Yahoo announces innovative authentication mechanism

Monday, 23 March 2015 14:48

Yahoo recently announced a new method of authentication for its services that relies solely on an on-demand generated password sent to the user's mobile phone number. This is not two-factor authentication (which Yahoo already offered), but single-factor authentication where the single factor is the user's mobile phone. It follows that anyone who obtains temporary access to a user's unlocked phone could request a Yahoo one-time password and log in. CNET also reports that the temporary password is four characters long, though since it is short-lived and Yahoo very likely has anti-brute-force protections, that alone may not be a problem.
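To make that caveat concrete, the following is an added example, not Yahoo's code (the article does not describe Yahoo's implementation): a minimal server-side on-demand password service in which a four-character code is stored only as a hash, expires after a short window, is accepted at most once, and is discarded after a small number of wrong guesses. The 36-symbol alphabet, the five-minute lifetime, the three-attempt budget, and the sample account and phone number are all assumptions made for the example.

```python
"""
Added example (not Yahoo's code): a minimal on-demand one-time password
service showing why a short, SMS-delivered code is only tolerable when it
expires quickly, is single-use, and the server limits verification attempts.
"""
import hashlib
import hmac
import secrets
import string
import time

# Assumed policy values; the article only states that the code is four characters long.
CODE_ALPHABET = string.ascii_uppercase + string.digits   # 36 symbols (assumption)
CODE_LENGTH = 4
CODE_TTL_SECONDS = 300      # a code is valid for five minutes (assumption)
MAX_ATTEMPTS = 3            # wrong guesses allowed before the code is discarded (assumption)


class OnDemandPasswordService:
    """Issues one code per account, stores only its hash, and enforces expiry and attempt limits."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms       # callable(phone_number, message); a real deployment uses an SMS gateway
        self._clock = clock             # injectable so expiry can be simulated
        self._pending = {}              # account -> {"digest", "expires", "attempts"}

    def request_code(self, account, phone_number):
        """Generate a fresh code, replacing any outstanding one, and deliver it to the phone."""
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        self._pending[account] = {
            "digest": hashlib.sha256(code.encode()).digest(),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_sms(phone_number, "Your sign-in code is " + code)

    def verify(self, account, submitted):
        """Return True only for the unexpired code within the attempt budget; the code is single-use."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[account]          # expired: discard, user must request a new one
            return False
        entry["attempts"] += 1
        digest = hashlib.sha256(submitted.strip().upper().encode()).digest()
        ok = hmac.compare_digest(digest, entry["digest"])   # constant-time comparison
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[account]          # single use, and lockout after too many misses
        return ok


def max_guess_probability():
    """Upper bound on an attacker's chance of guessing one code within the attempt budget."""
    return MAX_ATTEMPTS / (len(CODE_ALPHABET) ** CODE_LENGTH)


def demo():
    """Walk through the expected behaviours with a fake clock and a captured SMS message."""
    sent = []
    now = [1_000_000.0]
    svc = OnDemandPasswordService(send_sms=lambda phone, msg: sent.append(msg),
                                  clock=lambda: now[0])
    results = {}

    svc.request_code("alice", "+15555550100")         # constructed sample account and number
    code = sent[-1].rsplit(" ", 1)[1]
    # "-", "?" and "!" are outside the alphabet, so these guesses can never match.
    results["wrong_guesses_rejected"] = all(not svc.verify("alice", g) for g in ("----", "????", "!!!!"))
    results["locked_out_after_budget"] = not svc.verify("alice", code)   # right code, budget already spent

    svc.request_code("alice", "+15555550100")
    code = sent[-1].rsplit(" ", 1)[1]
    results["fresh_code_accepted"] = svc.verify("alice", code)
    results["code_is_single_use"] = not svc.verify("alice", code)

    svc.request_code("alice", "+15555550100")
    code = sent[-1].rsplit(" ", 1)[1]
    now[0] += CODE_TTL_SECONDS + 1                    # simulate the validity window passing
    results["expired_code_rejected"] = not svc.verify("alice", code)
    return results


if __name__ == "__main__":
    print(demo())
    print(f"worst-case guess probability per code: {max_guess_probability():.2e}")
```

With these assumed values an attacker who never sees the SMS gets three guesses out of 36^4 possibilities before the code is discarded, which is why the short length is tolerable only together with the expiry and the attempt limit; without the limit, the same four characters would fall to a few hundred thousand automated tries. The service also does nothing about the phone itself, which is the point both commentators below make.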

TK Keanini, CTO at Lancope, advises that: "We need more innovation like this with authentication. Passwords are just pieces of information and in all these strategies, we want to make it useful for the shortest amount of time but not be an administrative burden. Yahoo knows that the most personal device on a person these days is their mobile phone and let's not stop here, let's keep innovating even more techniques to raise the cost to our attackers.

While only leveraging a single factor (something you have - your phone), the security of the system will depend on how secure that device remains over time. We will see a major shift by the attacker to target malware on these mobile platforms because of their larger role in the overall security of the individual. It is also important these days to ensure that the mobile account is secure because you don't want attackers changing features like call forwarding and other features that can put them in the middle of this communication stream."

Jared DeMott, principal security researcher at Bromium, provided further endorsement of this type of innovation, commenting that: "Passwords have been the weak link in many security incidents. Recall the celebrity pictures stolen a while back due to password resets. Even so, users have not rushed to the more secure two-factor authentication, because it is an extra step that they must do (or even know about, and know how to enable). Also, some users have expressed concern about providing a personal mobile number to ad companies like Yahoo!, Google, Facebook, etc.

Either way, it seems most users will do only what is required by default. So if companies are serious about better login security, the default choice will need to be modified. In light of that, it is good to see Yahoo! trying to address the password problem. Potential drawbacks are of course: users without a txt/data mobile, lost phones, etc. - could now cause new grief. But in engineering, it's about balancing the gains against the losses. Time will tell if this is a better choice.

Certainly when Yahoo! first started offering email, many users would not have had a mobile to do two-factor with. Now, many will. Times change. So must appropriate login measures. But balancing privacy, ease-of-use and recovery, against security is always the trick."
