Yahoo Deploys Passwordless Account Key Tool
In hopes of eliminating the password, at least on the company’s mobile apps, Yahoo on Friday deployed a stable version of its Account Key mechanism. The feature, essentially two-step authentication—without the first step—allows Yahoo users to log in to the company’s Finance, Fantasy, Mail, Messenger, or Sports apps on iOS and Android devices. When users attempt to log in to an app, they receive a push notification on their device; from there they can simply tap and log in.
Assuming users stay logged into the apps on their phone, they’ll remain logged in, but won’t truly have access until they authenticate themselves and verify they’re using their device via the push notification. It’s the latest move the company has made to distance itself from passwords.
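The flow described above, reduced to its security-relevant parts, as an added example that is not part of the original article and not Yahoo’s implementation: the server starts a login for a username without asking for a password, pushes a challenge to the device enrolled for that user, and issues a session only when the device returns an approval bound to that specific challenge. The device key, challenge TTL, and HMAC-based approval are assumptions chosen for illustration; the point is the checks a server must make (unexpired, single-use, from the enrolled device) before a tap becomes a login.

```python
"""Simulated push-approval login (hypothetical design, not Yahoo Account Key).

Server side: create a pending challenge, push it to the enrolled device,
verify the device's approval. Device side: hold a per-device key created at
enrolment and answer a push by MACing the challenge with that key."""
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # seconds a pending login stays valid (assumed value)


def _approval_message(challenge):
    """Canonical bytes both sides MAC: ties the approval to one challenge."""
    return f"{challenge['id']}:{challenge['username']}:{challenge['issued']}".encode()


class Device:
    """The user's phone. The key is shared with the server at enrolment."""

    def __init__(self, device_id):
        self.device_id = device_id
        self.key = secrets.token_bytes(32)
        self.inbox = []  # push notifications received from the server

    def receive_push(self, challenge):
        self.inbox.append(challenge)

    def approve(self, challenge):
        """The user taps 'yes': return an HMAC over the challenge so the
        server can check the approval came from this enrolled device."""
        return hmac.new(self.key, _approval_message(challenge), hashlib.sha256).hexdigest()


class LoginServer:
    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so expiry can be exercised in tests
        self.devices = {}       # username -> enrolled Device
        self.pending = {}       # challenge id -> challenge record
        self.sessions = {}      # session token -> username

    def enroll(self, username, device):
        self.devices[username] = device

    def start_login(self, username):
        """Two-step without the first step: no password prompt, just a push
        to the enrolled device. Returns the challenge id the app waits on."""
        device = self.devices[username]
        challenge = {
            "id": secrets.token_urlsafe(16),
            "username": username,
            "issued": int(self.clock()),
        }
        self.pending[challenge["id"]] = challenge
        device.receive_push(challenge)
        return challenge["id"]

    def deny_login(self, challenge_id):
        """The user taps 'no' (or ignores the push): drop the pending login."""
        self.pending.pop(challenge_id, None)

    def complete_login(self, challenge_id, approval_mac):
        """Issue a session only if the challenge is known, unexpired, and the
        MAC matches the enrolled device's key. pop() makes it single-use."""
        challenge = self.pending.pop(challenge_id, None)
        if challenge is None:
            return None  # unknown, already used, or denied
        if self.clock() - challenge["issued"] > CHALLENGE_TTL:
            return None  # stale push; the user must start over
        device = self.devices[challenge["username"]]
        expected = hmac.new(device.key, _approval_message(challenge), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, approval_mac):
            return None  # approval did not come from the enrolled device
        session = secrets.token_urlsafe(24)
        self.sessions[session] = challenge["username"]
        return session


def demo():
    """Happy path plus the failure modes the server must reject."""
    now = [1_000_000]
    server = LoginServer(clock=lambda: now[0])
    phone = Device("phone-1")
    server.enroll("alice", phone)

    cid = server.start_login("alice")                       # push goes out
    session = server.complete_login(cid, phone.approve(phone.inbox[-1]))
    replay = server.complete_login(cid, phone.approve(phone.inbox[-1]))  # reuse

    cid2 = server.start_login("alice")
    now[0] += CHALLENGE_TTL + 1                             # approval too late
    stale = server.complete_login(cid2, phone.approve(phone.inbox[-1]))

    cid3 = server.start_login("alice")
    rogue = Device("phone-2")                               # never enrolled
    forged = server.complete_login(cid3, rogue.approve(phone.inbox[-1]))

    return {"session": session, "user": server.sessions.get(session),
            "replay": replay, "stale": stale, "forged": forged}


if __name__ == "__main__":
    print(demo())
```

The single-use and expiry checks matter because a push that can be approved twice, or long after it was sent, turns the "just tap" convenience into a way to silently attach a session to a login the user did not start; tying the approval to the enrolled device's key is what stands in for the password the design removes.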
“Passwords can be a hassle – they’re easy to lose track of and forget, or they are weak passwords that are vulnerable to hacking,” Lovlesh Chhabra, Yahoo’s Product Manager, wrote on the company’s security blog. It was around this time last year that the company began floating the idea of on-the-go passwords. Similar to Account Key, users could phase out using their password and rely on their mobile phone to authenticate themselves.
After opting into the program, users could choose to have an on-demand password texted to them that they could use to log in to Yahoo services. The company announced Account Key, which weaves in some concepts from its on-the-go passwords initiative, last October, claiming the mechanism was the latest part of its mission to “kill the password” and help usher in a “password-free future.” Privacy advocates have long argued over the obsolescence of passwords, but it’s still unclear exactly how far away the future Yahoo dreams of is.
Mozilla tried to rally internet denizens around an authentication system, Persona, in an attempt to rid the web of passwords in 2011. The decentralized system relied on email addresses to authenticate users, which developers claimed would spare users from having to enter a password for every new site they visit. While Mozilla released beta versions of Persona in 2012 and 2013, it announced in January that due to low adoption rates and limited resources it plans to decommission the tool by Nov. 30.
Nearly four years after a breach that spilled 450,000 of its users’ email addresses and passwords, Yahoo has taken an increasingly progressive stance on privacy. At the tail end of last year, Bob Lord, the company’s Chief Information Security Officer, announced it would follow in the footsteps of Twitter and notify users of state-sponsored attacks.
It appears the company’s partnership with the independent bug bounty program HackerOne has proved beneficial as well. Since launching the program in 2013, Yahoo has closed 2,875 reports and awarded over $1 million to vulnerability researchers, including a hefty $10,000 bounty to Finnish researcher Jouko Pynnonen for a critical bug in Yahoo Mail in January this year.
Source | ThreatPost