Yahoo's new option to replace pw with code via SMS.
I'm putting my money on this not lasting that long. What are your thoughts?
1) This isn't multi or two factor authentication. They're trying to sell it as two factor. It isn't something you have or something you know. It is something you're 'sent' that is susceptible to MITM. SMS isn't even encrypted! SMS isn't intended for secure messages and is always sent in plain text.
2) Being creative and innovative is good and this certainly sounds attractive for the millions. But because it'll be so easily hacked the millions will quickly turn on it.
3) Someone has access to your phone and now they got your email too.
Just my 2c.
https://www.yahoo.com/tech/yahoo-introduces-on-demand-passwords-uses-your-113794671449.html
2015 Goals: Masters in Cyber Security
Comments
-
iBrokeIT Member Posts: 1,318
How is this different than what Google or Microsoft do with two factor for their accounts?
2019: GPEN | GCFE | GXPN | GICSP | CySA+
2020: GCIP | GCIA
2021: GRID | GDSA | Pentest+
2022: GMON | GDAT
2023: GREM | GSE | GCFA
WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops | SANS Grad Cert: Incident Response -
dou2ble Member Posts: 160
iBrokeIT wrote: »How is this different than what Google or Microsoft do with two factor for their accounts?
They both offer username, pw and an option to add the code via SMS. This adds a second verification step. Yahoo is replacing pw with code via SMS. Very different.
2015 Goals: Masters in Cyber Security -
Priston Member Posts: 999
OP, why no link? It might make it easier for everyone to understand what you're talking about.
https://www.yahoo.com/tech/yahoo-introduces-on-demand-passwords-uses-your-113794671449.html
If it's really only a 4 character password I wonder what they're thinking.
A.A.S. in Networking Technologies
A+, Network+, CCNA -
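The thread's two technical points, that an SMS code is "something you're sent" rather than a factor, and Priston's worry about a 4-character code, come down to keyspace and to what the server does with the code. The following is an added example, not Yahoo's code and not from the linked article: it shows the server side of an on-demand code done the way a practitioner would want it, with the code stored only as a salted hash, a short expiry, a per-code attempt cap, single use and a constant-time comparison, and it computes how much an online guesser gains from the short length. The alphabet (A-Z plus 0-9), the 4-character length, the 300-second lifetime and the 3-attempt cap are assumptions; the thread only says "4 character". None of this helps if the attacker can read the SMS itself, which is the OP's point.

```python
import hashlib
import hmac
import secrets
import string
import time

# Assumed parameters: the thread says only "4 character"; alphabet, lifetime
# and attempt cap are not stated anywhere on the page.
CODE_ALPHABET = string.ascii_uppercase + string.digits  # 36 symbols
CODE_LENGTH = 4
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


def keyspace(alphabet=CODE_ALPHABET, length=CODE_LENGTH):
    """Number of distinct codes an online guesser has to pick from."""
    return len(alphabet) ** length


def guess_probability(max_attempts=MAX_ATTEMPTS,
                      alphabet=CODE_ALPHABET, length=CODE_LENGTH):
    """Chance that a guesser wins within one code's attempt budget.
    Without an attempt cap this would be 1.0: 36**4 guesses is trivial."""
    return max_attempts / keyspace(alphabet, length)


class OnDemandCodeStore:
    """Server side of an 'on-demand password'.

    issue() returns the code that would go to the SMS gateway and keeps
    only an HMAC of it under a random salt; verify() enforces expiry,
    an attempt cap, single use and a constant-time comparison.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can control time
        self._pending = {}           # user -> {salt, digest, expires, attempts}

    @staticmethod
    def _digest(salt, code):
        return hmac.new(salt, code.encode("ascii"), hashlib.sha256).digest()

    def issue(self, user):
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        salt = secrets.token_bytes(16)
        self._pending[user] = {
            "salt": salt,
            "digest": self._digest(salt, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, user, submitted):
        rec = self._pending.get(user)
        if rec is None:
            return False                     # nothing issued, or already used/burned
        if self._clock() > rec["expires"]:
            del self._pending[user]          # expired: the code is gone for good
            return False
        rec["attempts"] += 1
        candidate = self._digest(rec["salt"], submitted.strip().upper())
        ok = hmac.compare_digest(rec["digest"], candidate)
        if ok or rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[user]          # single use, or burned after too many guesses
        return ok


if __name__ == "__main__":
    store = OnDemandCodeStore()
    code = store.issue("alice")
    print("issued", code, "keyspace", keyspace(),
          "guess probability within cap", guess_probability())
    print("verify wrong:", store.verify("alice", "0000" if code != "0000" else "1111"))
    print("verify right:", store.verify("alice", code))
    print("replay:", store.verify("alice", code))
```

With these assumed settings a guesser gets 3 tries out of 1,679,616 codes per issued code, and a fresh code means a fresh SMS, which is the only thing keeping a 4-character secret viable at all; drop the attempt cap or reuse the code across logins and the length alone offers nothing.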
dou2ble Member Posts: 160
Priston wrote: »OP, why no link? It might make it easier for everyone to understand what you're talking about.
https://www.yahoo.com/tech/yahoo-introduces-on-demand-passwords-uses-your-113794671449.html
If it's really only a 4 character password I wonder what they're thinking.
Thanks! I'll add it now. I think they want to become famous like Sony and Target.
2015 Goals: Masters in Cyber Security -
veritas_libertas Member Posts: 5,746
Seems to me like it's moving the risk, not lowering it. Now all I need is your phone? I'm not sure how this works based on the web site. Maybe after you log in, every site that is tied (federated) to your Yahoo account will make you type in the password that is sent to you by text?
-
varelg Banned Posts: 790
The trick is to get your phone number and then sell it to telemarketers. There's nothing there that says "Yahoo taking care of security of its clients"...
Everything AOL portal used to be is now how it is with Yahoo. -
wd40 Member Posts: 1,017
veritas_libertas wrote: »Seems to me like it's moving the risk, not lowering it. Now all I need is your phone? I'm not sure how this works based on the web site. Maybe after you log in, every site that is tied (federated) to your Yahoo account will make you type in the password that is sent to you by text?
If you have my phone (and can unlock it) you will have access to all my e-mails accounts + some other sites / apps, no need to wait for an SMS from Yahoo!
This is a scary thought, I need a stronger password for my phone -
Priston Member Posts: 999
With notifications enabled on the locked screen, you might be able to see it displayed without unlocking it...
A.A.S. in Networking Technologies
A+, Network+, CCNA -
dou2ble Member Posts: 160
Here's an interesting article on GSM encryption. It was written in 2012 and says that in the US we use A5/1. "A5/1 is stronger, but not very strong. It uses a 64-bit key". Not sure if the encryption standard used has gotten better. This article also talks about SMS interception and MITM.
encryption - How hard is it to intercept SMS (two-factor authentication)? - Information Security Stack Exchange
This next article written in 2013 states that GSM encryption was hacked years ago so CDMA is considered more secure but not impenetrable and end to end encryption is recommended.
phone - Which is safer, GSM or CDMA? - Information Security Stack Exchange
2015 Goals: Masters in Cyber Security