
I (along with a billion or so other people) was notified about my Yahoo! account being potentially compromised yesterday. While I'm not worried about that (I have changed my password since then, have a very long and complex password, and don't reuse it), they did take the time to point out the Yahoo Account Key feature. This is a feature where, when you log in, it sends a notification to the Yahoo! app on your mobile phone, and you must approve that before the login can continue.

You'll no longer need to remember complicated passwords when you use Yahoo Account Key to access your account. To sign in, tap "Yes" on the notification we send to your mobile phone. With Account Key enabled, there's no password on your account, so no one other than you can sign in.

This seems similar to the Google TFA option, Google Prompt, which is certainly better than just single-factor authentication. But the difference here is that while Google requires the password AND the prompt, Yahoo does not require the password: so this is single-factor authentication, just a different factor.

How secure is this, compared to a good, complex, long, never reused password? Are there any known methods to subvert mobile phone notifications that could affect something like this?


I have an iOS device, running stock iOS, but welcome answers that include details about phone-side risks for other phones/situations (though would like my scenario covered, preferably). I also have my Yahoo! account connected to my Google account (which is protected with 2FA, using Google Prompt), and back my phone up to iCloud. I have a 6-digit passcode and fingerprint authentication on that. I'm not particularly worried about a targeted attack (I have no particular reason to fear one, not knowing anyone who is sufficiently skilled to do something like this nor having enough valuable information or money to be worth targeting); this is primarily about attacks that are general in nature.

I'm not concerned about understanding the difference in how these work; I have a good understanding of both. I'm focusing here on trying to compare the risks; while I have a good understanding of passwords and the risks inherent in 1FA with passwords, I don't have a good sense of the risks inherent in 1FA with mobile notifications, and how to balance the two.

Joe
    Are you asking how secure this would be in theory or how secure the implementation could be considering all the security problems Yahoo had in the past? I mean, passwords could be stored securely too and they did not do it. – Steffen Ullrich Dec 15 '16 at 17:30
    I am asking as a user, is this something I should choose to use versus my usual password. So I guess some of each? – Joe Dec 15 '16 at 17:31
    With this feature the security fully depends on the security of your phone. How much do you trust yourself that nobody has ever access to your unlocked phone and that no malicious software gets installed on the phone? – Steffen Ullrich Dec 15 '16 at 17:37
  • @SteffenUllrich - excellent point about phone security. That is an important consideration. I just updated my answer to include your comment. – TTT Dec 15 '16 at 17:41

1 Answer


As you point out, this is not TFA. It is simply providing you 2 different ways to access your account. You can choose which way you feel is more secure for your situation: a password, or a physical device (such as your phone).

Password advantages: No one should ever be able to gain access to your account via the provided login mechanisms without knowing your password. If your password is sufficiently long and complex such that it can only be guessed via brute force, then even if Yahoo were hacked and password hashes were stolen, it is extremely unlikely that your password would be hacked prior to you being notified that you need to change it.

Password disadvantages: Your password could be compromised without you knowing it. For example, this could happen if you enter your password from a compromised computer (keylogger) or when using a compromised network (MITM attack) and you happen to click through the browser warning about an invalid certificate. Another (usability, not security) disadvantage is if your password is long and complex, it is annoying to manually enter it on a computer where your password manager is not installed.

Device Advantages: Someone would need to have physical access to your device in order to log in. (Or they must be able to do what you would have to do if you lost your device: reset your password by having access to your email and possibly being able to answer security questions about you). If you have your device on you, then you can be pretty certain no one is currently using your Yahoo account.

Device Disadvantages: If someone gains access to your device, they can easily access your account. Furthermore, if you lose or misplace your device, you will not be able to use your account until you have your device again, or you will have to recover your account with a reset.

As for which is better in your situation, some things to consider:

  • Do you frequently use public or shared computers? Then I would lean towards the Account Key.
  • Is your device frequently left unlocked or using a weak protection algorithm (easy pattern, easy 4 digit passcode)? Then perhaps lean towards a strong password.
  • Do other people have access to your phone that you don't want to have access to your account? Then definitely use a password.

This FAQ page answers questions about how to recover/reset your account.

TTT
    It's not clear to me that the password authentication method would still exist - Yahoo seems to suggest that the password would be done away with. And I understand the differences. I think I have a good sense of how risky 1FA is with passwords; my question is trying to find out how risky 1FA with mobile notifications is, as I just don't know much about how easy that is to 'hack'. – Joe Dec 15 '16 at 18:01
  • @joe - I agree with you. I've updated my answer. – TTT Dec 15 '16 at 23:18
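The push-approval flow the question describes, and the trade-off the answer draws from it (with a prompt-only login, possession of the unlocked phone is the whole factor), as an added example that is not part of the original question or answer and is not Yahoo's or Google's code: a generic Python model in which the phone signs an approval bound to one login attempt with a per-device key. The HMAC-SHA256 device key, the PBKDF2 password hash, the 60-second prompt lifetime, the field names and the `AuthServer`/`DeviceApp` classes are all assumptions for illustration. With `require_password=False` the server behaves like Account Key as the question describes it (no password anywhere); with `True` it behaves like Google Prompt, where a wrong password means no prompt is ever pushed.

```python
import hashlib
import hmac
import secrets
from typing import Optional


class DeviceApp:
    """Phone side: holds a per-device secret (assumed HMAC-SHA256 key) and only
    signs an approval for the exact login attempt it was shown."""

    def __init__(self, device_key: bytes, unlocked: bool = True):
        self.device_key = device_key
        self.unlocked = unlocked  # a locked phone cannot tap "Yes"

    def approve(self, prompt: dict) -> Optional[bytes]:
        if not self.unlocked:
            return None
        # Bind the "yes" to this attempt id and the shown context (IP/browser),
        # so a captured approval cannot be replayed for a different login.
        msg = f"{prompt['attempt_id']}|{prompt['context']}|yes".encode()
        return hmac.new(self.device_key, msg, hashlib.sha256).digest()


class AuthServer:
    """Service side. require_password=False models a prompt-only (possession-only)
    login; True models password-then-prompt."""

    PROMPT_TTL = 60  # seconds an unanswered prompt stays valid (assumed)

    def __init__(self, require_password: bool):
        self.require_password = require_password
        self.users = {}     # user -> {"salt", "pw_hash", "device_key"}
        self.attempts = {}  # attempt_id -> {"user", "context", "created", "used"}

    def register(self, user: str, password: str, device_key: bytes) -> None:
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        self.users[user] = {"salt": salt, "pw_hash": pw_hash, "device_key": device_key}

    def _password_ok(self, user: str, password: str) -> bool:
        rec = self.users[user]
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 200_000)
        return hmac.compare_digest(cand, rec["pw_hash"])

    def start_login(self, user: str, password: Optional[str], context: str, now: float) -> Optional[dict]:
        """Return the prompt pushed to the phone, or None if no prompt is sent."""
        if user not in self.users:
            return None
        if self.require_password and not (password and self._password_ok(user, password)):
            return None  # wrong password: the phone never sees a prompt
        attempt_id = secrets.token_hex(16)  # unpredictable, single-use challenge
        self.attempts[attempt_id] = {"user": user, "context": context, "created": now, "used": False}
        return {"attempt_id": attempt_id, "context": context}

    def finish_login(self, attempt_id: str, approval: Optional[bytes], now: float) -> bool:
        att = self.attempts.get(attempt_id)
        if approval is None or att is None or att["used"]:
            return False
        if now - att["created"] > self.PROMPT_TTL:
            return False  # stale prompt, e.g. answered long after the attempt
        msg = f"{attempt_id}|{att['context']}|yes".encode()
        expected = hmac.new(self.users[att["user"]]["device_key"], msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, approval):
            return False
        att["used"] = True  # one approval, one session
        return True


def _setup(require_password: bool):
    key = secrets.token_bytes(32)
    server = AuthServer(require_password)
    server.register("joe", "correct horse battery staple", key)  # constructed sample user
    return server, DeviceApp(key)


def prompt_only_with_phone_in_hand() -> bool:
    """Account Key model: whoever holds the unlocked phone logs in, no password needed."""
    server, phone = _setup(require_password=False)
    prompt = server.start_login("joe", None, "198.51.100.7 Firefox", now=1000.0)
    return server.finish_login(prompt["attempt_id"], phone.approve(prompt), now=1005.0)


def password_then_prompt_without_password() -> bool:
    """Google Prompt model: with a wrong password, no prompt is pushed at all."""
    server, phone = _setup(require_password=True)
    prompt = server.start_login("joe", "wrong", "198.51.100.7 Firefox", now=1000.0)
    return prompt is not None and server.finish_login(prompt["attempt_id"], phone.approve(prompt), now=1005.0)


def prompt_only_with_locked_phone() -> bool:
    """Prompt-only login where the phone is locked: nothing can approve, so no login."""
    server, phone = _setup(require_password=False)
    phone.unlocked = False
    prompt = server.start_login("joe", None, "198.51.100.7 Firefox", now=1000.0)
    return server.finish_login(prompt["attempt_id"], phone.approve(prompt), now=1005.0)


def replayed_approval() -> bool:
    """An approval captured once cannot be reused for a second login attempt."""
    server, phone = _setup(require_password=False)
    first = server.start_login("joe", None, "198.51.100.7 Firefox", now=1000.0)
    captured = phone.approve(first)
    server.finish_login(first["attempt_id"], captured, now=1001.0)
    second = server.start_login("joe", None, "203.0.113.9 Chrome", now=1002.0)
    return server.finish_login(second["attempt_id"], captured, now=1003.0)
```

The four scenario functions are the comparison in executable form: in the prompt-only model the only thing standing between an attacker and the account is the phone's lock screen, which is the point the comments make about trusting the device; binding each approval to a single attempt id and context, and marking it used, is what keeps a captured "Yes" from being worth anything on its own.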