Yahoo Account Key: Convenience Over Security

Passwords have had their time and day; now it is time for wireless access control

• By Hector Hoyos
• May 01, 2016

Many companies are developing new ways to handle access control and identity authentication for their customers to combat the increasing number of security breaches and the acknowledged flaws in the PIN and password model. Yahoo is the latest company to deploy a service aimed at replacing the password.

Yahoo recently released a funtion that allows its customers to log in to their email accounts “without a password.” The new service, called Yahoo Account Key, uses push notifications to provide a “fast and secure way” for customers to access their email accounts.

When using the service, one can easily arrive at the conclusion that Yahoo is focusing on convenience at the expense of security. The service is being promoted as a way to free customers from “memorizing complicated passwords, making signing in to [the] Yahoo Mail app easy as tapping a button.”

But, in reality, it still relies on the traditional password model since customers need their existing account credentials to enroll in the service. The feature is not groundbreaking in and of itself. It relies on one of the tenets of cyber security “something you have” and also appears to mirror the Apple security model, which relies on eco-system devices to ensure enrollment of any new ones. There are three parts to the Yahoo Account Key service: enrollment, certification and usage.

Enrollment: To start using the service, a Yahoo customer needs to download the new Yahoo Mail app from the Apple or Google Play stores. The user logs in to email with an existing username and password, turns on the Account Key functionality in Settings and registers his/her smartphone to the account. Certification: To use the Yahoo Account key from a laptop, desktop or new device, the user is asked to generate a GUID from the Yahoo Account Key on the mobile app.

Usage: Accessing email from the website will prompt a message that the Account Key was sent to the mobile device, and the user clicks “Yes” or “No” to allow or deny access.

Enrollment uses a two-factor approach, specifically username and password, plus the mobile device. After a device is certified (linked to the account), authentication then falls to a single factor – the Account Key – for usage, which makes up the bulk of activity.

The solution seemingly addresses one of the biggest problems with the PIN and password model, where people use simple passwords that are easily hacked or re-use the same password across several sites, because they have difficulty remembering multiple credentials.

There is no doubt that PINs and passwords must be eliminated across all industries – from financial services to healthcare to consumer services – to better protect consumers’ private information and reduce fraud. However, while Yahoo’s Account Key has some advantages over the traditional PIN and password model and is certainly a good first stab at making access easier for Yahoo customers, there are significant disadvantages, as well.

Clearly, the major advantage for the consumer is convenience. Once the link is established between the smartphone and the account, users only have to click a button on their device to get access to their email. Also, while a person will need the username and password to set up the Yahoo email account and enable the Account Key, he or she will only need to remember the email username thereafter. This alleviates the need to remember and track the password moving forward.

From a security perspective, however, the disadvantages far outweigh the advantages.

First, the solution requires a password for enrollment so the dependency on the traditional model is still present. And while providing access to online accounts based on who has access to a mobile device is certainly convenient for the consumer, it is not highly secure. All an unauthorized user would need to access an account is a person’s Yahoo username and the mobile phone. Also, since this solution provides devicespecific authentication, consumers will still need to manage their multiple physical devices, accounts and services. This is because many people use more than one authorization and/or messaging application. A user would also need to remember to de-authorize a device from those services if he or she changes devices or phone numbers.

Additionally, if someone loses or misplaces the device, the safe guard protecting the information is the passcode on the device, which is easily viewed or hacked. That is assuming a person uses a passcode on the device in the first place or a fingerprint in the case of Touch ID. If he or she doesn’t, the information is fully open to anyone finding or using the device.

Another major disadvantage is that the service depends on having cellular coverage. Without cell service, the Account Key authorization process does not work.

Then, there is the question of adoption. Will Yahoo’s customer base use the new authorization solution? It’s too soon to tell, but recent history at Yahoo shows that mass adoption is not guaranteed. The company debuted a password solution this past March called On-Demand, where U.S. customers could opt in to receive one-time passwords texted to their mobile phones when they wanted to log in to their account. However, one of Yahoo’s senior leaders was quoted in the news recently saying that only three or four percent of Yahoo’s 225 million monthly active users had implemented On-Demand passwords.

Another potential deterrent to adoption is that the Yahoo Account Key requires a smartphone. It also requires backup email addresses and phone numbers to be registered so that a person’s identity can be verified in the event that a device is lost or stolen. Some consumers may not have a smartphone, and those who do may not want to provide additional email and phone information.

To mitigate or remove these risks, a biometric authentication solution can be used in conjunction with, or in lieu of, the Yahoo Account Key so the “something you have”—your mobile device—is paired with “something you are”—your unique biometrics.

Biometrics and new biometric technologies ensure a more reliable, secure way to combat identity theft and fraud. Without biometric authentication, Yahoo is missing a key value attribute – tying a transaction to a non-repudiable biometric vector.

For example, biometric vectors in use today link a person to a device and an action. Augmenting the Yahoo service with a biometric authentication solution, like the Hoyos 1UApp, would reduce the attack surface during certification and usage, thus mitigating risk by filling in the gaps of single-factor authentication.

Removing the risks entirely would require replacing the Yahoo Account Key with a more robust solution like the Hoyos Labs BOPS ecosystem. BOPS seamlessly ensures that every action is biometrically tied to an individual, which provides the added benefit of non-repudiable transactions while providing unprecedented levels of security and convenience.

The BOPS ecosystem includes multiple biometrics, such as face, voice, fingerprint, iris and a new biometric technology called 4FingerID, all of which can be used in lieu of SMS-based security technologies like Yahoo Account Key. Specifically, 4FingerID provides the convenience factor, because it captures four fingerprints simultaneously using a smartphone. The phone’s flash is the light source so the technology can be used in any condition, and the resulting biometric provides 150 degrees of freedom and significantly better accuracy than today’s commonly used fingerprint model.

In conclusion, while Yahoo’s release of this new service makes for a more convenient way to access accounts than memorizing passwords, consumers likely do not understand the inherent risks of the Account Key security model. It may be acceptable for some consumers who handle low-risk data and transactions, but it should never be used if the data associated with their accounts requires a high level of privacy and security.

This article originally appeared in the May 2016 issue of Security Today.