
Adam Bannister is a contributor to IFSEC Global, having been in the role of Editor from 2014 through to November 2019. Adam also had stints as a journalist at cybersecurity publication, The Daily Swig, and as Managing Editor at Dynamis Online Media Group.
March 20, 2015


Yahoo Mail’s Password Innovation is Manna for Hackers, Says Analyst

The human brain hasn’t evolved to memorize myriad passwords that must contain both numbers and letters, include at least one upper-case letter, run to at least eight characters and differ from every previous password – and variations thereof, ad nauseam.

At least mine hasn’t.

Now Yahoo thinks it has a solution that could simplify the tedious process of logging into our proliferating digital accounts. In conventional two-step verification, users enter their password and the email provider then sends a one-time code to their mobile phone, which the user types into the login screen. The Silicon Valley giant is dropping step one, leaving possession of the phone as the only thing the login checks.

The ‘on-demand’ phone-integrated password service means Yahoo Mail’s users will no longer need to enter a fixed password first; they’ll have the option of simply entering the four-character password sent to their phone by text message.

However, a leading research analyst has poured scorn on Yahoo Mail’s innovation.

Yahoo’s idea “will enable opportunists to gain access to confidential information via borrowed or stolen mobile devices,” says Andrew Conway of Cloudmark. “It sounds smart but in reality, it could fuel a rise in snooping partners or phishing attacks.

“In the past there have been cases of snooping partners hacking Yahoo Mail accounts by using the security questions to reset a password. However, password resets are too conspicuous.”

Yahoo’s vice president of product management for consumer platforms Dylan Casey discussed the innovation at the South by Southwest festival in Austin, Texas. “This is the first step to eliminating passwords,” he told delegates. “I don’t think we as an industry have done a good enough job of putting ourselves in the shoes of the people using our products.”

Jealous partners

But if the innovation makes logging into your email account less of a headache, it also makes the phone the only key to the account, and paranoid or jealous partners could easily exploit that weakness, Conway believes.

“With this new service, it will now be possible to hack into an email account by simply borrowing a partner’s phone to receive the text message that contains the password – and then just delete it. The snooper would then have access to their partner’s email with them being none the wiser.”

The new service could be vulnerable to phishing attacks too, he warns.

“There are lists of personal data including email addresses and phone numbers available on cybercrime forums. It is possible for a cybercriminal to purchase one of these lists and then attempt to log into a Yahoo Mail account by sending the associated phone number an SMS message requesting: ‘Please confirm access to your Yahoo Mail account by replying to this message with your access code.’

“Not everyone would fall for this, but the chances are that it would be a lot more effective than trying to break into accounts with genuine dual-factor authentication.

“In general, sending a password, even a temporary one, by plain text is prone to vulnerabilities and we may well see other attempts to exploit this via malware, man-in-the-middle or visual capture attacks.”
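The two attacks Conway describes, the borrowed phone and the SMS lure, both work for the same reason: once the fixed password is gone, whoever can read the phone’s inbox holds the entire credential. The simulation below, added here as an illustration and not code from Yahoo or from the article, plays both attackers against a toy server that offers an on-demand login and a genuine two-step login side by side. The server design, the four-character upper-case alphanumeric code, the message texts, the phone numbers and the model of a user who answers a “reply with your access code” lure are all assumptions made for the example.

```python
import re
import secrets
import string

# Assumed carrier message format: the code is the last token of the text.
CODE_RE = re.compile(r"password is ([A-Z0-9]{4})$")


class SmsNetwork:
    """Toy SMS carrier: every message sent to a number lands in that number's inbox."""

    def __init__(self):
        self.inbox = {}  # number -> list of (sender, text)

    def send(self, sender, to_number, text):
        self.inbox.setdefault(to_number, []).append((sender, text))

    def messages(self, number):
        return self.inbox.get(number, [])


class AuthServer:
    """Minimal account server offering both login modes (assumed design, not Yahoo's)."""

    ALPHABET = string.ascii_uppercase + string.digits  # assumed code alphabet

    def __init__(self, sms):
        self.sms = sms
        self.users = {}    # email -> (phone, fixed password)
        self.pending = {}  # email -> one-time code currently valid

    def register(self, email, phone, password):
        self.users[email] = (phone, password)

    def send_code(self, email):
        """Anyone who knows the email address can trigger a code to the registered phone."""
        phone, _ = self.users[email]
        code = "".join(secrets.choice(self.ALPHABET) for _ in range(4))
        self.pending[email] = code
        self.sms.send("YAHOO", phone, f"Your on-demand password is {code}")

    def _consume_code(self, email, code):
        """Single use: the pending code is discarded whether or not it matched."""
        expected = self.pending.pop(email, None)
        return expected is not None and secrets.compare_digest(expected, code)

    def login_on_demand(self, email, code):
        """Yahoo's new mode: the SMS code alone is the whole credential."""
        return self._consume_code(email, code)

    def login_two_step(self, email, password, code):
        """Genuine two-step: the fixed password and the SMS code are both required."""
        _, real_password = self.users[email]
        password_ok = secrets.compare_digest(real_password, password)
        return self._consume_code(email, code) and password_ok


def latest_code(sms, phone):
    """Read the most recent carrier-sent code off the phone, as its holder would."""
    for sender, text in reversed(sms.messages(phone)):
        match = CODE_RE.search(text)
        if sender == "YAHOO" and match:
            return match.group(1)
    return ""


def victim_answers_lure(sms, phone):
    """Models a user who sees 'reply with your access code' and obliges."""
    lured = any("access code" in text for _, text in sms.messages(phone))
    return latest_code(sms, phone) if lured else ""


# Constructed victim: the email/phone pair is what a leaked list would hand the attacker.
VICTIM, PHONE, PASSWORD = "victim@example.com", "+15550100", "correct horse battery"


def fresh_server():
    sms = SmsNetwork()
    server = AuthServer(sms)
    server.register(VICTIM, PHONE, PASSWORD)
    return sms, server


def attempt(server, mode, code, password="guess"):
    if mode == "on_demand":
        return server.login_on_demand(VICTIM, code)
    return server.login_two_step(VICTIM, password, code)


def phishing_attack(mode):
    """Attacker knows only email + phone number and can send SMS from any number."""
    sms, server = fresh_server()
    server.send_code(VICTIM)                        # 1. trigger the real code
    sms.send("+15550199", PHONE,                    # 2. the lure quoted in the article
             "Please confirm access to your Yahoo Mail account by replying "
             "to this message with your access code.")
    code = victim_answers_lure(sms, PHONE)          # 3. victim replies with the code
    return attempt(server, mode, code)              # 4. attacker logs in with it


def borrowed_phone_attack(mode):
    """Attacker briefly holds the unlocked phone, reads the code, deletes the SMS."""
    sms, server = fresh_server()
    server.send_code(VICTIM)
    code = latest_code(sms, PHONE)
    sms.inbox[PHONE].clear()                        # cover tracks, as in the article
    return attempt(server, mode, code)


def legitimate_login(mode):
    sms, server = fresh_server()
    server.send_code(VICTIM)
    return attempt(server, mode, latest_code(sms, PHONE), password=PASSWORD)


def replay_after_use():
    """The code is single-use: a second login with the same code fails."""
    sms, server = fresh_server()
    server.send_code(VICTIM)
    code = latest_code(sms, PHONE)
    return server.login_on_demand(VICTIM, code), server.login_on_demand(VICTIM, code)


if __name__ == "__main__":
    for mode in ("on_demand", "two_step"):
        print(mode, "phishing:", phishing_attack(mode),
              "borrowed phone:", borrowed_phone_attack(mode),
              "legitimate:", legitimate_login(mode))
```

Both attackers succeed against the on-demand mode and fail against the two-step mode for the same reason: the code is the only secret they can reach, and in the two-step flow it is worthless without the fixed password. Note also that the lure works even though the server marks each code single-use; single use stops replay, not a victim who hands the code over before using it.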

 
