Yahoo Account Key: Convenience Over Security

Passwords have had their day; now it is time for wireless access control

Many companies are developing new ways to handle access control and identity authentication for their customers to combat the increasing number of security breaches and the acknowledged flaws in the PIN and password model. Yahoo is the latest company to deploy a service aimed at replacing the password.

Yahoo recently released a function that allows its customers to log in to their email accounts “without a password.” The new service, called Yahoo Account Key, uses push notifications to provide a “fast and secure way” for customers to access their email accounts.

When using the service, one can easily arrive at the conclusion that Yahoo is focusing on convenience at the expense of security. The service is being promoted as a way to free customers from “memorizing complicated passwords, making signing in to [the] Yahoo Mail app easy as tapping a button.”

But, in reality, it still relies on the traditional password model since customers need their existing account credentials to enroll in the service. The feature is not groundbreaking in and of itself. It relies on one of the tenets of cybersecurity, “something you have,” and also appears to mirror the Apple security model, which relies on already-trusted devices in the ecosystem to enroll new ones. There are three parts to the Yahoo Account Key service: enrollment, certification and usage.

Enrollment: To start using the service, a Yahoo customer needs to download the new Yahoo Mail app from the Apple App Store or Google Play. The user logs in to email with an existing username and password, turns on the Account Key functionality in Settings and registers his/her smartphone to the account.

Certification: To use the Yahoo Account Key from a laptop, desktop or new device, the user is asked to generate a GUID from the Yahoo Account Key on the mobile app.

Usage: Accessing email from the website will prompt a message that the Account Key was sent to the mobile device, and the user clicks “Yes” or “No” to allow or deny access.

Enrollment uses a two-factor approach, specifically username and password (something you know) plus the mobile device (something you have). After a device is certified (linked to the account), authentication falls to a single factor – possession of the Account Key device – for usage, which makes up the bulk of activity.
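The three phases described above, modelled as an added example; this is constructed illustration code, not Yahoo's implementation, and every class, method and constant name (AccountService, device_sign, CHALLENGE_TTL, the 60-second lifetime) is an assumption. It makes the article's point visible in code: the password is checked exactly once, at enrollment, and every later login succeeds for whoever holds an enrolled device's secret. It also shows the server-side controls a push-approval design needs to be sound on its own terms: each challenge is a fresh random nonce, bound to one login attempt, single-use and short-lived, and the device answers with an HMAC rather than a bare "Yes".

```python
"""Constructed model of a push-approval login: enrollment, certification, usage.
Not Yahoo's code; all names and the 60-second lifetime are assumptions."""
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # seconds an unanswered push or link code stays valid (assumption)


def device_sign(secret: bytes, challenge_id: str, nonce: bytes) -> bytes:
    """What the enrolled phone computes when the user taps 'Yes' on the push."""
    return hmac.new(secret, challenge_id.encode() + nonce, "sha256").digest()


class AccountService:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._passwords = {}   # username -> (salt, pbkdf2 hash): checked at enrollment only
        self._devices = {}     # username -> {device_id: shared secret}: 'something you have'
        self._link_codes = {}  # one-time code -> (username, expires_at)
        self._challenges = {}  # challenge_id -> (username, nonce, expires_at)

    def create_account(self, username, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._passwords[username] = (salt, digest)

    def _password_ok(self, username, password):
        if username not in self._passwords:
            return False
        salt, stored = self._passwords[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, stored)

    # Enrollment: username + password + phone. The only step that sees the password.
    def enroll_device(self, username, password, device_id):
        if not self._password_ok(username, password):
            raise PermissionError("enrollment requires the account password")
        secret = secrets.token_bytes(32)
        self._devices.setdefault(username, {})[device_id] = secret
        return secret  # stored on the phone; it never leaves the device again

    # Certification: an already-enrolled phone mints a one-time code for a new device.
    def issue_link_code(self, username, device_id):
        if device_id not in self._devices.get(username, {}):
            raise PermissionError("only an enrolled device may certify another")
        code = secrets.token_urlsafe(16)
        self._link_codes[code] = (username, self._clock() + CHALLENGE_TTL)
        return code

    def redeem_link_code(self, code, new_device_id):
        username, expires_at = self._link_codes.pop(code, (None, 0))  # single use
        if username is None or self._clock() > expires_at:
            raise PermissionError("link code unknown, already used or expired")
        secret = secrets.token_bytes(32)
        self._devices[username][new_device_id] = secret
        return secret

    # Usage: the website needs only the username; a fresh challenge is pushed out.
    def start_login(self, username):
        if not self._devices.get(username):
            raise PermissionError("no enrolled device; fall back to password login")
        challenge_id = secrets.token_urlsafe(16)
        nonce = secrets.token_bytes(16)
        self._challenges[challenge_id] = (username, nonce, self._clock() + CHALLENGE_TTL)
        return challenge_id, nonce  # delivered to the enrolled device(s) by push

    def approve(self, challenge_id, device_id, tag):
        # pop() makes every challenge single-use: a replay or a wrong answer burns it
        username, nonce, expires_at = self._challenges.pop(challenge_id, (None, b"", 0))
        if username is None or self._clock() > expires_at:
            return False
        secret = self._devices[username].get(device_id)
        if secret is None:
            return False
        return hmac.compare_digest(device_sign(secret, challenge_id, nonce), tag)

    def deny(self, challenge_id):
        self._challenges.pop(challenge_id, None)  # the user tapped 'No'


class FakeClock:
    """Controllable clock so the expiry path can be exercised deterministically."""
    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now


def demo():
    """Walk through all three phases and report what the server accepted."""
    clock = FakeClock()
    svc = AccountService(clock)
    svc.create_account("alice", "correct horse battery staple")  # constructed account
    phone = svc.enroll_device("alice", "correct horse battery staple", "phone-1")
    laptop = svc.redeem_link_code(svc.issue_link_code("alice", "phone-1"), "laptop-1")

    cid, nonce = svc.start_login("alice")
    approved = svc.approve(cid, "phone-1", device_sign(phone, cid, nonce))
    replay = svc.approve(cid, "phone-1", device_sign(phone, cid, nonce))  # same challenge again

    cid2, nonce2 = svc.start_login("alice")
    laptop_works = svc.approve(cid2, "laptop-1", device_sign(laptop, cid2, nonce2))

    cid3, nonce3 = svc.start_login("alice")
    clock.now += CHALLENGE_TTL + 1  # push left unanswered past its lifetime
    expired = svc.approve(cid3, "phone-1", device_sign(phone, cid3, nonce3))

    try:
        svc.enroll_device("alice", "not the password", "phone-2")
        enroll_without_password = True
    except PermissionError:
        enroll_without_password = False

    return {"approved": approved, "replay": replay, "laptop_works": laptop_works,
            "expired": expired, "enroll_without_password": enroll_without_password}


if __name__ == "__main__":
    print(demo())
```

Note what the model does not do: nothing in the usage phase asks who is holding the phone. The device secret, once enrolled, is the whole credential, which is exactly why the article treats the device passcode as the last remaining safeguard.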

The solution seemingly addresses one of the biggest problems with the PIN and password model, where people use simple passwords that are easily hacked or re-use the same password across several sites, because they have difficulty remembering multiple credentials.

There is no doubt that PINs and passwords must be eliminated across all industries – from financial services to healthcare to consumer services – to better protect consumers’ private information and reduce fraud. However, while Yahoo’s Account Key has some advantages over the traditional PIN and password model and is certainly a good first stab at making access easier for Yahoo customers, there are significant disadvantages, as well.

Clearly, the major advantage for the consumer is convenience. Once the link is established between the smartphone and the account, users only have to click a button on their device to get access to their email. Also, while a person will need the username and password to set up the Yahoo email account and enable the Account Key, he or she will only need to remember the email username thereafter. This alleviates the need to remember and track the password moving forward.

From a security perspective, however, the disadvantages far outweigh the advantages.

First, the solution requires a password for enrollment, so the dependency on the traditional model is still present. And while providing access to online accounts based on who has access to a mobile device is certainly convenient for the consumer, it is not highly secure. All an unauthorized user would need to access an account is a person’s Yahoo username and the mobile phone. Also, since this solution provides device-specific authentication, consumers will still need to manage their multiple physical devices, accounts and services. This is because many people use more than one authorization and/or messaging application. A user would also need to remember to de-authorize a device from those services if he or she changes devices or phone numbers.

Additionally, if someone loses or misplaces the device, the safeguard protecting the information is the passcode on the device, which is easily viewed or hacked. That is assuming a person uses a passcode on the device in the first place, or a fingerprint in the case of Touch ID. If he or she doesn’t, the information is fully open to anyone finding or using the device.

Another major disadvantage is that the service depends on having cellular coverage. Without cell service, the Account Key authorization process does not work.

Then, there is the question of adoption. Will Yahoo’s customer base use the new authorization solution? It’s too soon to tell, but recent history at Yahoo shows that mass adoption is not guaranteed. The company debuted a password solution this past March called On-Demand, where U.S. customers could opt in to receive one-time passwords texted to their mobile phones when they wanted to log in to their account. However, one of Yahoo’s senior leaders was quoted in the news recently saying that only three or four percent of Yahoo’s 225 million monthly active users had implemented On-Demand passwords.

Another potential deterrent to adoption is that the Yahoo Account Key requires a smartphone. It also requires backup email addresses and phone numbers to be registered so that a person’s identity can be verified in the event that a device is lost or stolen. Some consumers may not have a smartphone, and those who do may not want to provide additional email and phone information.

To mitigate or remove these risks, a biometric authentication solution can be used in conjunction with, or in lieu of, the Yahoo Account Key so the “something you have”—your mobile device—is paired with “something you are”—your unique biometrics.

Biometrics and new biometric technologies ensure a more reliable, secure way to combat identity theft and fraud. Without biometric authentication, Yahoo is missing a key value attribute – tying a transaction to a non-repudiable biometric vector.

For example, biometric vectors in use today link a person to a device and an action. Augmenting the Yahoo service with a biometric authentication solution, like the Hoyos 1UApp, would reduce the attack surface during certification and usage, thus mitigating risk by filling in the gaps of single-factor authentication.

Removing the risks entirely would require replacing the Yahoo Account Key with a more robust solution like the Hoyos Labs BOPS ecosystem. BOPS seamlessly ensures that every action is biometrically tied to an individual, which provides the added benefit of non-repudiable transactions while providing unprecedented levels of security and convenience.

The BOPS ecosystem includes multiple biometrics, such as face, voice, fingerprint, iris and a new biometric technology called 4FingerID, all of which can be used in lieu of SMS-based security technologies like Yahoo Account Key. Specifically, 4FingerID provides the convenience factor, because it captures four fingerprints simultaneously using a smartphone. The phone’s flash is the light source so the technology can be used in any condition, and the resulting biometric provides 150 degrees of freedom and significantly better accuracy than today’s commonly used fingerprint model.

In conclusion, while Yahoo’s release of this new service makes for a more convenient way to access accounts than memorizing passwords, consumers likely do not understand the inherent risks of the Account Key security model. It may be acceptable for some consumers who handle low-risk data and transactions, but it should never be used if the data associated with their accounts requires a high level of privacy and security.

This article originally appeared in the May 2016 issue of Security Today.
