Yahoo's new option to replace pw with code via SMS.

dou2ble

I'm putting my money on this not lasting that long. What are your thoughts?

1) This isn't multi or two factor authentication. They're trying to sell it as two factor. It isn't something you have or something you know. It is something you're 'sent' that is susceptible to MITM. SMS isn't even encrypted! SMS isn't intended for secure messages and is always sent in plain text.

2) Being creative and innovative is good and this certainly sounds attractive for the millions. But because it'll be so easily hacked the millions will quickly turn on it.

3) Someone has access to your phone and now they got your email too.

Just my 2c.

https://www.yahoo.com/tech/yahoo-introduces-on-demand-passwords-uses-your-113794671449.html

iBrokeIT

How is this different than what Google or Microsoft do with two factor for their accounts?

dou2ble

iBrokeIT wrote: »

How is this different than what Google or Microsoft do with two factor for their accounts?

They both offer username, pw and an option to add the code via SMS. This adds a second verification step. Yahoo is replacing pw with code via SMS. Very different.

Priston

OP, why no link? It might make it easier for everyone to understand what your talking about.
https://www.yahoo.com/tech/yahoo-introduces-on-demand-passwords-uses-your-113794671449.html

If it's really only a 4 character password I wonder what they're thinking.

dou2ble

Priston wrote: »

OP, why no link? It might make it easier for everyone to understand what your talking about.
https://www.yahoo.com/tech/yahoo-introduces-on-demand-passwords-uses-your-113794671449.html

If it's really only a 4 character password I wonder what they're thinking.

Thanks! I'll add it now. I think they want to become famous like Sony and Target.

veritas_libertas

Seems to me like it's moving the risk, not lowering it. Now all I need is your phone? I'm not sure how this works based on the web site. Maybe after you log-in, ever site that is tied (federated) to your Yahoo account will make you type in the password that is sent to you by text?

varelg

The trick is to get your phone number and then sell it to telemarketers. There's nothing there that says "Yahoo taking care of security of its clients"...
Everything AOL portal used to be is now how it is with Yahoo.

wd40

veritas_libertas wrote: »

Seems to me like it's moving the risk, not lowering it. Now all I need is your phone? I'm not sure how this works based on the web site. Maybe after you log-in, ever site that is tied (federated) to your Yahoo account will make you type in the password that is sent to you by text?

If you have my phone (and can unlock it) you will have access to all my e-mails accounts + some other sites / apps, no need to wait for an SMS from Yahoo!

This is a scary thought, I need a stronger password for my phone

Priston

With notifications enabled on the locked screen, you might be able to see it displayed without unlocking it...

dou2ble

Here's an interesting article on GSM encryption. It was written in 2012 and says that in the US we use A5/1. "A5/1 is stronger, but not very strong. It uses a 64-bit key". Not sure if the encryption standard used has gotten better. This article also talks about SMS interception and MITM.
encryption - How hard is it to intercept SMS (two-factor authentication)? - Information Security Stack Exchange

This next article written in 2013 states that GSM encryption was hacked years ago so CDMA is considered more secure but not impenetrable and end to end encryption is recommended.
phone - Which is safer, GSM or CDMA? - Information Security Stack Exchange