Yahoo Account Key: Convenience Over Security

Yahoo Account Key: Convenience Over Security

Passwords have had their time and day; now it is time for wireless access control

Many companies are developing new ways to handle access control and identity authentication for their customers to combat the increasing number of security breaches and the acknowledged flaws in the PIN and password model. Yahoo is the latest company to deploy a service aimed at replacing the password.

Yahoo recently released a funtion that allows its customers to log in to their email accounts “without a password.” The new service, called Yahoo Account Key, uses push notifications to provide a “fast and secure way” for customers to access their email accounts.

When using the service, one can easily arrive at the conclusion that Yahoo is focusing on convenience at the expense of security. The service is being promoted as a way to free customers from “memorizing complicated passwords, making signing in to [the] Yahoo Mail app easy as tapping a button.”

But, in reality, it still relies on the traditional password model since customers need their existing account credentials to enroll in the service. The feature is not groundbreaking in and of itself. It relies on one of the tenets of cyber security “something you have” and also appears to mirror the Apple security model, which relies on eco-system devices to ensure enrollment of any new ones. There are three parts to the Yahoo Account Key service: enrollment, certification and usage.

Enrollment: To start using the service, a Yahoo customer needs to download the new Yahoo Mail app from the Apple or Google Play stores. The user logs in to email with an existing username and password, turns on the Account Key functionality in Settings and registers his/her smartphone to the account. Certification: To use the Yahoo Account key from a laptop, desktop or new device, the user is asked to generate a GUID from the Yahoo Account Key on the mobile app.

Usage: Accessing email from the website will prompt a message that the Account Key was sent to the mobile device, and the user clicks “Yes” or “No” to allow or deny access.

Enrollment uses a two-factor approach, specifically username and password, plus the mobile device. After a device is certified (linked to the account), authentication then falls to a single factor – the Account Key – for usage, which makes up the bulk of activity.

The solution seemingly addresses one of the biggest problems with the PIN and password model, where people use simple passwords that are easily hacked or re-use the same password across several sites, because they have difficulty remembering multiple credentials.

There is no doubt that PINs and passwords must be eliminated across all industries – from financial services to healthcare to consumer services – to better protect consumers’ private information and reduce fraud. However, while Yahoo’s Account Key has some advantages over the traditional PIN and password model and is certainly a good first stab at making access easier for Yahoo customers, there are significant disadvantages, as well.

Clearly, the major advantage for the consumer is convenience. Once the link is established between the smartphone and the account, users only have to click a button on their device to get access to their email. Also, while a person will need the username and password to set up the Yahoo email account and enable the Account Key, he or she will only need to remember the email username thereafter. This alleviates the need to remember and track the password moving forward.

From a security perspective, however, the disadvantages far outweigh the advantages.

First, the solution requires a password for enrollment so the dependency on the traditional model is still present. And while providing access to online accounts based on who has access to a mobile device is certainly convenient for the consumer, it is not highly secure. All an unauthorized user would need to access an account is a person’s Yahoo username and the mobile phone. Also, since this solution provides devicespecific authentication, consumers will still need to manage their multiple physical devices, accounts and services. This is because many people use more than one authorization and/or messaging application. A user would also need to remember to de-authorize a device from those services if he or she changes devices or phone numbers.

Additionally, if someone loses or misplaces the device, the safe guard protecting the information is the passcode on the device, which is easily viewed or hacked. That is assuming a person uses a passcode on the device in the first place or a fingerprint in the case of Touch ID. If he or she doesn’t, the information is fully open to anyone finding or using the device.

Another major disadvantage is that the service depends on having cellular coverage. Without cell service, the Account Key authorization process does not work.

Then, there is the question of adoption. Will Yahoo’s customer base use the new authorization solution? It’s too soon to tell, but recent history at Yahoo shows that mass adoption is not guaranteed. The company debuted a password solution this past March called On-Demand, where U.S. customers could opt in to receive one-time passwords texted to their mobile phones when they wanted to log in to their account. However, one of Yahoo’s senior leaders was quoted in the news recently saying that only three or four percent of Yahoo’s 225 million monthly active users had implemented On-Demand passwords.

Another potential deterrent to adoption is that the Yahoo Account Key requires a smartphone. It also requires backup email addresses and phone numbers to be registered so that a person’s identity can be verified in the event that a device is lost or stolen. Some consumers may not have a smartphone, and those who do may not want to provide additional email and phone information.

To mitigate or remove these risks, a biometric authentication solution can be used in conjunction with, or in lieu of, the Yahoo Account Key so the “something you have”—your mobile device—is paired with “something you are”—your unique biometrics.

Biometrics and new biometric technologies ensure a more reliable, secure way to combat identity theft and fraud. Without biometric authentication, Yahoo is missing a key value attribute – tying a transaction to a non-repudiable biometric vector.

For example, biometric vectors in use today link a person to a device and an action. Augmenting the Yahoo service with a biometric authentication solution, like the Hoyos 1UApp, would reduce the attack surface during certification and usage, thus mitigating risk by filling in the gaps of single-factor authentication.

Removing the risks entirely would require replacing the Yahoo Account Key with a more robust solution like the Hoyos Labs BOPS ecosystem. BOPS seamlessly ensures that every action is biometrically tied to an individual, which provides the added benefit of non-repudiable transactions while providing unprecedented levels of security and convenience.

The BOPS ecosystem includes multiple biometrics, such as face, voice, fingerprint, iris and a new biometric technology called 4FingerID, all of which can be used in lieu of SMS-based security technologies like Yahoo Account Key. Specifically, 4FingerID provides the convenience factor, because it captures four fingerprints simultaneously using a smartphone. The phone’s flash is the light source so the technology can be used in any condition, and the resulting biometric provides 150 degrees of freedom and significantly better accuracy than today’s commonly used fingerprint model.

In conclusion, while Yahoo’s release of this new service makes for a more convenient way to access accounts than memorizing passwords, consumers likely do not understand the inherent risks of the Account Key security model. It may be acceptable for some consumers who handle low-risk data and transactions, but it should never be used if the data associated with their accounts requires a high level of privacy and security.

This article originally appeared in the May 2016 issue of Security Today.

Featured

  • Allegion, Comfort Technologies Implement Mobile Credentials at the Artisan Apartment Homes in Florida

    Artisan Apartment Homes, a luxury apartment complex in Dunedin, Florida, recently transitioned from mechanical keys to electronic locks and centralized system software with support from Allegion US, a leading provider of security solutions, technology and services, and Florida-based Comfort Technologies, which specializes in deploying multifamily access control, IoT devices and software management solutions. Read Now

  • Mall of America Deploys AI-Powered Analytics to Enhance Parking Intelligence

    Mall of America®, the largest shopping and entertainment complex in North America, announced an expansion of its ongoing partnership with Axis Communications to deploy cutting-edge car-counting video analytics across more than a dozen locations. With this expansion, Mall of America (MOA) has boosted operational efficiency, improved safety and security, and enabled more informed decision-making around employee scheduling and streamlining transportation for large events. Read Now

  • Security Industry Association Launches New “askSIA” AI Tool

    The Security Industry Association (SIA) has unveiled a brand-new SIA member benefit – askSIA, a conversational AI agent designed to help users get the most out of their SIA membership, easily access SIA resources and find the latest information on SIA’s training and courses, reports and publications, events, certification offerings and more. SIA members can easily find askSIA by visiting the SIA homepage or looking for the askSIA icon in the top left of webpages. Read Now

    • Industry Events
  • Industry Embraces Mobile Access, Biometrics and AI

    A combination of evolving workplace dynamics, technology innovation and new user expectations is changing how people enter and interact with physical spaces. Access control is at the heart of these changes. Combined with biometrics and AI, mobile access control has become increasingly crucial for deploying entry solutions that are seamless, secure and adaptive to user needs. Read Now

  • Sustainable Video Solution Delivered for Landmark City of London Office Development

    An advanced, end-to-end video solution from IDIS, with a focus on reducing waste and costs, has helped a major office development in the City of London align its security with sustainability objectives. Read Now

New Products

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file.

  • QCS7230 System-on-Chip (SoC)

    QCS7230 System-on-Chip (SoC)

    The latest Qualcomm® Vision Intelligence Platform offers next-generation smart camera IoT solutions to improve safety and security across enterprises, cities and spaces. The Vision Intelligence Platform was expanded in March 2022 with the introduction of the QCS7230 System-on-Chip (SoC), which delivers superior artificial intelligence (AI) inferencing at the edge.

  • ResponderLink

    ResponderLink

    Shooter Detection Systems (SDS), an Alarm.com company and a global leader in gunshot detection solutions, has introduced ResponderLink, a groundbreaking new 911 notification service for gunshot events. ResponderLink completes the circle from detection to 911 notification to first responder awareness, giving law enforcement enhanced situational intelligence they urgently need to save lives. Integrating SDS’s proven gunshot detection system with Noonlight’s SendPolice platform, ResponderLink is the first solution to automatically deliver real-time gunshot detection data to 911 call centers and first responders. When shots are detected, the 911 dispatching center, also known as the Public Safety Answering Point or PSAP, is contacted based on the gunfire location, enabling faster initiation of life-saving emergency protocols.