower than either.

But using just one factor, and one that goes across insecure networks, and is visible on my phone even on the lock screen? And I cannot use it if I have mobile issues? Really??

(comment deleted)
Except this basically leaves the passwords in the hands of the companies. It's like Yahoo saying "you don't need a password anymore, we'll just create one on the spot for you".

That's not what I imagined for a passwordless world. I don't want the companies to basically keep the passwords for me. I'd much rather put my trust in fingerprint scanners or other biometrics.

You can't change biometrics, ever. You can spoof them, same as a text password can be cracked. They're HORRIBLE factors.
They won't even need to bother. State-level actors usually have access to the phone company networks.
Two-factor authentication is far superior. But I might be willing to concede that one factor authentication (using something you have) is about as good as one factor authentication (using something you know). Especially since password guessing is at or better than actual practice by real humans in password selection and security.
Perhaps the other factor of 2FA is rather optimistically your yahoo username.

Somebody online would know my yahoo id, but only a microscopic fraction of online people would have physical access to steal my phone.

Someone who steals my phone would almost certainly have no idea what my yahoo login name is. I would have to look it up myself just to make sure...

The intersection would be close friends and family members, and if I can't trust them, then I'm totally screwed aside from mere yahoo groups login issues.

If Yahoo really thinks that, they have issues with security... oh wait, they do! :-)
Lots of negativity about this here, but let's take a step back and look at something:

When you lose your password to an account, how do you reset it? With your email (in the case of Yahoo, with your backup email). Which, if someone has your unlocked phone, is likely already compromised as part of the unlocked phone.

Sending an OTP via SMS doesn't really open up any new avenues of attack, if they already have your unlocked phone.

Now then, if you're displaying all text messages via lock screen, why have a lock screen at all? Sure, it protects the rest of your phone from intrusion, but it's leaking what should be considered private information to anyone who has it. You're probably also getting email summaries, chat summaries, and upcoming meetings as well.

The problem here is that for Android and iPhone, I have the option to lock down the device using Android Device Manager or Find My iPhone.

However, I can still pull out a SIM card and put it on a different phone.

That's the difference.

The SIM card is pin-locked. If not, you have as big or bigger problem at hand.
Your wireless provider can't/won't deactivate a SIM card if the phone is stolen?
Agreed. You are only ever as secure as your weakest link. If someone else has your device that is not protected by a pin and you are not able to remotely wipe or lock, then you probably have bigger problems.

I like seeing these sorts of solutions put to use. It will be even more user friendly with the use of Apple Watch, as an example, if you are accessing your account on something other than your phone.

Now, email is a pretty important thing, so it may not be the best place to experiment with new login methods. I like the way searchpath.io uses email authentication, rather than passwords, and I am implementing something similar for a side project.

If they add a first factor (4 digits PIN code) and this as a second factor, then I think we have a winner. The PIN code will protect you from insecure networks, losing your phone, theft and it's easy to remember.

The PIN code is a weak link, but doesn’t do much without your phone. Your phone is a weak link, but you won’t get the SMS without the PIN code. Chained together they’re almost stupid and fail proof.

I think folks overestimate a) how often physical theft actually takes place and b) the level of sophistication that folks who steal your phone are going to have.

In order for me to use the "thing I have" to get into your account, I'd need to know your account. The number of targeted thefts that take place are really low, compared to the number of folks who run around with "password" or "letmein" as their "thing they know".

The threat model for Joe User is just not that complex, is all I'm saying. For Paranoia User, options should certainly exist, but for her brother Joe, it's not very necessary.

Hello Yahoo, First of all please stop asking my phone number to register email.
Doesn't work with VoIP numbers e.g. Google Voice, so that's a non-starter for me.
Instead of sending a SMS message to their phone, could Yahoo send a push notification (with TextSecure support)?

I'd like to see this. I'd love to help make it happen.

For my use case this is less secure because I keep my computers clean of malware, and my hard drives encrypted. I don't reuse passwords and I don't log into my account from devices I don't own. My phone, on the other hand is easy to steal. Anyone who has my sim card can use it to log in. I've also heard it's trivial to use social engineering to redirect a phone number with some carriers. Also, I often don't have signal in buildings, so that makes this option useless.

For other people the SMS option might be better. They let you choose which one you want to use. I guess we'll hear about the results of this experiment later on.

They need on-demand email addresses too, then. Because I don't remember my yahoo email address, either. That's how long it's been since I've signed in.

Maybe every other month for one reason or another I'm prompted to sign-in to Yahoo. I sit there for a frustrated three seconds wanting to punch the screen and then just close the page. Can't remember the email address, know I won't be able to remember the password and no way I'm dealing with creating a new account.

I have forgotten mine years ago already.
Best thing would be using a password protected key like in SSH. It should be baked in to SSL somehow to make it easier to password protect web apps.

It's a bit ironic that Yahoo changed their password policy so that I need to have at least two numbers and different caps and something like max ten characters. Making it impossible to remember the password.

I always use something like "magicunicornridingsousages" witch I find both easy to remember and long enough to prevent brute force. Too bad Yahoo wont allow it.

I forgot my yahoo password long ago, I had used my yahoo account to register a domain name. At the time, I agreed to allow recurring billing (though I don't consciously remember doing this). After a few years of seeing the recurring charge on my bank statement, I called to get a debit card with a new number. They sent me a new card with the same number (but new expirey). After discovering a fresh charge in the next yearly cycle, I called my bank to "contest" the charges. They asked if I had talked to them (the vendor, Yahoo in this case) or otherwise explicitly cancelled my "subscription" and told them I had no way of recovering my account information and wasn't about to navigate their phone-based customer service. My bank did absolutely nothing to help me. Moving forward, I've sought to minimize any form of accounts following this paradigm. Getting rid of passwords is great, long over due, but there are bigger problems with these organizations.
Now how many usernames do I need to know to get access to atleast one of them?

4 digits = 10000 usernames, with luck only half of them.

This is a gift to hackers, government snoops, and the like: access is now granted to anyone with the trivial ability to intercept SMS messages, spoof cell towers (Stingrays), or clone SIM cards.
This is awesome, as long as you have phone service and have your phone with you. While I want my stuff to be secure, a hacker, nor government snooping isn't the highest priority. Allowing me to access my stuff is the highest priority. Passwords are a pain, but this isn't the solution (nor are biometrics)