Yahoo's new option to replace pw with code via SMS.

dou2bledou2ble Member Posts: 160
I'm putting my money on this not lasting that long. What are your thoughts?

1) This isn't multi or two factor authentication. They're trying to sell it as two factor. It isn't something you have or something you know. It is something you're 'sent' that is susceptible to MITM. SMS isn't even encrypted! SMS isn't intended for secure messages and is always sent in plain text.

2) Being creative and innovative is good and this certainly sounds attractive for the millions. But because it'll be so easily hacked the millions will quickly turn on it.

3) Someone has access to your phone and now they got your email too.

Just my 2c.

https://www.yahoo.com/tech/yahoo-introduces-on-demand-passwords-uses-your-113794671449.html
2015 Goals: Masters in Cyber Security
Failed to load the poll.

Comments

  • iBrokeITiBrokeIT Member Posts: 1,318 ■■■■■■■■■□
    How is this different than what Google or Microsoft do with two factor for their accounts?
    2019: GPEN | GCFE | GXPN | GICSP | CySA+ 
    2020: GCIP | GCIA 
    2021: GRID | GDSA | Pentest+ 
    2022: GMON | GDAT
    2023: GREM  | GSE | GCFA

    WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops SANS Grad Cert: Incident Response
  • dou2bledou2ble Member Posts: 160
    iBrokeIT wrote: »
    How is this different than what Google or Microsoft do with two factor for their accounts?

    They both offer username, pw and an option to add the code via SMS. This adds a second verification step. Yahoo is replacing pw with code via SMS. Very different.
    2015 Goals: Masters in Cyber Security
  • PristonPriston Member Posts: 999 ■■■■□□□□□□
    OP, why no link? It might make it easier for everyone to understand what your talking about.
    https://www.yahoo.com/tech/yahoo-introduces-on-demand-passwords-uses-your-113794671449.html

    If it's really only a 4 character password I wonder what they're thinking.
    A.A.S. in Networking Technologies
    A+, Network+, CCNA
  • dou2bledou2ble Member Posts: 160
    Priston wrote: »
    OP, why no link? It might make it easier for everyone to understand what your talking about.
    https://www.yahoo.com/tech/yahoo-introduces-on-demand-passwords-uses-your-113794671449.html

    If it's really only a 4 character password I wonder what they're thinking.

    Thanks! I'll add it now. I think they want to become famous like Sony and Target.
    2015 Goals: Masters in Cyber Security
  • veritas_libertasveritas_libertas Member Posts: 5,746 ■■■■■■■■■■
    Seems to me like it's moving the risk, not lowering it. Now all I need is your phone? I'm not sure how this works based on the web site. Maybe after you log-in, ever site that is tied (federated) to your Yahoo account will make you type in the password that is sent to you by text?
  • varelgvarelg Banned Posts: 790
    The trick is to get your phone number and then sell it to telemarketers. There's nothing there that says "Yahoo taking care of security of its clients"...
    Everything AOL portal used to be is now how it is with Yahoo.
  • wd40wd40 Member Posts: 1,017 ■■■■□□□□□□
    Seems to me like it's moving the risk, not lowering it. Now all I need is your phone? I'm not sure how this works based on the web site. Maybe after you log-in, ever site that is tied (federated) to your Yahoo account will make you type in the password that is sent to you by text?

    If you have my phone (and can unlock it) you will have access to all my e-mails accounts + some other sites / apps, no need to wait for an SMS from Yahoo!

    This is a scary thought, I need a stronger password for my phone :D
  • PristonPriston Member Posts: 999 ■■■■□□□□□□
    With notifications enabled on the locked screen, you might be able to see it displayed without unlocking it...
    A.A.S. in Networking Technologies
    A+, Network+, CCNA
  • dou2bledou2ble Member Posts: 160
    Here's an interesting article on GSM encryption. It was written in 2012 and says that in the US we use A5/1. "A5/1 is stronger, but not very strong. It uses a 64-bit key". Not sure if the encryption standard used has gotten better. This article also talks about SMS interception and MITM.
    encryption - How hard is it to intercept SMS (two-factor authentication)? - Information Security Stack Exchange

    This next article written in 2013 states that GSM encryption was hacked years ago so CDMA is considered more secure but not impenetrable and end to end encryption is recommended.
    phone - Which is safer, GSM or CDMA? - Information Security Stack Exchange
    2015 Goals: Masters in Cyber Security
Sign In or Register to comment.