​Yahoo’s “password-free” feature in Mail app can mean lockout

Yahoo has revamped its Yahoo Mail app with a new take on sign-in that aims for a frictionless login process with an in-app delivered one-time password— but it’s pretty easy to get locked out.

Yahoo on Thursday took the wraps of its faster and sexier Mail app for iOS and Android. It won’t accept Gmail accounts, but Outlook, AOL Mail and Yahoo users can sign-in and there’s a new desktop experience rolling out to the US ahead of the rest of the world.

The most interesting new feature, security wise, is Yahoo’s Account Key, its effort to deliver a “password-free future”.

As Yahoo points out, passwords are usually simple to hack and easy to forget. Numerous data breaches have shown that people pick easily cracked passwords and often reuse them across multiple accounts. Some people save sensitive information in email accounts, such as passwords to other accounts.

Yahoo promises Account Key will protect users even when they’re passwords are compromised.

“Once you activate Account Key – even if someone gets access to your account info – they can’t sign in,” Dylan Casey, Yahoo VP of product management said.

New Yahoo Mail app users will still need a password to set up an account and should probably take note of them. The catch with activating Account Key is that it can lead to users being locked out.

For example, Medium, the long-form version of Twitter, created by Twitter co-founder Ev Stone, in June introduced a way to sign-in with an email address and no password. It sends a link to a user’s registered email address that, once clicked, will sign the user in. The link expires after a brief period and can only be used once.

One of Google’s authentication systems is its two-step verification code generator, Google Authenticator, which generates a one-time passcode (OTP) in the app that can be used as a second step in supported apps, such as its Gmail app.

Read more: In digital economy's online pwn shops, Australian credentials command a premium

Yahoo’s Account Key straddles both systems. It generates a key — a four digit code that is delivered in the Mail app, as opposed to a separate app like Google Authenticator — that expires after three minutes. The recipient can use this code to sign into their Yahoo Mail on another device, such as a laptop.

The new feature also relies on Yahoo’s recently launched SMS-delivered “on-demand” passwords.

CSO Australia tested the feature when signed out of a Yahoo Mail account on the desktop and found that it appears to live up to the claim.

Setting up Account Key on a mobile device is simple enough and is handled in a demonstration that involves confirming a mobile phone number (for an SMS-delivered one-time passcode that acts as backup authentication) and shows how to view and use the primary Account Key during sign-in.

Read more: Cybersecurity, Meet SAM

If Account Key has been activated and the user is attempting to access their account on a desktop, the password field will vanish upon entering the user’s email address.

It is possible to enter the password first and the username second, however if an attacker knows both credentials, the access attempt is blocked and a notification is sent to the mobile app. The user is asked whether they have attempted to login or not. If not, the attempt on the desktop is aborted. If the user answers ‘yes’, log-in is approved for the desktop browser -- the assumption being that the account holder has control of the mobile device.

However, the user may run into troubles if they are not logged into the Mail app. An account holder who has logged out of the app will not receive an alert on their mobile device if a hacker tries to access an account on the desktop browser with legit credentials despite Yahoo having acquired the user's mobile phone number, which could be used to deliver an alert via SMS.

In this case, the user will be presented on the desktop with an option to use their phone or email to log-in after confirming their phone number by entering the third and fourth last numbers of that phone number. It appeared that a code should be sent via SMS but it wasn’t in our test.

Instead, we were told that for security reasons, we would need to contact Yahoo Customer Care to help reset the password.

Additionally, after attempting to log-in via the mobile app, we were be told that the “account is temporarily locked for security reasons” and that a further attempt can be made to recover the account after 12 hours.

It would seem after this experience that the password will not be that easy to kill.

Join the CSO newsletter!

Error: Please check your email address.

Tags identity management​YahoopasswordAndroidprivacyCSO AustraliaYahoo Mail app

More about AOLCSOGoogleTwitterYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place